There has been a lot of press, over the last several weeks, about the
"BadBunny"
worm, which infects OpenOffice.org (OO.o) files. Most of the buzz seems to
be about the multi-platform nature of the worm, which is interesting, but
the mainstream technical press seems to miss the fact that, without a number
of bad user decisions, the worm would not do anything at all. There was a
lot of noise about OO.o macros and security last summer, but the situation
is the same as when we last
reported about OO.o security:
if one is going to use an office suite with a macro language, one must be
careful about which macros are run.
The infected file itself is a graphics document file called
badbunny.odg which
contains macro definitions that can be executed when the file is loaded
into OO.o. If the macro is run, it does different things depending on
the platform, but attempting to infect either the mIRC or
XChat Internet Relay Chat (IRC) clients is the first step. If
those clients are run after the infection, BadBunny
will try to propagate by offering the document file to other connected users.
As a secondary payload, BadBunny stores and runs a script file that tries
to infect other files in the directory where the document file is stored.
For reasons unknown, each operating system gets a script written in a
different language: for Linux it is Perl, MacOSX is Ruby, and Windows is
Javascript. BadBunny also attempts to do a
"ping of death"
denial of service attack against multiple anti-virus sites.
The worm was first
reported
by the anti-virus company Sophos back in May and was described as a "proof
of concept" that was emailed to their researchers. The name, BadBunny,
comes from the names of various files
that get installed as well as a pornographic image of a man in a bunny suit
that may be displayed. More recently,
anti-virus vendor Symantec has reported BadBunny "in the wild", but it is
not very widespread.
There are some pretty good reasons this worm has not spread widely. Users
are becoming more aware of these kinds of problems and many already know
to be "cautious when handling OpenOffice files from unknown
sources" as Symantec suggests in their announcement. This is not, of
course, an OO.o-specific problem. All files from unknown sources should
be treated with care. In order to be affected by BadBunny, users will
also have to enable the macros to run. As
reported
by Malte Timmermann, Sun's OO.o Technical Architect, the worm does not
bypass the OO.o security checks and the user will be prompted before the macros
are run.
One can certainly imagine that there are users who will receive a file of
unknown provenance, perhaps by email or over IRC, open it and run its macros,
but they are, hopefully, few and far between; this is certainly not
the infection vector of an attacker's dreams.
Like it or not, macro languages in office suites are here to stay. They have
their uses (and abuses). For the most part, users will not even consider
using an office suite that does not offer a scripting language. As
Timmermann puts it:
OpenOffice.org has a macro language with access to local resources.
Of course this macro language can be used for performing any kind of tasks,
that's the intention of it!
Users shouldn't run macros from unknown sources, same like they shouldn't run any programs or other scripts from unknown sources.
It could be argued that the OO.o macro language should be simplified in
ways that might help cut down the potential for abuse. It is difficult to
see how that can be done when the major competitor, at least in the Windows
world, has a "full featured" macro language. The balance between security
and new features is always tricky, but when trying to compete against an
established market leader, sometimes the features have to win.
If you believe that an office suite requires a sophisticated macro
language, these kinds of problems cannot be considered security holes
in the program; it is doing exactly as the user instructed it to.
Individuals or organizations that want to use tools with these capabilities
have to be security conscious. In the end, if users are going to blindly
click through any kind of warning, any reasonable level of security is
impossible. This is true no matter what operating system, web browser or
office suite is used.
Comments (20 posted)
