This is a read-only archive. Find the latest Linux articles, documentation, and answers at the new Linux.com!

Linux.com

Feature: Security

OpenOffice.org virus debunked by experts

By Bruce Byfield on June 02, 2006 (8:00:00 AM)

Share    Print    Comments   

Kaspersky Lab, a manufacturer of anti-virus software, claims to have discovered a macro virus for StarOffice and OpenOffice.org. The claim has received widespread media attention on the Internet as the first of its kind. However, according to experts, the alleged virus is nothing more than the use of a long-existing capability in the StarBasic macro language (also known as OOo Basic). Although the potential for malicious macros exists, they can be easily guarded against.

Labelled Stardust, the alleged virus was first described on May 30 in a blog from a Kaspersky Lab virus analyst who posts as Kostya. According to the blog, "It's written in StarBasic. It downloads an image file (with adult content) from the Internet and then opens this file in a new document." The story first appeared on May 31, with the additional caveat that it is a proof-of-concept virus only, and has not been in circulation.

The next day, the OpenOffice.org home page posted an acknowledgement of the story, adding that the project was consulting with Kaspersky Lab about the virus. On June 2, OpenOffice.org issued a press release, downplaying the story. "This is a known risk with any capable macro language," the release explained, adding, "This 'proof of concept' virus is not new information, and does not require a software patch."

Andrew Douglas Pitonyak, the writer of OpenOffice.org Macros Explained, and generally considered by participants in the OpenOffice.org project as one of the leading experts in StarBasic, was more cautious. Although several posters to the OpenOffice.org Discuss list were quick to point out that Stardust was not a virus in the conventional sense, since it did no harm to the operating system or existing files, Pitonyak wrote in an email, "I consider a 'macro virus' to be any macro that does something malicious without your consent." However, he added that he considered Stardust "far from earth shattering and [that it] hardly elicits a yawn from anyone but the most paranoid."

Pitonyak did go on to say that, in theory, "An OpenOffice.org virus can be just as bad as an MS Office virus. I have seen some people claim that you could not write a virus using OOo, when in fact, it is no more difficult than any other platform." Pitonyak suggested that a true macro virus could use StarBasic's file and directory handling capabilities to trash a hard drive. Alternatively, it could include binary data that could be written to disk, then run, or download binary data from a web site. In the last two cases, he explained, "the macro is merely an infector for the real virus."

However, Pitonyak emphasized that such scenarios are malicious uses of standard capabilities.

Furthermore, as Pitonyak points out, by default OpenOffice.org prompts users whether to enable macros when opening a document that contains one. Those who desire additional protection can go to Tools -> Options -> OpenOffice.org -> Security -> Macro Security in OpenOffice.org and set the programs to run only signed macros from trusted sources, or only macros from trusted file locations on their own system. Most of the danger comes from inexperienced users who might automatically enable macros, or from those who relax macro security so that all macros are opened without confirmation.

Users can have additional security by only running OpenOffice.org on non-root accounts on UNIX-like operating systems such as GNU/Linux or Solaris, or on accounts without administrative privileges on Windows. With these precautions, any damage caused by a macro virus should be limited to the users' personal files.

Pitonyak also acknowledged the possibility of writing a plug-in using Java, Python, or any of the other programming languages supported by OpenOffice.org, but concluded that "it would probably be easier" to use StarBasic.

Despite downplaying the Kaspersky Lab claim, OpenOffice.org's home page now displays a message that says, "Nevertheless, we take even the possibility of a threat very seriously, and engineers are working with Kaspersky Labs on this proof of concept to determine possible precautions and remedies."

However, project members on the Discuss mailing list were more scathing. Lars D. Nooden expressed concern that headlines on articles about the claim would mislead people about the issue. Ian Lynch, the founder of the INGOTS program certification program, was even more direct. While acknowledging that the story might mislead people, Lynch described the original article as "not a story with any substance. The headline is an example of lack of professionalism and certainly lack of technical knowledge on the part of those reporting it."

Lynch is perhaps overstating the case, but the general agreement is that the Kaspersky Lab claim is an exaggeration. At best, it serves as a warning against trusting files from unknown sources. Clearly, it is neither new nor cause for anything more than standard caution.

Bruce Byfield is a course designer and instructor, and a computer journalist who writes regularly for NewsForge, Linux.com, and IT Manager's Journal.

Bruce Byfield is a computer journalist who writes regularly for Linux.com.

Share    Print    Comments   

Comments

on OpenOffice.org virus debunked by experts

Note: Comments are owned by the poster. We are not responsible for their content.

Kaspersky Labs

Posted by: Jeremy Akers on June 03, 2006 12:13 PM
These are the same idiots who proclaimed they invented a cross-platform Windows/Linux virus, which ended up getting debunked too.

-Jeremy

#

Re:Kaspersky Labs

Posted by: Anonymous Coward on June 03, 2006 11:48 PM
Exactly! They *always* seem to create controversy over something meaningless or "suddenly" discover a huge gaping hole somewhere...it's all lame advertising for their crappy Anti-Virus product.

#

*What* are they trying to pull?

Posted by: hosiah on June 03, 2006 04:12 PM
First the "Winux" fiasco, now this. Malicious code in BASIC has existed since the 1990's bulletin boards. Many have pointed out that this story can be misinterpretted and/or mistaken, much in the same way you had people going around last time saying a virus that runs on both Windows and Linux was terrorizing the world. Then it occurs to me that that could be Kapersky's *exact* intention!

#

They have a point

Posted by: Anonymous Coward on June 03, 2006 06:06 PM
I can't really understand all these negative reactions. The fact that macro's can only be allowed to run or not, without any discrimination between those that try to (for example) write to external files and those that don't, is stupid. Users are warned that macro's exist in a document, but macro's can be very useful without having to do potentially dangerous things.


    IMHO, OO.o's reaction ('Industry standard practice') shows a complete lack of understanding of security issues.

jdv

#

Re:They have a point

Posted by: Anonymous Coward on June 04, 2006 06:19 AM
I agree. The knee jerk reaction here is appalling... had a similar article been posted about some vulnerability specific to MS Word or Excel, even one that has in principle been known for years (regarding ActiveX, let's say), I'd wager we'd see a very different reaction.

You can't address a problem until you acknowledge there's a problem.

#

Re:They have a point

Posted by: nanday on June 04, 2006 10:18 AM
I think you need to distinguish between two things here.

First, there's the announcement of a new virus that's nothing more than a normal, often useful capability that has existed for years. That is misleading, and deserves to be debunked.

Second, there's the basic security question about macros that can affect more than the program they are running in. They're convenient, but they also create vulnerabilities, and in general should be questioned far more than they usually are.

However, since macro viruses are easily countered through OOo's macro security settings and through the basic user account and permission structures of UNIX-like systems, OpenOffice.org's official response seems reasonable. Even though much nastier macro viruses than Stardust are possible, they aren't worth anything like the concern that Kaspersky Lab suggests.

- Bruce Byfield

#

Re:They have a point

Posted by: Anonymous Coward on June 06, 2006 05:29 AM
I can't really understand all these negative reactions. The fact that

      macro's can only be allowed to run or not, without any discrimination

      between those that try to (for example) write to external files and

      those that don't, is stupid. Users are warned that macro's exist in a

      document, but macro's can be very useful without having to do

      potentially dangerous things.

              IMHO, OO.o's reaction ('Industry standard practice') shows a

      complete lack of understanding of security issues.

      jdv

>
>
Of course you can't really understand all these negative reactions because you are an ignorant asshole trying to pretend to be knowlegable about something you have absolutely no clue about.

#

Users making security decisions is dangerous.

Posted by: Anonymous Coward on June 03, 2006 06:54 PM
Secrurity in the average users hands is dangerous, Period.

Just by saying don't run this or that... well, before long you run into the average non-tech office idiot whose eyes glaze over when describing how to use a mouse... but who you have to teach how to use a mouse because she has been with you for 20 years and does a wonderful job at customer serice (or whatever). So - now she has a computer and as time goes along she gets an attachment from what appears to be some file that she should open and use (this is what happens).

And - there goes your security.

Certain file types should be excluded from use for certain classes of users by rules (maybe the NSA Security Enhanced Linux could be set up to deny at the system level the operation of certain files for classes of users who should never be using a computer system except for the reason that they have to... and to be able to take the weapons of destruction away from them by allowing only certain system rules that governs what they can and can't do). The actual code in a certain macro could be approved for company use where only that code could run... other macros from outside the rules could be excluded.

see: <a href="http://www.nsa.gov/selinux/" title="nsa.gov">http://www.nsa.gov/selinux/</a nsa.gov>

#

Re:Users making security decisions is dangerous.

Posted by: Joe Barr on June 03, 2006 09:21 PM

Wrong-headed. Perhaps correct if speaking for an organization, where a sysadmin will make these decisions for the users, but even then it is a stretch.


Yes, users are dangerous. But they are also ultimately responsible for the security of their machine, nobody else.


Personally, I think it is insane to include these sort of features in MS Word, not just dangerous. It is the very worst example of how grotesque and distorted and bloated and driven off-track from original purpose that a marketing-driven product design can achieve. But hey, MS has never ever been known for the quality of its design or implementation.


That said, the Unix security model would limit the damage done should a user run malware he received from elsewhere, and then _knowkingly execute, only with his permission, on his own box, to those files and data that he is authorized to see and write.


The most important part of this story to my mind is that Kaspersky Lab is once again making unsubstantiated claims of vulnerabilities where none exist. It's as if there is a string tied between Kaspersky Lab and MS public relations. Big new vulnerability in MS Word found related to its insane design? We'll fix that. Let's get some stories floating around about how Linux is just as vulnerable, that we can continue to feed the lie that the only difference in security between the two is their popularity.


And the tres duh press, as always, laps it up like puppies drinking warm milk from a saucer.

#

Nope - Right headed - think left handed.

Posted by: Anonymous Coward on June 03, 2006 10:17 PM
It always is the spaces in the big picture that make the picture, and not the little pixels.

Yes, but some folks might be out sick for security of your computer training day at work.

Individual computer users have no choice about security... they, are the 1st line of defense.

At places where businesses operate networks however, it is the sys admin folks and security folks who should be able to take over for folks. Most "macros" are static... once they are made they don't change... the security folks can set up a process where any macro created needs approval at IT before it gets distributed to others in any organization. So - with global SE Linux rules you could do this.

Individuals, well my experience is that they run it and say what the heck. Most do. This is sad, but true.

Regarding marketing an anti-virus product... doesn't the company mentioned have one for Linux... I wonder what their sales is like? So - any fear that would drive folks to buy their product is called FUDMarketing. Microsoft will be using this same technique to migrate folks to Vista in about 6 months or sooner... only they are marketing against themselves and will be saying we don't support our old products anymore for viruses and updates... we only support our new one (because it is more secure)!

SE LINUX and programs build around it, are the only salvation that we truely have... because SE LINUX, it's Free as in speech.

#

This story has been archived. Comments can no longer be posted.



 
Tableless layout Validate XHTML 1.0 Strict Validate CSS Powered by Xaraya