OpenOffice.org "Badbunny" worm hops across operating systems

Scott (angrykeyboarder) geekboy at angrykeyboarder.com
Wed Jun 20 19:31:03 BST 2007


Alwyn Hainsworth spake thusly on 06/16/2007 08:58 AM:
> On 15/06/07, Scott (angrykeyboarder) <geekboy at angrykeyboarder.com> wrote:
> 
>     Derek Broughton spake thusly on 06/14/2007 06:28 AM:
>     > Scott (angrykeyboarder) wrote:
>     >
>     >> Nils Kassube spake thusly on 06/11/2007 11:36 AM:
>     >>> Scott (angrykeyboarder) wrote:
>     >>>> Malicious software targeting OpenOffice.org documents is spreading
>     >>>> through multiple operating systems (Including Linux), according to
>     >>>> Symantec....
>     >>>>
>     >>>>
>     >>>> http://news.com.com/OpenOffice+worm+Badbunny+hops+across+operating+systems/2100-7349_3-6189961.html?tag=html.alert.hed
>     >>>>
>     >>>> (or http://preview.tinyurl.com/2qmqjj if you prefer).
>     >>> Which is mostly harmless according to
>     >>>
>     >>> <http://blogs.sun.com/malte/entry/sb_badbunny_a_harmless_little>
>     >> If you have a brain, then yes that's correct.
>     >>
>     >> However, not everyone fits in that category. :)
>     >
>     > LOL.  If you have a brain, viruses aren't a problem on Windows
>     > either :-)
> 
>     That was precisely my point.  Windows bashers love to point out how
>     insecure Windows is. While I agree it's typically less secure than
>     Linux, I also point out that the biggest Windows security problem isn't
>     Windows, it's (most) Windows users.
> 
>     And just because a program doesn't have root/administrator access
>     doesn't mean it can't do damage.
> 
>     The last I checked most Linux users don't have to have root access to
>     open their personal files (e.g. Photos, Videos, "important" documents
>     and so forth).
> 
>     There are plenty of ways to do damage to those files without root
>     access.  After all, I as a user can install and run software in ~/foo
>     can I not?
> 
> 
> Actually it's not that simple. Whose was the original sin? The Windows
> users being stupid or Windows's bad design teaching the users to be
> stupid? It's a chicken and the egg problem.

I also agree. Even though Microsoft brought a more secure environment to
the masses with XP and later Vista (thanks to the concept of the
Administrator and User accounts which didn't exist in consumer-based
Windows prior) they dropped the ball with not insisting that the initial
user sets up a separate user account before they can go any further
(i.e. like every Linux distro I've ever used).

On the other hand they have made public statements urging users not to
routinely work from an account with administrative privileges. But of
course the average user doesn't even know what that means....

> As a Windows design fault
> let's take for example the current Vista 'Cancel or Allow' dialogs.

That would be the ever-so-lame/annoying User Account Control (UAC)
"feature".

> Because you need to click 'allow' in order to do some simple tasks, the
> users gradually learn that it is OK to click the 'allow' button because
> it is probably something simple anyway. While this particular example is
> a new design flaw, Windows has had many more in the past, all of which
> have helped to create the 'stupid Windows user' of today.

And what makes it worse, is if you do things right and set up an admin
and user account(s) with passwords and work from the User account you
have to first enter the admin password and *then* mess with UAC.  They
should have taken the Mac OS X and Ubuntu route. Start off with an admin
account. Force you to create a user account and to then work from that
account. Want to do something potentially "dangerous" in OS X or
Ubuntu.. you need to enter your password first.

That of course has its flaws as well, but it's better than Vista's UAC.

> 
> Of course Windows isn't the only one that suffers design flaws of this
> kind. Indeed a very on-topic example would be OpenOffice.org's very own
> 'Cancel or Allow' dialog. If you want to add a button to change a
> paragraph's colour for instance, that would naturally require a script.
> If you wanted a button to gather info on the file you just wrote and
> send that data over http to a remote server, that too would require
> writing a script. In both instances you'd get the macros 'Cancel or
> Allow' dialog when loading the file. Most scripts are of the 1st type,
> harmless, affecting the local document only. Such scripts do not need a
> Cancel or Allow dialog as they are harmless outside the local document
> in which they are contained, but because the dialog keeps popping up
> people get used to clicking allow for trivial things. So now when an
> ugly bunny raises its head, there are a number of people who see the
> 'Cancel or Allow' and think 'Yes please, I'd like pretty colours, thank
> you.'. Is it their fault for being naive or is it the program designers'
> fault for teaching them to be?

I say it's both, but I do lay most of the blame with the programmers.
It's frustrated me to no end that your average "user" is so ignorant
about the computer they are working with.

I'm not a programmer. I don't write code. It's mostly Greek to me. But
from day one it just made sense to have *some* knowledge of what I was
working with.

I'd like to know what they teach in school these days. Students from
Kindergarten through High School are in computer classes. But they
mostly seem clueless when it comes to security.


> 
> As you can probably tell from the above I'm of the opinion that the
> oo.org security team needs to be hit with a clue stick
> and quickly, before something nasty gets through. The 'Cancel or Allow'
> dialog is at best a quick hack, not an almighty security feature like
> the oo.o people seem to be saying it is.

On a semi-related note the "OK" dialog box needs to be (mostly) done
away with in all software (for any number of reasons).

Speaking of poor security. I was beyond shocked when I tried out Solaris
(Solaris 10) a few days ago.

Not only do you start off with just a root account, you don't even have
a root home directory (i.e. "/root").

Once your desktop appears, (and you open a terminal) you will find you
are at "/". You then have to create the root user directory (e.g.
"/root" - which I didn't find out till I'd done all kinds of stuff that
I assume created "junk" hidden sub directories under "/". I've not gone
back to it as of yet - I installed Solaris in a VM).  It was bad enough
that Solaris doesn't make you create a user account at setup, but the
fact that the root user account initially begins at "/" with no warning
(unless I missed something) is absurd to say the least.

Considering how much Sun has bragged about how wonderful Solaris
supposedly is, I was quite surprised by this, to say the least...







