back to article Fix LibreOffice now to thwart silent macro viruses – and here's how to pwn those who haven't

See our note below: LibreOffice version 6.2.5, which was supposed to patch the macro security hole, is still vulnerable, and exploit code is now available. Disable LibreLogo immediately if it is present and enabled in your build of LibreOffice. Our amended article follows. The Document Foundation said on Tuesday that it had …

  1. MacroRodent Silver badge

    Depressing featuritis

    So a macro feature most people don't need is enabled by default (I had not even heard of it, and I am regular LibreOffice user), and has a glaring security hole. Depressing, because a similar thing has happened before in various programs, open source or not, and still developers have not learned. All run merrily over the same cliff.

    1. IGotOut Silver badge

      Re: Depressing featuritis

      The worst bit is the macro will still run when you set it to "lockdown"

      1. JLV

        Re: Depressing featuritis

        Wonder what kinda moron downvoted you and the OP. An Adobe developer, maybe?

    2. Mage Silver badge

      Re: Depressing featuritis

      Only if LibreLogo is installed. Always choose Custom Install and untick stuff you don't need.

      It seems a daft thing to include. Scratch is a better and free "learning to program with graphics etc" environment. I never saw much educational value in Turtle Graphics / Logo alone. Why on earth would an Office package include a kids programming toy?

      1. Anonymous Coward
        Anonymous Coward

        Re: Depressing featuritis

        So that mrs VP of customer security can let her daughter play on her computer in the evenings....

        I was going to say: Microsoft Office users, but decided the above was more poignant.

      2. John Brown (no body) Silver badge

        Re: Depressing featuritis

        "Only if LibreLogo is installed. Always choose Custom Install and untick stuff you don't need."

        My first thought on reading about LibreLogo was "What the fuck??????". I mean, really, WTF is a Logo teaching system doing in an office suite?

  2. aks

    Wake up, ODF. Add appropriate file-types to your file formats, as Microsoft did years ago.

    I always work in docx or xlsx format. Does LibreOffice or OpenOffice allow macros in those formats? Microsoft Office does not.

    1. Steve Graham

      And if I email you an EXE file called "innocent.docx" you'd click on it?

      1. Anonymous Coward
        Anonymous Coward

        The problem is more with documents called things like "innocent.jpg.docx" and Window's hiding of file extensions.

        Anyway, I've always set my LibreOffice installation to only run macros without confirmation in specific folders where I know I have documents that rely on startup macros. But yes, the default behaviour is very exploitable.

        1. aks

          Agreed. That's why I always make the extension visible. I don't identify the object type by its icon but alwyas by the extension. I also diable all types of autorun.

          1. Doctor Syntax Silver badge

            Is there any OS other than Windows that can make the extension invisible?

            1. PerlyKing Silver badge

              Invisible extensions

              MacOS sometimes hides file extensions, but I've never figured out when it will and when it won't. The default seems to be to show them, or that may be some setting I clicked on years ago.

              I'd be extremely surprised if there isn't a way to hide file extensions in many Linux file managers.

            2. Steve Graham

              The traditional Unix way of handling files was to ignore all aspects of the name, including anything which comes after a dot (which is just another arbitrary character, except when it's . or ..). A file's "type" was deduced by "magic" (essentially its fingerprint), if required.

              Unfortunately, the Windows convention has infected much software.

              1. Charles 9 Silver badge

                Trouble is, it's getting trickier to tell files apart by magic numbers. For example, how do you tell an ODF ePUB, or CBZ apart when magic numbers identify ALL of them as ZIPs?

                1. John Brown (no body) Silver badge

                  "Trouble is, it's getting trickier to tell files apart by magic numbers. For example, how do you tell an ODF ePUB, or CBZ apart when magic numbers identify ALL of them as ZIPs?"

                  I just tested with an imported Excel .xlsx file. KDE Plasma desktop sees it as a spreadsheet. Removing the extension and letting KDE try to detect it and it sees it as a Zip archive. Maybe it's time for *nix desktops and filemanagers to look inside these Zip-mangled files a bit deeper simply because these files actually ARE Zip files until you open and extract them with the relevant program. The fairly simple MSOffice spreadsheet contains 8 xml files and 2 .rels files across 5 folders/directories when opened as a Zip file in Ark.

            3. Anonymous Coward
              Anonymous Coward

              "Is there any OS other than Windows that can make the extension invisible?"

              I think it's the file manager that does it, not the OS. I think Dolphin can do it. Thinking about it, I think every file manager I've seen in the last 20 years can do it.

            4. Fred Flintstone Gold badge

              In MacOS you have a tickbox "Show all filename extensions" in Finder - Preferences - Advanced which is (if I recall correctly) by default unticked. I don't know this for sure because I always want to see them so that's been on from the day I started with MacOS.

              That said, maybe someone can cook up some mischief using the fact that dotfiles (files starting with a ".") are still hidden, irrespective of extensions, something I believe to be true for Linux as well (it's the Unix way of hiding files).

              If you try to save a file with a name like .test.odf LO will tell let you, but will also tell you that it will become invisible. On resume it loads fine, but you have to use a command line to mess with it - Finder won't see it.

              1. ITS Retired

                It was ticked by default in my Macbook. Show all extensions.

                1. Anonymous Coward
                  Anonymous Coward

                  Hurrah for sane defaults. No such luck for "natural direction" though.

          2. ovation1357 Bronze badge

            Hiding file extensions by default has to be the dumbest thing Microsoft has done second only to their decision to embed powerful scripting languages into office/email/web software only to act all surprised that it opened a massive security hole which continues to be problematic to this day.

            It seems that every time there's a chance for them to make their even products less secure, or at least make it easier to dupe nontechnical users into running something dangerous, they jump at it with reckless abandon.

            1. JLV

              Hey, at least macros had a purpose. One that is pointless for most word processing users and documents. One that really, really, isn’t worth the constant risk so should be packaged off in some special ring-fenced unsafe mode/unsafe viewers.

              But the extension hiding? A special hell should await whoever at MS requested such an elective and pointless fail.

              Every time a user falls for hidden EXEs, for all eternity, a swarm of red fire ants should eat their liver, while their testicles are crushed by a slow heated and electrified vise and red pepper poured in their eyes.

              Sinovski, was that you?

      2. aks

        Microsoft Office would not open a macro for docx or xlsx so I'd consider them safe.

        Then again, I'm extremely cynical and always run checks on any downloaded item, even from a known and trusted source such as Microsoft.

        1. Captain Scarlet

          docx and xlsx can still run VBA (With a prompt, however everyone just clicks yes to everything without reading anything >_<)

        2. Anonymous Coward
          Anonymous Coward

          "even from a known and trusted source such as Microsoft."

          M$ is trusted? They have been doing everything to destroy trust, by sneaking telemetry in security updates and the way they handled the Win 10 roll out.

          1. Anonymous Coward
            Anonymous Coward

            "[...] and the way they handled the Win 10 roll out."

            They are again slipping W10 update prompts into W7 as EOL mandatory updates.

            It is my impression that even if you have user control set for update notification - then they will apply them automatically the next time you do a shutdown. A flag appears against the Start Menu Shutdown option - which gives you a chance to go into update and see what they would try to apply.

      3. James O'Shea

        "And if I email you an EXE file called "innocent.docx" you'd click on it?"

        No. And if I did... on the Windows systems around here an .exe with a .docx extension would not run. I mostly use Mac and Linux systems anyway; Windows .exes don't run on either unless something like WINE is installed, which is not the case. (I do have Windows in virtual machines on many Mac and Linux boxes, but normally the VM is off. In the event that the system somehow recognized that a .docx was really an .exe and launched Windows in the VM to load it, I'm pretty sure that people would notice.)

        It's a vulnerability in LibbreOffice, and no amount of whataboutism is going to make it less of a vulnerability. If this was a problem in Office, many commentards would be screaming for Microsoft's head. Oh Wait. It _was_ a problem in Office, _20 years ago_, and has been patched. Why in Christ's name has a 20-year-old vuln been brought back to life?

        1. aks

          The article implied that the ODF (Open Document Foundation) haven't followed Microsoft's path and separated out objects with macros from objects without them.

          https://documentation.solarwindsmsp.com/backup-recovery/Content/backup-manager/backup-documents/files.htm

      4. Kevin McMurtrie Silver badge

        You should be able to click on it. A document is supposed to display information and there must be no features to extend that purpose. That's why LibreLogo is a very seriously flawed feature.

  3. Zimmer
    Linux

    Not in Version 5 , it would seem.

    I have both versions 5 and 6

    5.1.6.2 is the version supplied by the repositories for Linux Mint... 18.2

    I see that the Beta for 19.2 is out , and that supplies a version 6.0.7

    I installed 6 alongside 5 some time ago from the website...

    Version 6 has a toolbar for Logo, Version 5 does not.

    So, will the LibreLogo macro run in version 5 at all ?

    1. bombastic bob Silver badge
      Devil

      Re: Not in Version 5 , it would seem.

      looks like it's in version 6 on FreeBSD, in any case.

      My fix (hopefully works):

      rename /usr/local/lib/libreoffice/share/Scripts/python/LibreLogo to something else

      Should make any attempt to run LibreLogo python stuff fail. Doesn't seem tlo affect loading the program, though. I'm sure I'll _NEVAR_ miss this "feature".

      in case anyone wonders, there's a checkbox in the 'view toolbars' menu in Libre Office writer, for 'Logo'. It's off, but I'm not convinced that's enough. Renaming the diretory where its support files are, that SHOULD fix it. Use "locate LibreLogo" to find them.

      (or on linux, most likely in /usr/lib/libreoffice/share/... yotta yotta)

  4. Updraft102

    There is no such distinction in ODF (Open Document Format) as used by OpenOffice and LibreOffice. Perhaps there should be.

    I propose ODF for those without macros, and [nothing] for those with macros.

    1. bombastic bob Silver badge
      Meh

      I've never liked word macros, especially the auto-run kind. don't wanna code 'em, too much trouble, viruses etc. like "insecure by design". RTF format actually made more sense at one time. But from now on if someone sends me a document, I guess I'll have to find a way to get rid of any macros in it before opening, even in libre office.

      stupid feature creep.

  5. stuartnz
    Unhappy

    Disappointed muchly

    I am running 6.2.5 and have never enabled LibreLogo anyway, in any version, but it's still disappointing that the devs had left the door open for this old school style vulnerability. Errare humanum est, romanes eunt domus, etc.

    1. Zack Mollusc

      Re: Disappointed muchly

      People called Romanes, they go, the house?

      1. Sir Runcible Spoon
        Coat

        Re: Disappointed muchly

        It says 'Romans go home'

        1. FrogsAndChips

          Re: Disappointed muchly

          No, it doesn't! What's the Latin for "Roman"? Come on, come on!

          1. Anonymous Coward
            Anonymous Coward

            Re: Disappointed muchly

            It's deliberate "Romeglish" - along the same lines as Franglais. In other words, deliberately crass.

            1. stuartnz

              Re: Disappointed muchly

              I'm not sure if "crass" was what the MPFC team were going for in their sendup of a "classical" education, but since the language being used was Latin, not Roman, why "Romeglish"?

  6. Allan George Dyer Silver badge
    Facepalm

    Defaults...

    "LibreLogo is an optional component, though installed by default."

    On Ubuntu 18.04.2 LTS, libreoffice-librelogo is a separate package, not installed by default.

    icon - phew, I dodged that one!

    1. NATTtrash

      Re: Defaults...

      Same here for Xubuntu 18.04.2 LTS. But that is also *buntu of course. Looks like there might be considerable "per-distro" differences...

    2. PaulVD

      Re: Defaults...

      Ditto on Linux Mint 19 / LibreOffice 6.5.2. Logo is available as an extension, but not installed by default.

      1. John Brown (no body) Silver badge

        Re: Defaults...

        I've not checked the binary package, but the port (ie building from source) has Java support turned off by default, so no macros, XML filters or DB connections.

        ...and just checked, looks like the binary package is the same.

        But whoever thought trusting macros and building in the Logo crap should be sacked and wages withheld. That'll show'em!!

    3. bombastic bob Silver badge
      Meh

      Re: Defaults...

      on FreeBSD the port installs all of it, and I didn't see a configure option to get rid of LibreLogo. however, it installs to a specific place and looks like renaming the directory (or blowing it away) would avoid the bug by preventing it from running. so you'd get an error, the first clue that something is wrong with that document.

  7. DerekCurrie
    Holmes

    LibreOffice Version 6.2.5.2 Is Current

    LibreOffice has in recent months had minor version confusion in its metadata. You may see it listed in your OS as 6.2.5.002. I have no idea why. The proper current version number is 6.2.5.2. Be confused no longer, my padawans.

    1. Barry Mahon

      Re: LibreOffice Version 6.2.5.2 Is Current

      Mine says 6.2.1 is up to date ??

      1. YetAnotherLocksmith

        Re: LibreOffice Version 6.2.5.2 Is Current

        Check again. As of right now, 6.2.5.2 is on the website as the latest version.

        Or, disable the logo module.

  8. YetAnotherLocksmith

    Sent a dodgy ODF?

    I'd be incredibly suspicious of an ODF coming in on my email! Seriously, it's been Word macro viruses for over 20 years. Don't think anyone but me uses ODF!

    1. Esme

      Re: Sent a dodgy ODF?

      Nah, I use only ODF unless circumstances force otherwise. Which for me, is seldom, thank goodness!

      1. jelabarre59 Silver badge

        Re: Sent a dodgy ODF?

        Nah, I use only ODF unless circumstances force otherwise. Which for me, is seldom, thank goodness!

        I always send ODF files, if for nothing else than to piss off the Microsoft-using lemmings.

        1. WolfFan Silver badge

          Re: Sent a dodgy ODF?

          MS Word reads ODF files. I think that Pages does, too, but I’m not in a position to test right now. What usually happens is that any formatting in the ODF gets screwed up, so your document looks bad. If you want to look bad, by all means carry on.

        2. bombastic bob Silver badge

          Re: Sent a dodgy ODF?

          if someone needs it formatted, I send PDF. But if it's something they need to edit I usually convert the ODF into a Word doc. It's more "compatible" that way.

          NOt sure if word macros using LibreLogo would 'convert' back when you open it.

  9. Anonymous South African Coward Silver badge

    CLI sorcery helps a lot with identifying files.

    Unfortunately you need to have a background in DOS.

  10. sitta_europea Silver badge

    Debian user here - still on version 5.

    1. HooHah!
      FAIL

      Debian 10

      Debian 9 (stretch) and 10 (buster) have libreoffice-librelogo versions 1:5.2.7-1+deb9u9 and 1:6.1.5-3+deb10u2, respectively, installed by default. My buster machine was upgraded from stretch.

      I didn't even know it was there until I read this article. Feeping creatures, indeed!

  11. Anonymous Coward
    Anonymous Coward

    Version 5 has LibreLogo as well.

  12. JLV
    FAIL

    Why, oh, why?

    It’s almost as if, gasp, we needed a consumer-friendly word processor with advanced formatting capabilities.

    BUT NO EFFIN MACROS WHATSOEVER.

    It could just read ODF/DOCX stuff and ignore macros.

    What’s the % of people, and text documents that actually need macros? Does everybody else have to put up with corresponding risks? Ditto Adobe PDFs with active content scripting. Come’on it’s been 15-20 yrs now we know they suck.

    Browsers are heavily sandboxed

    Word processors are not, shouldn’t have to be, can’t really be (file system access) and have insufficient exposure, unlike browsers facing a hostile internet, to develop a comprehensive immune system.

    I am not ranting about spreadsheets, which carry the same risks, but have more general justifications for a macro feature.

    MS Word admittedly seems closer with no-macro extensions (but then they fail by hiding extensions). And of course, they’ve made macros a “feature” in the first place.

    In any case, packaging a learn-to-program toolkit in a word processor is an act of monumental stupidity. Open source or not. Fail.

    P.S. on a related subject, despite being a huge Python fan, the last thing we need is Python as VBA in Office or Python as JS in browsers.

    1. Anonymous Coward
      Anonymous Coward

      packaging a learn-to-program toolkit in a word processor is an act of monumental stupidity

      In 2019 packaging anything that does Y in a program supposed to do X is monumental stupidity.

      Unfortunately on a stupidity scale of 0 to aleph-null, there's always a software designer who will go full aleph-one.

    2. Anonymous Coward
      Anonymous Coward

      Re: Why, oh, why?

      "It’s almost as if, gasp, we needed a consumer-friendly word processor with advanced formatting capabilities.

      "BUT NO EFFIN MACROS WHATSOEVER".

      Quite so. In accordance with the Unix tools philosophy - each tool should do one thing as well as it can be done. To do complex things, you chain the tools together.

      1. Herby
        Facepalm

        Re: Why, oh, why?

        "Quite so. In accordance with the Unix tools philosophy - each tool should do one thing as well as it can be done. To do complex things, you chain the tools together."

        Spoken like someone who hasn't installed EMACS (yet).....

  13. wayne 8

    Don't see LibreLogo in 6.0.6.2

    I stopped upgrading LibreOffice when the next version blocked loading of data from other local spreadsheets.

    I assume because some people were blindly clicking "yes" to loading from unknown external sources.

    I see no reference to LibreLogo in 6.0.6.2 that came with Xubuntu 16.04.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021