Fix LibreOffice now to thwart silent macro viruses – and here's how to pwn those who haven't

See our note below: LibreOffice version 6.2.5, which was supposed to patch the macro security hole, is still vulnerable, and exploit code is now available. Disable LibreLogo immediately if it is present and enabled in your build of LibreOffice. Our amended article follows. The Document Foundation said on Tuesday that it had …

  1. MacroRodent

    Depressing featuritis

    So a macro feature most people don't need is enabled by default (I had not even heard of it, and I am a regular LibreOffice user), and has a glaring security hole. Depressing, because a similar thing has happened before in various programs, open source or not, and still developers have not learned. All run merrily over the same cliff.

    1. IGotOut Silver badge

      Re: Depressing featuritis

      The worst bit is the macro will still run when you set it to "lockdown"

      1. JLV

        Re: Depressing featuritis

        Wonder what kinda moron downvoted you and the OP. An Adobe developer, maybe?

    2. Mage Silver badge

      Re: Depressing featuritis

      Only if LibreLogo is installed. Always choose Custom Install and untick stuff you don't need.

      It seems a daft thing to include. Scratch is a better and free "learning to program with graphics etc" environment. I never saw much educational value in Turtle Graphics / Logo alone. Why on earth would an Office package include a kids programming toy?

      1. Anonymous Coward

        Re: Depressing featuritis

        So that mrs VP of customer security can let her daughter play on her computer in the evenings....

        I was going to say: Microsoft Office users, but decided the above was more poignant.

      2. John Brown (no body) Silver badge

        Re: Depressing featuritis

        "Only if LibreLogo is installed. Always choose Custom Install and untick stuff you don't need."

        My first thought on reading about LibreLogo was "What the fuck??????". I mean, really, WTF is a Logo teaching system doing in an office suite?

  2. aks

    Wake up, ODF. Add appropriate file-types to your file formats, as Microsoft did years ago.

    I always work in docx or xlsx format. Does LibreOffice or OpenOffice allow macros in those formats? Microsoft Office does not.

    1. Steve Graham

      And if I email you an EXE file called "innocent.docx" you'd click on it?

      1. Anonymous Coward

        The problem is more with documents called things like "innocent.jpg.docx" and Windows' hiding of file extensions.

        Anyway, I've always set my LibreOffice installation to only run macros without confirmation in specific folders where I know I have documents that rely on startup macros. But yes, the default behaviour is very exploitable.

        1. aks

          Agreed. That's why I always make the extension visible. I don't identify the object type by its icon but always by the extension. I also disable all types of autorun.

          1. Doctor Syntax Silver badge

            Is there any OS other than Windows that can make the extension invisible?

            1. PerlyKing

              Invisible extensions

              MacOS sometimes hides file extensions, but I've never figured out when it will and when it won't. The default seems to be to show them, or that may be some setting I clicked on years ago.

              I'd be extremely surprised if there isn't a way to hide file extensions in many Linux file managers.

            2. Steve Graham

              The traditional Unix way of handling files was to ignore all aspects of the name, including anything which comes after a dot (which is just another arbitrary character, except when it's . or ..). A file's "type" was deduced by "magic" (essentially its fingerprint), if required.

              Unfortunately, the Windows convention has infected much software.

              1. Charles 9

                Trouble is, it's getting trickier to tell files apart by magic numbers. For example, how do you tell an ODF, ePUB, or CBZ apart when magic numbers identify ALL of them as ZIPs?

                1. John Brown (no body) Silver badge

                  "Trouble is, it's getting trickier to tell files apart by magic numbers. For example, how do you tell an ODF, ePUB, or CBZ apart when magic numbers identify ALL of them as ZIPs?"

                  I just tested with an imported Excel .xlsx file. KDE Plasma desktop sees it as a spreadsheet. Removing the extension and letting KDE try to detect it and it sees it as a Zip archive. Maybe it's time for *nix desktops and filemanagers to look inside these Zip-mangled files a bit deeper simply because these files actually ARE Zip files until you open and extract them with the relevant program. The fairly simple MSOffice spreadsheet contains 8 xml files and 2 .rels files across 5 folders/directories when opened as a Zip file in Ark.
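
Added example, not part of the thread or of any project's code: one way to do the "look inside" that the comments above ask for, telling ODF, EPUB, OOXML and CBZ apart by ZIP contents and flagging script or macro markers. The `cbz-like` rule (images only) is a heuristic assumed here, `make_zip` is a hypothetical helper, and the sample archives it builds are constructed in memory.

```python
import io
import zipfile

ODF_PREFIX = "application/vnd.oasis.opendocument."
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".webp")
MAX_SCAN = 5 * 1024 * 1024  # skip oversized members rather than inflate them


def classify_zip(data: bytes) -> dict:
    """Identify a ZIP-based file by its contents and flag script/macro markers."""
    if not data.startswith(b"PK\x03\x04"):
        return {"type": "not-zip", "macros": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"type": "corrupt-zip", "macros": False}
    with zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        names = [i.filename for i in infos]
        mimetype = ""
        if "mimetype" in names:
            with zf.open("mimetype") as fh:
                mimetype = fh.read(128).decode("ascii", "replace").strip()
        if mimetype.startswith(ODF_PREFIX):
            # Embedded Basic lives under Basic/, other embedded scripts under
            # Scripts/. Scripts shipped with the suite are not embedded; the
            # document only references them with a vnd.sun.star.script: URI.
            macros = any(n.startswith(("Basic/", "Scripts/")) for n in names)
            for i in infos:
                if i.filename.endswith(".xml") and i.file_size <= MAX_SCAN:
                    if b"vnd.sun.star.script:" in zf.read(i):
                        macros = True
            return {"type": "odf:" + mimetype[len(ODF_PREFIX):], "macros": macros}
        if mimetype == "application/epub+zip":
            return {"type": "epub", "macros": False}
        if "[Content_Types].xml" in names:
            # OOXML: the top-level part directory names the application;
            # VBA projects are stored as a vbaProject.bin part.
            kind = "unknown"
            for prefix, label in (("word/", "word"), ("xl/", "excel"),
                                  ("ppt/", "powerpoint")):
                if any(n.startswith(prefix) for n in names):
                    kind = label
                    break
            macros = any(n.lower().endswith("vbaproject.bin") for n in names)
            return {"type": "ooxml:" + kind, "macros": macros}
        if names and all(n.lower().endswith(IMAGE_EXTS) for n in names):
            return {"type": "cbz-like", "macros": False}  # heuristic: images only
        return {"type": "zip", "macros": False}


def make_zip(members: dict) -> bytes:
    """Build a constructed sample archive in memory (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

A `macros: True` result only means the container carries or references script content; whether it runs depends on the application's macro settings.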

            3. Anonymous Coward

              "Is there any OS other than Windows that can make the extension invisible?"

              I think it's the file manager that does it, not the OS. I think Dolphin can do it. Thinking about it, I think every file manager I've seen in the last 20 years can do it.

            4. Fred Flintstone Gold badge

              In MacOS you have a tickbox "Show all filename extensions" in Finder - Preferences - Advanced which is (if I recall correctly) by default unticked. I don't know this for sure because I always want to see them so that's been on from the day I started with MacOS.

              That said, maybe someone can cook up some mischief using the fact that dotfiles (files starting with a ".") are still hidden, irrespective of extensions, something I believe to be true for Linux as well (it's the Unix way of hiding files).

              If you try to save a file with a name like .test.odf LO will let you, but will also tell you that it will become invisible. On resume it loads fine, but you have to use a command line to mess with it - Finder won't see it.

              1. ITS Retired

                It was ticked by default in my Macbook. Show all extensions.

                1. Anonymous Coward

                  Hurrah for sane defaults. No such luck for "natural direction" though.

          2. ovation1357

            Hiding file extensions by default has to be the dumbest thing Microsoft has done second only to their decision to embed powerful scripting languages into office/email/web software only to act all surprised that it opened a massive security hole which continues to be problematic to this day.

            It seems that every time there's a chance for them to make their products even less secure, or at least make it easier to dupe nontechnical users into running something dangerous, they jump at it with reckless abandon.

            1. JLV

              Hey, at least macros had a purpose. One that is pointless for most word processing users and documents. One that really, really, isn’t worth the constant risk so should be packaged off in some special ring-fenced unsafe mode/unsafe viewers.

              But the extension hiding? A special hell should await whoever at MS requested such an elective and pointless fail.

              Every time a user falls for hidden EXEs, for all eternity, a swarm of red fire ants should eat their liver, while their testicles are crushed by a slow heated and electrified vise and red pepper poured in their eyes.

              Sinovski, was that you?

      2. aks

        Microsoft Office would not open a macro for docx or xlsx so I'd consider them safe.

        Then again, I'm extremely cynical and always run checks on any downloaded item, even from a known and trusted source such as Microsoft.

        1. Captain Scarlet

          docx and xlsx can still run VBA (With a prompt, however everyone just clicks yes to everything without reading anything >_<)

        2. Anonymous Coward

          "even from a known and trusted source such as Microsoft."

          M$ is trusted? They have been doing everything to destroy trust, by sneaking telemetry in security updates and the way they handled the Win 10 roll out.

          1. Anonymous Coward

            "[...] and the way they handled the Win 10 roll out."

            They are again slipping W10 update prompts into W7 as EOL mandatory updates.

            It is my impression that even if you have user control set for update notification - then they will apply them automatically the next time you do a shutdown. A flag appears against the Start Menu Shutdown option - which gives you a chance to go into update and see what they would try to apply.

      3. James O'Shea

        "And if I email you an EXE file called "innocent.docx" you'd click on it?"

        No. And if I did... on the Windows systems around here an .exe with a .docx extension would not run. I mostly use Mac and Linux systems anyway; Windows .exes don't run on either unless something like WINE is installed, which is not the case. (I do have Windows in virtual machines on many Mac and Linux boxes, but normally the VM is off. In the event that the system somehow recognized that a .docx was really an .exe and launched Windows in the VM to load it, I'm pretty sure that people would notice.)

        It's a vulnerability in LibreOffice, and no amount of whataboutism is going to make it less of a vulnerability. If this was a problem in Office, many commentards would be screaming for Microsoft's head. Oh Wait. It _was_ a problem in Office, _20 years ago_, and has been patched. Why in Christ's name has a 20-year-old vuln been brought back to life?

        1. aks

          The article implied that the ODF (Open Document Foundation) haven't followed Microsoft's path and separated out objects with macros from objects without them.

          https://documentation.solarwindsmsp.com/backup-recovery/Content/backup-manager/backup-documents/files.htm

      4. Kevin McMurtrie Silver badge

        You should be able to click on it. A document is supposed to display information and there must be no features to extend that purpose. That's why LibreLogo is a very seriously flawed feature.

  3. Zimmer
    Linux

    Not in Version 5 , it would seem.

    I have both versions 5 and 6

    5.1.6.2 is the version supplied by the repositories for Linux Mint... 18.2

    I see that the Beta for 19.2 is out , and that supplies a version 6.0.7

    I installed 6 alongside 5 some time ago from the website...

    Version 6 has a toolbar for Logo, Version 5 does not.

    So, will the LibreLogo macro run in version 5 at all ?

    1. bombastic bob Silver badge
      Devil

      Re: Not in Version 5 , it would seem.

      looks like it's in version 6 on FreeBSD, in any case.

      My fix (hopefully works):

      rename /usr/local/lib/libreoffice/share/Scripts/python/LibreLogo to something else

      Should make any attempt to run LibreLogo python stuff fail. Doesn't seem to affect loading the program, though. I'm sure I'll _NEVAR_ miss this "feature".

      in case anyone wonders, there's a checkbox in the 'view toolbars' menu in Libre Office writer, for 'Logo'. It's off, but I'm not convinced that's enough. Renaming the directory where its support files are, that SHOULD fix it. Use "locate LibreLogo" to find them.

      (or on linux, most likely in /usr/lib/libreoffice/share/... yotta yotta)

  4. Updraft102

    There is no such distinction in ODF (Open Document Format) as used by OpenOffice and LibreOffice. Perhaps there should be.

    I propose ODF for those without macros, and [nothing] for those with macros.

    1. bombastic bob Silver badge
      Meh

      I've never liked word macros, especially the auto-run kind. don't wanna code 'em, too much trouble, viruses etc. like "insecure by design". RTF format actually made more sense at one time. But from now on if someone sends me a document, I guess I'll have to find a way to get rid of any macros in it before opening, even in libre office.

      stupid feature creep.

  5. stuartnz
    Unhappy

    Disappointed muchly

    I am running 6.2.5 and have never enabled LibreLogo anyway, in any version, but it's still disappointing that the devs had left the door open for this old school style vulnerability. Errare humanum est, romanes eunt domus, etc.

    1. Zack Mollusc

      Re: Disappointed muchly

      People called Romanes, they go, the house?

      1. Sir Runcible Spoon
        Coat

        Re: Disappointed muchly

        It says 'Romans go home'

        1. FrogsAndChips Silver badge

          Re: Disappointed muchly

          No, it doesn't! What's the Latin for "Roman"? Come on, come on!

          1. Anonymous Coward

            Re: Disappointed muchly

            It's deliberate "Romeglish" - along the same lines as Franglais. In other words, deliberately crass.

            1. stuartnz

              Re: Disappointed muchly

              I'm not sure if "crass" was what the MPFC team were going for in their sendup of a "classical" education, but since the language being used was Latin, not Roman, why "Romeglish"?

  6. Allan George Dyer
    Facepalm

    Defaults...

    "LibreLogo is an optional component, though installed by default."

    On Ubuntu 18.04.2 LTS, libreoffice-librelogo is a separate package, not installed by default.

    icon - phew, I dodged that one!

    1. NATTtrash

      Re: Defaults...

      Same here for Xubuntu 18.04.2 LTS. But that is also *buntu of course. Looks like there might be considerable "per-distro" differences...

    2. PaulVD

      Re: Defaults...

      Ditto on Linux Mint 19 / LibreOffice 6.5.2. Logo is available as an extension, but not installed by default.

      1. John Brown (no body) Silver badge

        Re: Defaults...

        I've not checked the binary package, but the port (ie building from source) has Java support turned off by default, so no macros, XML filters or DB connections.

        ...and just checked, looks like the binary package is the same.

        But whoever thought trusting macros and building in the Logo crap should be sacked and wages withheld. That'll show'em!!

    3. bombastic bob Silver badge
      Meh

      Re: Defaults...

      on FreeBSD the port installs all of it, and I didn't see a configure option to get rid of LibreLogo. however, it installs to a specific place and looks like renaming the directory (or blowing it away) would avoid the bug by preventing it from running. so you'd get an error, the first clue that something is wrong with that document.

  7. DerekCurrie
    Holmes

    LibreOffice Version 6.2.5.2 Is Current

    LibreOffice has in recent months had minor version confusion in its metadata. You may see it listed in your OS as 6.2.5.002. I have no idea why. The proper current version number is 6.2.5.2. Be confused no longer, my padawans.

    1. Barry Mahon

      Re: LibreOffice Version 6.2.5.2 Is Current

      Mine says 6.2.1 is up to date ??

      1. YetAnotherLocksmith Silver badge

        Re: LibreOffice Version 6.2.5.2 Is Current

        Check again. As of right now, 6.2.5.2 is on the website as the latest version.

        Or, disable the logo module.

  8. YetAnotherLocksmith Silver badge

    Sent a dodgy ODF?

    I'd be incredibly suspicious of an ODF coming in on my email! Seriously, it's been Word macro viruses for over 20 years. Don't think anyone but me uses ODF!

    1. Anonymous Coward

      Re: Sent a dodgy ODF?

      Nah, I use only ODF unless circumstances force otherwise. Which for me, is seldom, thank goodness!

      1. jelabarre59

        Re: Sent a dodgy ODF?

        "Nah, I use only ODF unless circumstances force otherwise. Which for me, is seldom, thank goodness!"

        I always send ODF files, if for nothing else than to piss off the Microsoft-using lemmings.

        1. WolfFan Silver badge

          Re: Sent a dodgy ODF?

          MS Word reads ODF files. I think that Pages does, too, but I’m not in a position to test right now. What usually happens is that any formatting in the ODF gets screwed up, so your document looks bad. If you want to look bad, by all means carry on.

        2. bombastic bob Silver badge

          Re: Sent a dodgy ODF?

          if someone needs it formatted, I send PDF. But if it's something they need to edit I usually convert the ODF into a Word doc. It's more "compatible" that way.

          Not sure if word macros using LibreLogo would 'convert' back when you open it.

  9. Anonymous South African Coward Bronze badge

    CLI sorcery helps a lot with identifying files.

    Unfortunately you need to have a background in DOS.

  10. sitta_europea Silver badge

    Debian user here - still on version 5.

    1. HooHah!
      FAIL

      Debian 10

      Debian 9 (stretch) and 10 (buster) have libreoffice-librelogo versions 1:5.2.7-1+deb9u9 and 1:6.1.5-3+deb10u2, respectively, installed by default. My buster machine was upgraded from stretch.

      I didn't even know it was there until I read this article. Feeping creatures, indeed!

  11. Anonymous Coward

    Version 5 has LibreLogo as well.

  12. JLV
    FAIL

    Why, oh, why?

    It’s almost as if, gasp, we needed a consumer-friendly word processor with advanced formatting capabilities.

    BUT NO EFFIN MACROS WHATSOEVER.

    It could just read ODF/DOCX stuff and ignore macros.

    What’s the % of people, and text documents that actually need macros? Does everybody else have to put up with corresponding risks? Ditto Adobe PDFs with active content scripting. Come’on it’s been 15-20 yrs now we know they suck.

    Browsers are heavily sandboxed

    Word processors are not, shouldn’t have to be, can’t really be (file system access) and have insufficient exposure, unlike browsers facing a hostile internet, to develop a comprehensive immune system.

    I am not ranting about spreadsheets, which carry the same risks, but have more general justifications for a macro feature.

    MS Word admittedly seems closer with no-macro extensions (but then they fail by hiding extensions). And of course, they’ve made macros a “feature” in the first place.

    In any case, packaging a learn-to-program toolkit in a word processor is an act of monumental stupidity. Open source or not. Fail.

    P.S. on a related subject, despite being a huge Python fan, the last thing we need is Python as VBA in Office or Python as JS in browsers.

    1. Anonymous Coward

      "packaging a learn-to-program toolkit in a word processor is an act of monumental stupidity"

      In 2019 packaging anything that does Y in a program supposed to do X is monumental stupidity.

      Unfortunately on a stupidity scale of 0 to aleph-null, there's always a software designer who will go full aleph-one.

    2. Anonymous Coward

      Re: Why, oh, why?

      "It’s almost as if, gasp, we needed a consumer-friendly word processor with advanced formatting capabilities.

      "BUT NO EFFIN MACROS WHATSOEVER".

      Quite so. In accordance with the Unix tools philosophy - each tool should do one thing as well as it can be done. To do complex things, you chain the tools together.

      1. Herby
        Facepalm

        Re: Why, oh, why?

        "Quite so. In accordance with the Unix tools philosophy - each tool should do one thing as well as it can be done. To do complex things, you chain the tools together."

        Spoken like someone who hasn't installed EMACS (yet).....

  13. wayne 8

    Don't see LibreLogo in 6.0.6.2

    I stopped upgrading LibreOffice when the next version blocked loading of data from other local spreadsheets.

    I assume because some people were blindly clicking "yes" to loading from unknown external sources.

    I see no reference to LibreLogo in 6.0.6.2 that came with Xubuntu 16.04.
