Microsoft Office macros are currently used to infect PCs by sending a document with macros. Like LibreOffice, Microsoft Office asks the user whether to execute the macros. But there is a simple trick: the document contains text like "If the document is not displayed correctly, enable macros". As a standard user may not know what macros are, and especially on Windows a lot of such warnings are displayed, there is a big chance a user clicks on "Execute Macros".

Even if I haven't heard about such an infection with LibreOffice, there should be a security mechanism which prevents exactly this behaviour.

First we need to identify all possible security-relevant Basic methods:

* Shell: Execute a system command
  - e.g. download a file with CMD tools
  - execute a virus....
* Open Files for Writing
  - Write a Batch / Shell script in the Autorun folder of the user
  - Write an executable itself at a location where it gets executed
* Probably a lot more, please help listing it!

My proposal to solve the security issues, but still let the usable macros work. If you have a better idea: the discussion is open!

I would create a "MacroRoule.xml" with a white list of allowed operations:

    <macroRoule>
      <writeableFiles>
        <file>/home/asdf/myWhitelistedFile.txt</file>
        <file>/home/asdf/anotherFile.bin</file>
      </writeableFiles>
      <writeableFolders>
        <file>/home/asdf/libreOfficeOutput</file>
        <file>/home/asdf/anotherFolder</file>
      </writeableFolders>
      <allowedCommands>
        <command>/usr/bin/gedit</command>
        <command>/usr/bin/nautilus</command>
      </allowedCommands>
    </macroRoule>

The file has to be placed in a folder where usually only system administrators have access to it, and it should be hidden. So if a company or a developer needs macros, it's really easy to edit a file. For a standard user it's nearly impossible to edit this file.

I think this would increase the security really much, without preventing document editing macros from running.
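A sketch of how the whitelist proposed in the report above could be evaluated, added here as an example; it is not part of the original report and not LibreOffice code. The `MacroPolicy` class and its method names are hypothetical, the policy text is a constructed sample, and POSIX paths are assumed.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample policy using the element names from the proposal.
SAMPLE_POLICY = """<macroRoule>
  <writeableFiles><file>/home/asdf/myWhitelistedFile.txt</file></writeableFiles>
  <writeableFolders><file>/home/asdf/libreOfficeOutput</file></writeableFolders>
  <allowedCommands><command>/usr/bin/gedit</command></allowedCommands>
</macroRoule>"""


def canon(path):
    """Resolve '.', '..' and symlinks so lookalike paths compare equal."""
    return os.path.realpath(path)


class MacroPolicy:  # hypothetical name, not a LibreOffice API
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)

        def entries(xpath):
            return {canon(e.text.strip()) for e in root.iterfind(xpath)
                    if e.text and e.text.strip()}

        self.files = entries("writeableFiles/file")
        self.folders = entries("writeableFolders/file")
        self.commands = entries("allowedCommands/command")

    def may_write(self, path):
        # Relative paths depend on the working directory, so deny them.
        if not os.path.isabs(path):
            return False
        target = canon(path)
        if target in self.files:
            return True
        # commonpath compares whole components, so ".../libreOfficeOutputEvil"
        # does not match the whitelisted ".../libreOfficeOutput".
        return any(os.path.commonpath([target, d]) == d for d in self.folders)

    def may_run(self, executable):
        # Only an absolute path to a whitelisted binary passes; a bare name
        # would be resolved through PATH, outside the policy's control.
        return os.path.isabs(executable) and canon(executable) in self.commands


if __name__ == "__main__":
    policy = MacroPolicy(SAMPLE_POLICY)
    for p in ("/home/asdf/libreOfficeOutput/report.csv",
              "/home/asdf/libreOfficeOutput/../.config/autostart/x.desktop"):
        print(p, "->", policy.may_write(p))
    print("/bin/sh ->", policy.may_run("/bin/sh"))
```

The check and the later file open are separate steps, so an enforcing implementation would have to open the canonical path it just checked rather than the macro-supplied string.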
Hi Andreas,

Thanks for your concern and listing your ideas.
Do you realize that by default macros are disabled (security High)? And that to change that setting quite some steps must be taken (and that information is given along the way)?
Can you please consider that and update this issue accordingly?

Ciao,
Cor
Hi Cor Nouws

That's right, but you get a dialog box which lists the three steps that are needed to enable macros. (There is also a warning that it can contain viruses.)

But: Microsoft Office also has macros disabled by default and shows a notification to the users (source e.g.: https://support.office.com/en-us/article/Change-macro-security-settings-in-Excel-3b5ec213-efcc-4d48-9efd-83d097397a7e)

And currently a lot of users get infected this way, because it is written that the user has to enable macros. Even if it's a little easier in MS Office. I picked up an example article: https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/

The main point: How can LibreOffice prevent such behaviour, but not block macros that may be needed?

(Even if the main problem in this case is the user - not the software, but I think it's an important point to discuss)
(In reply to Andreas B. from comment #2)
> That's right, but you get a Dialog Box, which says the three steps which are
> needed to enable Macros.

So better information, clearer warning?

> The main point: How can LibreOffice prevent such a behaviour, but don't
> block may needed macros?

In a business environment admins are able to set this (group policy, extensions on installation level).
In a local environment, we need to allow users to handle..

> (Even if the main problem in this case is the user - not the software, but I
> think it's an important point to discuss)

We say "don't do this unless.. " and someone still does it. Sad but true.
> So better information, clearer warning?
> We say "don't do this unless.. " and someone still does it. Sad but true.

If the user ignores the warning you cannot do a better warning...

As there is currently no specific threat at LibreOffice, close the bug and think about it if there is a real attack? (Hopefully does not happen)
(In reply to Andreas B. from comment #4)
> If the user ignore the warning you cannot do a better warning...

Maybe the current text can/should be improved?
Something like "Please read the Help for information on Macro security, if this is new for you."
(In reply to Cor Nouws from comment #5)
> Maybe the current text can/should be improved?
> Something as "Please read the Help for information on Macro security, if
> this is new for you."

Let's try it.
Feel free to prepare and commit a patch, then =)
** Please read this message in its entirety before responding **

To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year.

There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present.

If you have time, please do the following:

Test to see if the bug is still present on a currently supported version of LibreOffice (5.2.5 or 5.3.0): https://www.libreoffice.org/download/

If the bug is present, please leave a comment that includes the version of LibreOffice and your operating system, and any changes you see in the bug behavior.

If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a short comment that includes your version of LibreOffice and Operating System.

Please DO NOT:
- Update the version field
- Reply via email (please reply directly on the bug tracker)
- Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case)

If you want to do more to help you can test to see if your issue is a REGRESSION. To do so:

1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) http://downloadarchive.documentfoundation.org/libreoffice/old/
2. Test your bug
3. Leave a comment with your results.
4a. If the bug was present with 3.3 - set version to "inherited from OOo";
4b. If the bug was not present in 3.3 - add "regression" to keyword

Feel free to come ask questions or to say hello in our QA chat: http://webchat.freenode.net/?channels=libreoffice-qa

Thank you for helping us make LibreOffice even better for everyone!

Warm Regards,
QA Team

MassPing-UntouchedBug-20170306
There's some improvement in wording since 24.2 with the fix for bug 157588. Gabor and Andreas, what should we do with this report?