Bug 98051 - Improve Macro Security warning
Summary: Improve Macro Security warning
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: UI
Version (earliest affected): unspecified
Hardware: All All
Importance: low trivial
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: Options-Dialog
Reported: 2016-02-21 09:51 UTC by Andreas B.
Modified: 2020-04-09 03:36 UTC

See Also:
Crash report or crash signature:


Description Andreas B. 2016-02-21 09:51:08 UTC
Microsoft Office macros are currently used to infect PCs by sending a document with macros. Like LibreOffice, Microsoft Office asks the user whether he wants to execute the macros.

But there is a simple trick: the document contains something like "If the document is not displayed correctly, enable macros".

As a standard user may not know what macros are, and especially on Windows a lot of such warnings are displayed, there is a big chance a user clicks "Execute Macros".

Even if I haven't heard about such an infection with LibreOffice, there should be a security mechanism which prevents exactly this behaviour.

First we need to identify all potentially security-relevant Basic methods:
* Shell: execute a system command
- e.g. download a file with CMD tools
- execute a virus...

* Open files for writing
- write a batch / shell script into the autorun folder of the user
- write an executable to a location where it gets executed

* Probably a lot more, please help listing it!


My proposal to solve the security issues while still letting the useful macros work. If you have a better idea: the discussion is open!

I would create a "MacroRoule.xml" with a white list of allowed operations:
<macroRoule>
  <writeableFiles>
    <file>/home/asdf/myWhitelistedFile.txt</file>
    <file>/home/asdf/anotherFile.bin</file>
  </writeableFiles>
  <writeableFolders>
    <file>/home/asdf/libreOfficeOutput</file>
    <file>/home/asdf/anotherFolder</file>
  </writeableFolders>

  <allowedCommands>
    <command>/usr/bin/gedit</command>
    <command>/usr/bin/nautilus</command>
  </allowedCommands>
</macroRoule>

The file has to be placed in a folder where usually only system administrators have access, and it should be hidden. So if a company or a developer needs macros, it's really easy to edit the file. For a standard user it's nearly impossible to edit this file.

I think this would increase security a lot, without preventing document-editing macros from running.
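To show how the proposed allowlist could be enforced, here is an added example (not code from the reporter or from LibreOffice) that parses a policy in the proposed MacroRoule.xml shape and decides whether a write or command request is permitted. The policy contents and the `MacroPolicy` class are constructed for the illustration; the element names mirror the proposal above.

```python
import posixpath
import shlex
import xml.etree.ElementTree as ET
# Constructed sample policy in the proposed format (not a real LibreOffice file).
POLICY_XML = """<macroRoule>
  <writeableFiles>
    <file>/home/asdf/myWhitelistedFile.txt</file>
  </writeableFiles>
  <writeableFolders>
    <file>/home/asdf/libreOfficeOutput</file>
  </writeableFolders>
  <allowedCommands>
    <command>/usr/bin/gedit</command>
  </allowedCommands>
</macroRoule>"""

def _canonical(path):
    """Absolute, normalised POSIX path, or None for a relative one.
    normpath folds "..", so /home/asdf/libreOfficeOutput/../.bashrc is judged
    by where it really points; a deployed check must also resolve symlinks."""
    return posixpath.normpath(path) if path.startswith("/") else None

class MacroPolicy:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.files = {_canonical(t) for t in self._texts(root, "writeableFiles")}
        self.folders = {_canonical(t) for t in self._texts(root, "writeableFolders")}
        self.commands = {_canonical(t) for t in self._texts(root, "allowedCommands")}
        for entries in (self.files, self.folders, self.commands):
            entries.discard(None)  # a relative policy entry can never match

    @staticmethod
    def _texts(root, section):
        sec = root.find(section)
        return [e.text.strip() for e in sec if e.text] if sec is not None else []

    def may_write(self, path):
        """Exact whitelisted file, or anything strictly inside a whitelisted folder."""
        p = _canonical(path)
        if p is None:
            return False
        return p in self.files or any(p.startswith(f.rstrip("/") + "/") for f in self.folders)

    def may_execute(self, command_line):
        """Only a whitelisted absolute executable may run; arguments are not inspected."""
        argv = shlex.split(command_line)
        return bool(argv) and _canonical(argv[0]) in self.commands

POLICY = MacroPolicy(POLICY_XML)
```

Note that relative paths and bare command names are denied outright, so a folder entry cannot be escaped with `..` and an allowed command cannot be shadowed by a same-named file elsewhere.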
Comment 1 Cor Nouws 2016-02-21 20:35:12 UTC
Hi Andreas,

Thanks for your concern and listing your ideas.
Do you realize that by default macros are disabled (security High)? And that to change that setting quite some steps must be taken (and that information is given along the way)?

Can you please consider that and update this issue accordingly?

Ciao,
Cor
Comment 2 Andreas B. 2016-02-21 21:15:09 UTC
Hi Cor Nouws

That's right, but you get a dialog box which states the three steps needed to enable macros.
(There is also a warning that it can contain viruses)

But: Microsoft Office also has Macros disabled by default and shows a notification to the Users (Source e.g.: https://support.office.com/en-us/article/Change-macro-security-settings-in-Excel-3b5ec213-efcc-4d48-9efd-83d097397a7e)

And currently a lot of users get infected this way, because the document says the user has to enable macros. Even if it's a little easier in MS Office.

I picked up an example article: https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/

The main point: how can LibreOffice prevent such behaviour without blocking macros that may be needed?

(Even if the main problem in this case is the user, not the software, I think it's an important point to discuss)
Comment 3 Cor Nouws 2016-02-22 14:02:37 UTC
(In reply to Andreas B. from comment #2)

> That's right, but you get a dialog box which states the three steps needed
> to enable macros.

So better information, clearer warning?

> The main point: how can LibreOffice prevent such behaviour without
> blocking macros that may be needed?

In a business environment admins are able to set this (group policy, extensions on installation level).
In a local environment, we need to allow users to handle..

> (Even if the main problem in this case is the user, not the software, I
> think it's an important point to discuss)

We say "don't do this unless.. " and someone still does it. Sad but true.
Comment 4 Andreas B. 2016-02-22 17:03:24 UTC
>So better information, clearer warning?
>We say "don't do this unless.. " and someone still does it. Sad but true.

If the user ignores the warning, you cannot make a better warning...

As there is currently no specific threat to LibreOffice, close the bug and think about it if there is a real attack? (Hopefully that doesn't happen)
Comment 5 Cor Nouws 2016-02-23 11:13:32 UTC
(In reply to Andreas B. from comment #4)
> If the user ignores the warning, you cannot make a better warning...

Maybe the current text can/should be improved?
Something like "Please read the Help for information on macro security, if this is new for you."
Comment 6 Buovjaga 2016-02-26 20:02:29 UTC
(In reply to Cor Nouws from comment #5)
> Maybe the current text can/should be improved?
> Something like "Please read the Help for information on macro security, if
> this is new for you."

Let's try it.
Comment 7 Adolfo Jayme 2016-02-27 00:36:01 UTC
Feel free to prepare and commit a patch, then =)
Comment 8 QA Administrators 2017-03-06 15:26:49 UTC Comment hidden (obsolete)
Comment 9 QA Administrators 2020-04-09 03:36:02 UTC
Dear Andreas B.,

To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year.

There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present.

If you have time, please do the following:

Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/

If the bug is present, please leave a comment that includes the information from Help - About LibreOffice.
 
If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice.

Please DO NOT

Update the version field
Reply via email (please reply directly on the bug tracker)
Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case)


If you want to do more to help you can test to see if your issue is a REGRESSION. To do so:
1. Download and install the oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from https://downloadarchive.documentfoundation.org/libreoffice/old/

2. Test your bug
3. Leave a comment with your results.
4a. If the bug was present with 3.3 - set version to 'inherited from OOo';
4b. If the bug was not present in 3.3 - add 'regression' to keyword


Feel free to come ask questions or to say hello in our QA chat: https://kiwiirc.com/nextclient/irc.freenode.net/#libreoffice-qa

Thank you for helping us make LibreOffice even better for everyone!

Warm Regards,
QA Team

MassPing-UntouchedBug