Worming its way to insecurity

When it comes to the growing multitude of viruses and worms that wreak havoc by exploiting security holes in its products, some say Microsoft is between a rock and a hard place.

The rock is its business and product strategies, which drive it to provide maximum functionality to its users while zealously protecting its source code. The hard place is the motley group of hackers and cranks seemingly determined to exploit that functionality to do maximum harm to Microsoft's more naive customers.

But others sheet culpability directly home to the company, insisting Microsoft should be in the same boat as any manufacturer which fails to incorporate safeguards into its products, be it seat belts, child-proof bottle caps or safety guards on power machinery.

They say explicit decisions to elide or avoid safety features make Microsoft just as culpable as any other company allowing breaches of safety in its products, morally if not legally.

Pointing to the proliferation of MS Office-based macro viruses that exploit ActiveX engines as a prime example, this group argues Microsoft's bid to "enable the desktop" has seen technologies like Visual Basic, ActiveX, Active Content and Windows-extended Java opening systems to enormous amounts of harm.

If there are far more security exploits against Windows systems than all others combined, they say, then that's precisely because Windows is such an easy target.

They argue the advent of the Internet coupled with a push for active content has left Windows machines, originally designed as stand-alone "offline" systems, wide open to attack.

With Lloyd's of London putting the cost of repairing the damage done by the love bug virus alone at $25 billion, most of it uninsured, these people see Microsoft sharing at least some of theblame.

High risk

There's been ongoing debate for some years on Internet mailing lists between those blaming Microsoft for selling technologies carrying attendant risk and those who say the onus is on users to reduce that risk.

Statistics would seem to provide ammunition to the former group. Computer Emergency Response Team (CERT) figures show in the 10-year (120-month) period to 1997, a total of 12,362 security incidents were reported. The rise of Windows-based computing saw those figures soar by 150 per cent to 17,859 reported incidents in the subsequent 27 months alone.

With few if any recorded viruses and worms affecting non-Windows systems even today (even allowing for the lower installed base of those systems) it would seem evident it was the introduction of PCs running the MS Windows operating system to the Internet that resulted in the dramatic rise in breaches.

Whatever the case, Microsoft has come under more fire than ever of late from IT users and security experts who charge it with exposing users to, then failing to do enough to help them insulate themselves against the so-called love bug and other e-mail viruses.

"The point is that the root cause of these mass virus proliferations is a pathetically insecure e-mail client foisted upon the public by a certain monopoly whose name I need not mention," wrote a reader of Wired News.

"The only computers susceptible to this ‘virus' are those running Microsoft's Windows operating system and the Microsoft Outlook e-mail client; but due to the herd mentality of IT managers around the world, this means almost every desktop office machine," wrote an irate user in a letter to The Australian.

The debate is also a hot topic on the prestigious Link Institute mailing list.

"Microsoft should plug its holes rather than promoting them as features (perhaps they could issue another one of those quaintly named ‘Service Packs')," wrote one contributor . . . and if it wants to play with the big boys in a networked world at least pay rudimentary attention to little aspects like network security, operating system security and the like."

Others disagree. "Maybe I'm just not getting it, but pushing the blame back and forth when this seems to be just a plain case of ‘personal security' is beyond me," said another.

Not surprisingly, Microsoft too rejects the criticisms, arguing it does everything possible to educate its users about best practices and ways to avoid exposure, and saying it makes its security patches as broadly available as possible.

Cofounder Bill Gates even seized on the latest e-mail attack to argue in Time Magazine - rather absurdly in this writer's opinion - that splitting the company in two, as recommended by US federal prosecutors during the antitrust trial, would make it even harder for users to protect against future love bugs.

This much is clear: like other worms before it, the "love letter" worm and its many variants incorporate malicious VBScript code that capitalise on features within Microsoft products including the Outlook e-mail client in order to replicate and cause damage to files.

According to a FAQ prepared by Rick Welykochy of Praxis, the vulnerability is due entirely to Microsoft's programming of both the Windows system and the Outlook e-mail application, which are intricately tied together by Visual Basic.

It's all in the Script

VB supports full access to the file system and Internet communications, making it possible to alter and destroy files as well as send e-mails and contact chat groups with just a few lines of programming code.

Welykochy says "one-click" launching of active content is dangerous, getting users used to the convenience of one-click execution of scripts and other executables and thus inviting them to unwittingly expose their systems to destructive worms such as the love bug. He says it's a feature that should never have been offered to users.

And he points out Microsoft's recent response to the problem, a fix that stops active content from executing by default, is only possible for users who download and install the required patches.

At least under Windows 95 and 98 users can protect somewhat against exposure by disabling the Windows Scripting Host. But now there are claims Windows 2000 users will be the losers in the trade-off between automation and total operability.

Richard Baldry, the local MD for UK-based virus software company Sophos, claims Microsoft's latest operating system is so automated it may be impossible to dismantle the script-enabling function which allows such worms to infiltrate and infest PCs.

But even before Windows 2000, Visual Basic - the language that enables varied MS applications like Word, Excel, Explorer and Outlook to communicate with each other - had shown its capacity to bring the Internet e-mail system and millions of personal computers to their respective knees.

Robert Wilkie, a senior security consultant with IT Audit & Consulting, says the problem can be considered an inherent design flaw in some Microsoft products. He says providing a fully featured scripting language like VB introduces a series of vulnerabilities in letting users create fully functional macros to perform functions like executing programs and deleting files.

"It is possible to turn these things off," says Wilkie, "but the right settings to do it are buried down three or four layers. The average Jo Blow home user is not going to have the know-how to do it. Couple that with systems administrators at large organisations who don't necessarily have a security focus, and obviously you've got the problem which we've just seen."

Wilkie says that while non-Microsoft products like Corel Draw and PhotoPaint also incorporate fully featured scripting languages, these haven't been abused at least partly because they are not as widely used.

And he criticises Microsoft for not adopting a default "Deny" policy, in which such functionality would be disabled until it was switched on by users. Microsoft, he says, should begin a user education program and include new functionality in software to warn users of the dangers every time they go to execute a VB script.

Jumping to the defence, Ross Dembecki, lead product manager with Microsoft, points out that the company released an e-mail attachment security update last year that is now included as a standard feature in Office 2000 SR-1.

He says the update does exactly what Wilkie asks, increasing security protection by changing the attachment dialogue box to provide much more explicit warnings about attachments and forcing users to save attachments to the file system.

Compound exposure

And in response to criticism that Microsoft isn't doing enough to alert users to the vulnerabilities, Dembecki insists Microsoft broadly communicates the availability of updates via the press, its Communique magazine, through its subscription-based Office newsletter and on its Web sites.

"We're certainly focused on educating users on how they can protect themselves against viruses in general," he says.

"We work very closely with the leading antivirus software vendors and they all have updates to their signature file to handle this and various mutations of the ILoveYou virus."

In the server environment, the love bug had minimal affect on systems not running Microsoft Exchange Server. Servers using Unix Sendmail, Novell Groupwise or Lotus Notes e-mail products suffered nowhere near the propagation problems the virus caused in environments where Exchange Server was the e-mail hub.

Frank O'Connor, a contributor to MacWorld magazine, believes Microsoft's entire Internet strategy is to blame.

He argues Microsoft, under threat from Netscape, Java, JavaScript and other open source distributed computing technologies, attempted to develop proprietary solutions to do what those technologies do.

However, Microsoft took shortcuts and didn't think about a host of other issues that those more familiar with WAN (wide area networking) (the IETF, W3C, the Java Working Group and others) emphasised.

"In essence, it has tried to leverage its existing closed LAN (local area networking) and single-user cross application, and cross-client technologies into the worldwide network we now live in . . . where the likelihood of hostile and nasty attacks has been accepted as high for many years," O'Connor says.

"Microsoft's technologies are basically built on the assumptions that you trust everyone, that it's more process efficient not to limit software capabilities and install a heap of security, and that the WAN is simply an extension of the LAN."

Welykochy agrees.

"Computer viruses have plagued the PC desktop for over 10 years. The problem is greatly compounded now that the PC is on the Internet and able to transmit viruses to other connected PCs," Welykochy says.

"Rather than plug security holes known since the early days of Windows (late 1980s), Microsoft has inadvertently extended the number of insecure entries into the operating system, for the sake of interoperability of its products. One would conclude this was done to gain market share and capture the desktop," he says.

This accords with the views of one senior systems administrator at a Sydney district university who preferred not to be named.

She says while one can argue virus security is the responsibility of the end user, it is Microsoft's software environment and design philosophy that allows virus writers to exploit features in the application chain.

Rejecting Microsoft's arguments that the more restrictions you place on the user environment, the less functionality you can provide to the user, the systems administrator says Microsoft knows full well the power of the functionality it provides in its software.

"It has access to the source code of the tools supplied in the application chain that lets viruses propagate. It therefore has an obligation to the end users of its product to ensure that security is a feature of its software, not an ‘add on' from a third-party vendor," she said.

Greg Taylor, IT manager with Brisbane-based AGEN Biomedical Limited, accepts all organisations need to put in place adequate IT security arrangements.

But he too points out that most Windows desktop users are both ignorant of how computers work, and not particularly interested in knowing any more.

"Where Microsoft has failed is that it assumes that Windows installations are in environments where adequate security precautions are in place.

The extent to which this virus has affected so many users throughout the world is testimony to the fact that security is not taken seriously enough.

"Microsoft could certainly do more to plug security holes and provide security advice. However, for too long it has operated on the basis of getting new product to market at a prodigious rate, and security and reliability have taken a back seat," Taylor said.

Whose problem is it?

On the other hand AusCERT senior security analyst Robert McMillan insists the security vulnerabilities are everybody's problem, not just Microsoft's.

"We all have a sense of ownership. If I have a problem at my site it's partly up to me to do what I can to defend against that problem, and that includes making sure I'm educated, making sure my users are educated," he says.

And IT user David Chiam argues that since every person and organisation has a choice about using Microsoft products, Microsoft has no other liabilities besides being the provider of software.

"To an extent, why should Microsoft be doing the education of users? [Neither] Holden nor Ford taught me how to drive nor fix a car when I bought one from them . . .

"As always, there is no harm in providing more education for the end user, but I feel that in comparison with other operating systems, Microsoft is just doing what everyone else is doing."

Legal position

Whatever its moral culpability, even had Microsoft deliberately set out to incorporate security holes in products to leave users exposed to severe risk, one could be forgiven for doubting whether there would be any legal redress available under current law.

Gordon Hughes, a technology law specialist and partner with Blake Dawson Waldron, points out that to a large extent software licensors can shield themselves from any liability for problems with their software through the use of contractual disclaimers.

There is some redress for licensees in relatively limited circumstances under contract or trade practice law where software can be proved to be unfit for its basic purpose or to be of poor quality.

"Beyond that Australia doesn't as yet have laws which specifically target the IT industry in relation specifically to the quality of IT goods or in relation to the effects of the supply of defective IT goods," Hughes said.

Hughes says various Australian governments are aware that the IT industry does to some extent have consumers over a barrel, with people being reliant upon IT products but having relatively little choice or flexibility in negotiating the conditions of supply. But he says none have yet moved to do anything much about it.

Virus includes password-stealing Trojan horseThe ILoveYou e-mail virus, which forced the shutdown of e-mail servers around the world recently, contains a Trojan horse program that sent the cached Windows passwords of unsuspecting recipients who opened the virus-laden attachment to an e-mail account in the Philippines.

Security experts said the Trojan horse program also has the ability to steal passwords to dial-up Internet services from end-user PCs. Infected users should take care to change passwords that may have been compromised, the experts warned.

Elias Levy, a security analyst at SecurityFocus, said the love virus modified Internet Explorer start pages to point to one of four Web sites hosted by a Philippine-based Internet service provider called skyinet.

The virus - which is contained in a Visual Basic scripting attachment called "love-letter-for-you.txt.vbs" - configured compromised PCs to recognise the Philippine Web sites as their default IE homepage and then to download an executable called win-bugsfixe.exe. The executable in turn siphoned off Windows and dial-up passwords and sent them to mailme@super.net.ph, a Philippine e-mail address.

A Microsoft spokesperson confirmed that the Philippine Web sites were stealing passwords, but said that these sites had been taken down. The company insisted that any passwords downloaded would have been encrypted and therefore present no risk to users.

But Levy argued that companies infected by the malicious program before the Web sites were disabled could have inadvertently shipped sensitive and accessible passwords to an unknown attacker. "Anybody who finds the executable on their PC should change passwords on any accounts that you use your computer from," he said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about ADVENTAgen BiomedicalAshurst - AustraliaAusCertBlake Dawson WaldronCERT AustraliaComputer Emergency Response TeamCorelHolden- General MotorsIETFIT Audit & ConsultingLloyd's of LondonMicrosoftNovellPraxisSecurityFocusSendMailSophosW3C

Show Comments