Home page logo

interesting-people logo Interesting People mailing list archives

IP: A MUST READ -- a comment on viruses etc from Gene Spafford - a real security expert
From: Dave Farber <farber () cis upenn edu>
Date: Sat, 20 May 2000 14:00:01 -0400

Date: Sat, 20 May 2000 12:11:05 -0500
To: farber () cis upenn edu
From: Gene Spafford <spaf () cerias purdue edu>
Subject: For IP

Jim Warren's post prompts me to send this out.   I wrote this last week 
for our campus security mailing list (I am the campus ISSO, among other 

 (This has been edited somewhat from the original.)

Several of you have taken me to task for my comments about Microsoft 
software quality.  I don't say these things to bash MS -- I say them 
based on over a dozen years of experience and research in infosec 
issues.  Quite simply, Microsoft is the vendor that is putting arbitrary 
scripting commands into their email clients and servers, Microsoft 
products are ones that continue to exhibit security flaws and problems 
known to researchers for decades, and it is Microsoft's design decisions 
and products that result in problems such as Melissa, the "love bug," and 
a myriad of computer viruses. Couple this with the nearly total Windows 
population in some environments, and we have an extremely volatile situation.

Ask any biologist, doctor, historian, or agricultural specialist: what 
happens when you introduce a severe contagion into a monoculture 
population with little natural resistance? You get pandemic -- widespread 
infection and damage. Whether it is measles and smallpox killing 
something like 90% of the Aztecs, Dutch Elm disease destroying a mainstay 
of the American forest, or ILOVEYOU in Outlook damaging files on machines 
worldwide, the result is a massive and quick-spreading epidemic.

Analyze statistics from anti-virus researchers, companies, and on-line 
documents.  You will find that there are currently about 60,000 
recognized computer viruses (not worms, such as Melissa or ILOVEYOU, but 
traditional viruses).  Of these (as of this week):
  * slightly less than 52,000 are viruses for DOS/Window/NT platforms
     - about 6000 of these are Word macro viruses
     - about 150-200 of these are known to be widespread "in the wild"
     - in 1999, approximately 650 new viruses were reported each month 
(more than 20 a day)
  * 680 are for the Amiga
  * A few hundred are for Javascript, Hypercard, Perl, and other 
scripting languages.  Few of these can spread beyond a few machines 
without active support of the users
  * 150 are for the Atari
  * 31 are native to the Macintosh, and only two of them are known to 
exist anymore
  * 2 or 3 are viruses native to OS/2
  * About 5 are for Linux/Unix/etc, but none have been found in quantity 
"in the wild", nor would they be likely to spread very far if they were "loose"
  * None are for BeOS, ErOS, or other small-population systems.

So, over 85% of all the known viruses are for Microsoft platforms (nearly 
all the self-propagating worms are as well). The rate of new reports -- 
especially for macro viruses -- means that pattern-based virus detectors 
can never be up-to-date and provide 100% protection. (Note: I'm not 
trying to draw grand conclusions here about the reasons for this skew, 
but simply point out where the overwhelming threat is.)  Fast-spreading, 
self-propagating worms using Outlook move so quickly that they are likely 
to be upon us before an anti-virus vendor can even get a copy to analyze.

The situation is made worse by Microsoft trying to minimize the scope of 
the problem and claim that they aren't responsible in any way. The MS 
spin doctors are even attempting to blame the users! (One MS executive 
even claimed that we should beat our users to prevent problems such as 
the "love bug": <http://www.digitalmass.com/columns/software/0508.html>). 
Microsoft employees and apologists are attempting to claim that these are 
problems that every software platform has, as if this somehow makes the 
gaping vulnerabilities less of a problem. This is simply not true -- you 
can't construct a "Melissa" or "love bug" worm without Outlook and MS 
Windows scripting host.

So, we need to do what we can ourselves to help our situation. What 
should you, as Purdue system and security administrators, consider doing?

#1 is to make sure your anti-malware software is up-to-date to detect 
older, known viruses. We have site licenses for various NAI products if 
you don't have something installed yet. Also, install Tripwire if you are 
using NT or Unix boxes (we have this site-licensed, too). The use of 
Tripwire will help detect new, as-yet undetected viruses (after the fact, 
unfortunately) and also help in clean-up of damage by giving a snapshot 
of altered files and registry settings. (It also provides intrusion 
detection in addition to the change detection involved in detecting viruses.)

#2 is to ensure that your users understand good anti-malware practices. 
This can't stop all future problems, but it may help limit their spread. 
In particular, get users to cut and paste text in email rather than 
attach Word documents. If they need to send a file of some kind, then 
have them use ftp rather than embed the files in email. On the receiving 
side, users should simply reject any executable content rather than 
depend on virus screening.

#3, perform regular, comprehensive backups of all systems. If you do not 
perform regular, full backups of any systems, notify those users and 
ensure that they understand the procedures (and importance) to do it 
themselves. Files deleted by buggy software, viruses, worms, crashes or 
simple mistakes cannot always be recreated. Backups are critical for 
recovery. (Be sure to test your backups periodically to ensure they work!)

#4, be certain your systems are up-to-date on patches and security fixes, 
no matter what kind of platform you may be using.

#5 If you use Outlook, disable the Windows scripting host feature (see 
article at the URL given above). Alternatively, think about switching 
your users from Outlook to some other email client (e.g., Eudora). For 
this to work, however, you need to de-install Outlook rather than simply 
install something alongside it. (There was at least one case on campus 
where someone using Eudora on Windows saved the ILOVEYOU code to disk and 
started it, and it then activated Outlook to use the global address book 
to mail copies to other users.)

#6, if your users are using Internet Explore, be certain they have their 
security settings on the highest level for all zones unless you *know* it 
is safe to use a lower setting. Also, in the security settings, disable 
ActiveX if at all possible -- ActiveX supports threats that cannot be 
defended against. In all WWW browsers users should be careful about 
enabling Javascript and Java, with Java being safer than Javascript in 
up-to-date browsers.

#7, When acquiring new systems, think carefully if you really need 
Windows/Word, or whether an alternative is available that is more 
resistant to attack. This is especially a concern if you don't have staff 
or expertise to be constantly dealing with security concerns. For 
instance, if you are only seeking a machine to run a WWW server, then a 
Mac makes a robust server with an almost non-existent history of security 
problems. In fact, last year the US Army replaced their NT-based WWW 
servers after repeated security problems and they have not had a single 
security incident since! Similarly, you can run Excel and Word on a Mac, 
and using StarOffice on a Unix box you can deal with the same files. 
There are also other word processing programs (e.g., Framemaker, 
AppleWorks, others) and spreadsheet systems. Windows and Office are not 
the only choices.

The key here is to think about total cost of operation and the needed 
core functionality. When you put a machine in service there may be the 
up-front cost of the box and the software, and in this regard a Wintel 
box seems the best choice. But add in the time spent applying security 
patches, strengthening the default installation, responding to (and 
cleaning up after) break-ins and malware incidents, and the time spent 
staring at blue screens -- time for you and your staff is valuable, as is 
the loss of productive work time by your users. Yes, Windows runs 
thousands more programs than does Unix or a Mac -- but do you ever need 
those in a work or lab environment? Most are games, or are versions of 
software you don't need or already have in another form.  Consider 
carefully what you want: buying a system because it runs programs you 
will never use and that may cost more over its lifetime to operate is not 
a bargain.

This is not intended to suggest that Microsoft is the source of all evil, 
or that you should run out and replace all your Windows boxes with 
something else.   There are good people working for MS -- and several of 
them are former students and colleagues. The university (and the world 
around us) would come to a very abrupt halt if we didn't have MS products 
for everyday use.  Furthermore, other vendor products are hardly bug-free 
-- we continue to see security advisories for Solaris, HP-UX, Linux, and 
others. But the number of security problems for MS products and the near 
ubiquity of MS platforms in many environments means that we need to be 
especially concerned about this as a potential problem area.  (See 
<http://www.securityfocus.com/frames/?content=/vdb/stats.html> for some 
interesting numbers supporting this.)

Several security experts, myself included, are convinced that we have 
seen only the tip of the iceberg as far as new worm/virus code is 
concerned. Being aware of alternatives and threats is the first step in 
protecting ourselves. Trying to reduce the "monoculture" environment and 
replace the most vulnerable members of the population is simply one step 
towards protecting our environment against future threats.

You *do* have choices, and if only enough people exercised their choices 
we might find *all* the vendors paying a little more attention to security.

  By Date           By Thread  

Current thread:
  • IP: A MUST READ -- a comment on viruses etc from Gene Spafford - a real security expert Dave Farber (May 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]