IP: USATODAY.com: Windows too open to viruses, experts say
From: Dave Farber <farber () cis upenn edu>
Date: Tue, 23 May 2000 14:59:09 -0700
05/23/00- Updated 03:51 PM ET
Microsoft programs vulnerable to viruses
By Will Rodger, USATODAY.com
More than 45,000 viruses infect PCs running the Windows operating system
worldwide. Several have caused billions of dollars in damage in the past 12
months. Hundreds more viruses appear each year, requiring armies of
anti-virus programmers to isolate and kill the offending bugs.
By contrast, perhaps 35 viruses have been written for the Macintosh and four
or five for the Unix-based computers that run most Web sites, says Eugene
Spafford, director of the Center for Education and Research in Information
Assurance and Security lab at Purdue University.
This, a growing chorus of security experts say, is not happenstance.
"PC operating systems have inadequate security," says Peter Neumann,
principal scientist at SRI International in Menlo Park, Calif. "Attachments
and executable content are features that should not exist if you are worried
about security. Period."
For even though Microsoft has produced the world's most popular operating
system, its ease of use and the staggering number of features integrated
into Windows and the Office applications has left the world's dominant
computing platform uniquely vulnerable to a plague of troubles.
Not Net viruses; Microsoft viruses
Put simply, the last two big viruses were not Internet viruses. They, like
virtually every virus that has made headlines in the last 10 years, were
Steve Lipner, manager of Microsoft's security response center, says the
criticism is unfair:
"That goes to what Willie Sutton said: The answer is, that's where the money
is. The reason people write viruses for Microsoft Windows is there are lots
of Microsoft machines out there, and that improves the chances for
But that's precisely the point, critics say. Security specialists, drawing
ever more on the language of epidemiology, have long warned that as networks
expand and become more vital to everyday life, they become ever more
vulnerable. Now, viruses face not just high-density populations but would-be
victims that share the same weaknesses.
Like the flu and the smallpox that killed 90% of the Aztecs or the blight
that brought on the Irish potato famine, a single malady can ravage almost
everyone's PC because they all have the same genetic makeup: Windows.
As Windows grows in size - a typical Windows 98 installation can run
anywhere from 120 MB to 295 MB vs. just 40 MB five years ago - the burden of
checking code for errors grows even faster, Spafford says.
But beyond that, he says, is another, more difficult truth: Windows and
Microsoft's equally dominant Office Suite were designed neither for the
Internet nor secure operation generally.
Instead of forcing the operator to stop and check every new program that
hits his hard drive, Windows offers the ability to automatically run any
"script" or Internet-borne program without user intervention.
And viruses are programs, after all.
Windows usually hides telltale ".vbs" tag
Security consultant Rick Forno (www.infowarrior.org) says Microsoft's
now-infamous "visual basic scripting" is emblematic of the problem. VBS, in
fact, can launch hidden programs without so much as notifying users they are
The "love bug" virus that hit May 4 was such a program. Because Windows
usually hides the final ".vbs" tag attached to the end of visual basic
programs, most victims thought what they got was a simple text attachment -
a love letter, in fact.
As it turned out, the virus erased millions of graphics and sound files
worldwide and stole an untold number of passwords from Filipino Internet
accounts before authorities shut down the Web site to which the passwords
were being e-mailed. The virus spread at record rates, thanks to the bug's
tactic of sending copies of itself to every address in every copy of
Microsoft's Outlook e-mail program - again made possible by VBS technology.
That same mechanism showed up again Friday as the "new love" virus struck in
much the same fashion. This time, though, the virus destroyed virtually
every file on infected computers.
A bug in the program, ironically, stopped the virus from spreading very far.
Microsoft has promised a patch to "turn off" the VBS problem in Outlook
sometime this week.
Yet at least a half-dozen major viruses have duplicated
themselves through Microsoft's Outlook over the past 18 months, Forno says.
The infamous Melissa virus, Explore.zip, VBS/Bubbleboy and X97M/Papa viruses
all used the Outlook address book to spread themselves.
Other operating systems don't work this way
Other programs on other operating systems could not behave this way, Forno
says, because applications written for other operating systems - e-mail
programs, word processors and the like - do not reach down into the deepest
levels of the operating system to function.
And true, Forno says, programs like Outlook and Microsoft Word work smoothly
together in part because they share files that are also part of Windows. But
that close connection to the operating system also let "new love" destroy
those same system files, in effect destroying every file on the targeted
computer's hard drive.
The "love bug" and its progeny couldn't procreate so quickly on a Unix
system, Purdue's Spafford says.
For even though security specialists and computer vandals regularly find
holes in Unix operating systems, they have one real strength that keeps them
essentially virus-free: programs don't simply run of their own accord.
Rather than clicking on an icon and waiting for a new program to set itself
up, Unix users must go through a deliberate, sometimes tricky task of
tweaking a software package so that a computer can actually run it.
Is it as easy as Windows? No way, Spafford says. But that's a small price to
pay, he says, when millions are clicking on files they should know better
than to click on.
Eventually, he says, all users will come to realize that ease of use and
total security are at polar extremes of the same continuum. What you gain in
one you usually will lose in the other.
Fred Cohen, a security specialist who performed the first research on
computer viruses, says Microsoft may be only the largest of a group of
After all, he says, one could write a version of Microsoft's Office for Unix
that would cause much the same sort of trouble. And Netscape's Internet
browser and mail program is not only highly popular among Unix users but
also quite insecure from a security specialist's point of view.
"Go ahead and take a swipe at Microsoft," Cohen says. "They deserve it. But
if 90% of the world was running Unix and everybody was running Netscape on
it, we would have the same kinds of problems on Unix."
Specialists say the lure of the quick and easy remains powerful.
"There are a lot of businesses that really like that close integration,"
says Pete Hammes, director of engineering at Para-Protect Services in
Alexandria, Va. "It makes it a lot easier for users that don't have a lot of
German government considers dropping Outlook
It is anyone's guess how long the love affair with simplicity will last. The
German government said Friday that it was considering dumping Outlook
altogether in the wake of the latest virus outbreak.
"I think a really big issue is just design and quality," Spafford says.
"Other operating systems have been designed with security at the forefront."
As dim a view as he takes of Microsoft's work, Spafford concedes there is at
least one factor over which Microsoft has no control: time.
"Windows is relatively a much newer operating system than is the Macintosh
or Unix, which don't have these sorts of problems," he says. "Part of it may
be just maturity."
For now, Lipner says, the company is working to improve its security
practices while giving customers what they want. With its promised "patch"
for its Outlook program in place, Lipner says, users will have to take extra
steps to send or receive attachments that work. Those extra steps, he says,
should give users fair warning before they blindly click on attachments.
"It's not going to be the casual thing it is now," he says.
Regardless of what it does in the future, Microsoft can be thankful that
damage from the viruses hasn't been more widespread.
At a gathering at the Economic Strategy Institute in Washington, D.C., last
week, former CIA director R. James Woolsey said that he expected terrorists
and spies would soon use password-sniffing techniques similar to those
deployed by the "love bug." This time, though, the rogue programs would be
aimed at specific computers, he said. And they would not announce themselves
the way the latest ones did.
"If you've had your computer or network hacked into or somebody's put a
(virus) on your system and is reading out your files before the data is
encrypted, you've got a serious problem," he said.
05/22/00- Updated 03:30 PM ET
Net has made virus writing easier
By Will Rodger, USATODAY.com
Virus writing, which has never been hard, is getting easier all the time.
Want evidence? Look at the Internet itself.
It wasn't long ago that virus writers gathered in small electronic
communities that amounted to nothing more than individual computers
connected to the outside world by a few phone lines.
Communications about their illegal activity had to be confidential, so
expertise spread slowly.
But now anyone can post anything to the Internet. Add a few search engines
to the mix, and there you have it.
"Viruses have gotten easier to write because there are more examples to use
and there's more literature about how to write them," says Dave Farber,
professor of computer science at the University of Pennsylvania and
Chief Technologist at the Federal Communications Commission.
Statistics from the government-funded Computer Emergency Response Team at
Carnegie Mellon University tell the tale. Reported incidents of computer
vandalism have grown dramatically from 1990, when there were only 252, to
9,859 incidents in 1999. The first quarter of this year alone saw 4,266
Automated hacking tools that require essentially no programming skills have
accounted for much of the growth.
Indeed, the Internet has become in some ways its worst enemy by offering a
wide variety of tips on system cracking. At the same time, teaching computer
security techniques means explaining how the attacks are done in the first
place. So even if someone tried to censor information about virus writing,
the effort would be pointless, experts say.