Microsoft to Blame for 'Love Bug'?

[William Knowles <wk () C4I ORG>]

http://www.thestandard.com/article/display/0,1151,15019,00.html

Microsoft to Blame for 'Love Bug'?

Security experts say automation features in Windows make it a
potential breeding ground for viruses.

By Elinor Abreu

Who is to blame for the "Love Bug" virus and its 25 or so nasty
variants that ripped through an estimated 600,000 computers and caused
computer-system shutdowns at corporations and government offices
worldwide? As law enforcement authorities homed in on a cadre of
technical-college students inManila, Philippines, security experts
pointed out that Microsoft's operating system creates an environment
that is vulnerable, if not virus-friendly.

The "Love Bug" took advantage of a feature in Windows called Windows
Scripting Host, which allows users to automate routine tasks. The
virus' author created a Visual Basic script that was directed to send
itself to all recipients in a user's Microsoft Outlook address book
and then delete image files and hide audio files.

The Scripting Host is not the only Windows feature that invites
hackers. Other flaws include Outlook's automation feature, which
allows external programs to command the application remotely. Security
experts say such features should be disabled by default.

"The bottom line is that very few people need [the Scripting Host],
and yet it's turned on by default," says Richard M. Smith, a security
expert and Internet consultant based in Brookline, Mass. "Windows
Scripting Host [is] almost like the Virus Scripting Host."

Microsoft's tight integration of its operating system with all
applications the Windows hallmark cited in the guilty verdict in the
software giant's antitrust trial also makes it vulnerable. Other
platforms integrate and use active content far less than Microsoft.

A self-proclaimed California-based hacker who calls himself "Bronco
Buster," writing in the online magazine Synthesis, says the Love Bug
"couldn't affect MacOS or any kind of Unix system. Because
[Microsoft's] applications are so closely tied with their operating
system, their applications tell the operating system what needs to be
done, and the operating system fires up the program to get it done,
all without you knowing it."

"It's much harder to make this same thing work in Unix because Unix
doesn't work this way." says Bruce Schneier, chief technology officer
at Counterpane Internet Security, a network-monitoring service
provider in San Jose, Calif. "From a security point of view, this is a
disaster."

"Microsoft is focused on the simplicity aspect, and I can understand
why," says Steven Bellovin, network security researcher at AT&T Labs,
"but they've done it at a serious cost in safety."

Security flaws in Windows have long been known in the
software-developer and hacker communities. Technology writer James
Gleick, author of Faster: The Acceleration of Just About Everything,
pointed out these flaws in a recent column in Slate.

The company's traditional response is that security is a trade-off
between users' competing desires for both automation and absolute
protection, and that pop-up dialogue boxes provide warnings of
potentially dangerous attachments.

Critics like Schneier scoff at that defense. "Giving users
functionality is b*llshit because users never said, 'We want more
viruses.' They might have said they want more features that Microsoft
[then] implemented in a way that allowed this."

Microsoft's primary goal shipping products interferes with its
security obligations, Schneier contends. "It's in Microsoft's interest
to make products as insecure as they can get away with," he says.
"They have no liability. They'll just do damage control."

Microsoft could fix the problems by turning off defaults for certain
features that pose security risks and by requiring script writers to
"sign" their work digitally. The latter is a requirement already built
into macros, but it is one that virus writers avoid for obvious
reasons.

Meanwhile, the new "Kak" e-mail virus has emerged, able to spread even
if a recipient doesn't open its attachment. Kak affects users of
Internet Explorer 5.0 and Office 2000, and it works with Outlook and
other e-mail programs that recognize HTML. It doesn't damage files
like the Love Bug virus does, but a destructive version of it is
almost certainly coming to a computer near you.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".