Interesting People mailing list archives
IP: USATODAY.com: Windows too open to viruses, experts say
From: Dave Farber <farber () cis upenn edu>
Date: Tue, 23 May 2000 14:59:09 -0700
http://www.usatoday.com/life/cyber/tech/cth950.htm

05/23/00- Updated 03:51 PM ET

Microsoft programs vulnerable to viruses

By Will Rodger, USATODAY.com

More than 45,000 viruses infect PCs running the Windows operating system worldwide. Several have caused billions of dollars in damage in the past 12 months. Hundreds more viruses appear each year, requiring armies of anti-virus programmers to isolate and kill the offending bugs.

By contrast, perhaps 35 viruses have been written for the Macintosh and four or five for the Unix-based computers that run most Web sites, says Eugene Spafford, director of the Center for Education and Research in Information Assurance and Security lab at Purdue University.

This, a growing chorus of security experts say, is not happenstance.

"PC operating systems have inadequate security," says Peter Neumann, principal scientist at SRI International in Menlo Park, Calif. "Attachments and executable content are features that should not exist if you are worried about security. Period."

For even though Microsoft has produced the world's most popular operating system, its ease of use and the staggering number of features integrated into Windows and the Office applications has left the world's dominant computing platform uniquely vulnerable to a plague of troubles.

Not Net viruses; Microsoft viruses

Put simply, the last two big viruses were not Internet viruses. They, like virtually every virus that has made headlines in the last 10 years, were Windows viruses.

Steve Lipner, manager of Microsoft's security response center, says the criticism is unfair: "That goes to what Willie Sutton said: The answer is, that's where the money is. The reason people write viruses for Microsoft Windows is there are lots of Microsoft machines out there, and that improves the chances for propagation."

But that's precisely the point, critics say.

Security specialists, drawing ever more on the language of epidemiology, have long warned that as networks expand and become more vital to everyday life, they become ever more vulnerable. Now, viruses face not just high-density populations but would-be victims that share the same weaknesses. Like the flu and the smallpox that killed 90% of the Aztecs or the blight that brought on the Irish potato famine, a single malady can ravage almost everyone's PC because they all have the same genetic makeup: Windows.

As Windows grows in size - a typical Windows 98 installation can run anywhere from 120 MB to 295 MB vs. just 40 MB five years ago - the burden of checking code for errors grows even faster, Spafford says.

But beyond that, he says, is another, more difficult truth: Windows and Microsoft's equally dominant Office Suite were designed neither for the Internet nor secure operation generally. Instead of forcing the operator to stop and check every new program that hits his hard drive, Windows offers the ability to automatically run any "script" or Internet-borne program without user intervention. And viruses are programs, after all.

Windows usually hides telltale ".vbs" tag

Security consultant Rick Forno (www.infowarrior.org) says Microsoft's now-infamous "visual basic scripting" is emblematic of the problem. VBS, in fact, can launch hidden programs without so much as notifying users they are there.

The "love bug" virus that hit May 4 was such a program. Because Windows usually hides the final ".vbs" tag attached to the end of visual basic programs, most victims thought what they got was a simple text attachment - a love letter, in fact. As it turned out, the virus erased millions of graphics and sound files worldwide and stole an untold number of passwords from Filipino Internet accounts before authorities shut down the Web site to which the passwords were being e-mailed.

The virus spread at record rates, thanks to the bug's tactic of sending copies of itself to every address in every copy of Microsoft's Outlook e-mail program - again made possible by VBS technology.

That same mechanism showed up again Friday as the "new love" virus struck in much the same fashion. This time, though, the virus destroyed virtually every file on infected computers. A bug in the program, ironically, stopped the virus from spreading very far.

Microsoft has promised a patch to "turn off" the VBS problem in Outlook sometime this week. Yet at least a half-dozen major viruses have duplicated themselves through Microsoft's Outlook over the past 18 months, Forno says. The infamous Melissa virus, Explore.zip, VBS/Bubbleboy and X97M/Papa viruses all used the Outlook address book to spread themselves.

Other operating systems don't work this way

Other programs on other operating systems could not behave this way, Forno says, because applications written for other operating systems - e-mail programs, word processors and the like - do not reach down into the deepest levels of the operating system to function.

And true, Forno says, programs like Outlook and Microsoft Word work smoothly together in part because they share files that are also part of Windows. But that close connection to the operating system also let "new love" destroy those same system files, in effect destroying every file on the targeted computer's hard drive.

The "love bug" and its progeny couldn't procreate so quickly on a Unix system, Purdue's Spafford says. For even though security specialists and computer vandals regularly find holes in Unix operating systems, they have one real strength that keeps them essentially virus-free: programs don't simply run of their own accord. Rather than clicking on an icon and waiting for a new program to set itself up, Unix users must go through a deliberate, sometimes tricky task of tweaking a software package so that a computer can actually run it.

Is it as easy as Windows? No way, Spafford says. But that's a small price to pay, he says, when millions are clicking on files they should know better than to click on. Eventually, he says, all users will come to realize that ease of use and total security are at polar extremes of the same continuum. What you gain in one you usually will lose in the other.

Fred Cohen, a security specialist who performed the first research on computer viruses, says Microsoft may be only the largest of a group of offenders. After all, he says, one could write a version of Microsoft's Office for Unix that would cause much the same sort of trouble. And Netscape's Internet browser and mail program is not only highly popular among Unix users but also quite insecure from a security specialist's point of view.

"Go ahead and take a swipe at Microsoft," Cohen says. "They deserve it. But if 90% of the world was running Unix and everybody was running Netscape on it, we would have the same kinds of problems on Unix."

Specialists say the lure of the quick and easy remains powerful.

"There are a lot of businesses that really like that close integration," says Pete Hammes, director of engineering at Para-Protect Services in Alexandria, Va. "It makes it a lot easier for users that don't have a lot of technical sophistication."

German government considers dropping Outlook

It is anyone's guess how long the love affair with simplicity will last. The German government said Friday that it was considering dumping Outlook altogether in the wake of the latest virus outbreak.

"I think a really big issue is just design and quality," Spafford says. "Other operating systems have been designed with security at the forefront."

As dim a view as he takes of Microsoft's work, Spafford concedes there is at least one factor over which Microsoft has no control: time. "Windows is relatively a much newer operating system than is the Macintosh or Unix, which don't have these sorts of problems," he says. "Part of it may be just maturity."

For now, Lipner says, the company is working to improve its security practices while giving customers what they want. With its promised "patch" for its Outlook program in place, Lipner says, users will have to take extra steps to send or receive attachments that work. Those extra steps, he says, should give users fair warning before they blindly click on attachments.

"It's not going to be the casual thing it is now," he says.

Regardless of what it does in the future, Microsoft can be thankful that damage from the viruses hasn't been more widespread.

At a gathering at the Economic Strategy Institute in Washington, D.C., last week, former CIA director R. James Woolsey said that he expected terrorists and spies would soon use password-sniffing techniques similar to those deployed by the "love bug." This time, though, the rogue programs would be aimed at specific computers, he said. And they would not announce themselves the way the latest ones did.

"If you've had your computer or network hacked into or somebody's put a (virus) on your system and is reading out your files before the data is encrypted, you've got a serious problem," he said.

--------------------------

05/22/00- Updated 03:30 PM ET

http://www.usatoday.com/life/cyber/tech/cth951.htm

Net has made virus writing easier

By Will Rodger, USATODAY.com

Virus writing, which has never been hard, is getting easier all the time.

Want evidence? Look at the Internet itself.

It wasn't long ago that virus writers gathered in small electronic communities that amounted to nothing more than individual computers connected to the outside world by a few phone lines. Communications about their illegal activity had to be confidential, so expertise spread slowly.

But now anyone can post anything to the Internet. Add a few search engines to the mix, and there you have it.

"Viruses have gotten easier to write because there are more examples to use and there's more literature about how to write them," says Dave Farber, professor of computer science at the University of Pennsylvania and Chief Technologist at the Federal Communications Commission.

Statistics from the government-funded Computer Emergency Response Team at Carnegie Mellon University tell the tale. Reported incidents of computer vandalism have grown dramatically from 1990, when there were only 252, to 9,859 incidents in 1999. The first quarter of this year alone saw 4,266 incidents.

Automated hacking tools that require essentially no programming skills have accounted for much of the growth. Indeed, the Internet has become in some ways its worst enemy by offering a wide variety of tips on system cracking.

At the same time, teaching computer security techniques means explaining how the attacks are done in the first place. So even if someone tried to censor information about virus writing, the effort would be pointless, experts say.