Information Security News mailing list archives

Love Bug Prompts Security Experts To Poke at Microsoft's Weak Points


From: William Knowles <wk () C4I ORG>
Date: Wed, 24 May 2000 13:01:29 -0500

Forwarded by: Marjorie Simmons <lawyer () usit net>

http://interactive.wsj.com/dailyedition/
Love Bug Prompts Security Experts To Poke at Microsoft's Weak Points
Lee Gomes, Staff Reporter
of THE WALL STREET JOURNAL Wed, May 24, 2000

Want the whole world to know the "secret" name you gave your Windows
personal computer when you installed software for high-speed Internet
access? It's easy: Just hook it up to your digital subscriber line or
cable modem. Whether you realize it or not, you'll instantly be making
the information available everywhere on the Net -- and giving the
world an unwelcome peek inside your machine.

That's just one of the security weaknesses that exist in Microsoft
Corp.'s software products -- and one of the reasons that security
experts say the world's leading software company still has a way to go
in making its products less vulnerable to hackers and other
malefactors.

The world-wide attack of the "love bug" computer virus on May 4, and
last week's less widespread replay, called attention to security
problems in Outlook, Microsoft's e-mail program. The outbreaks
highlighted the way Outlook can launch potentially dangerous software
programs and spread them to the hundreds or thousands of other e-mail
addresses in a computer's electronic address book -- with just a
single click of a mouse. In the case of the love bug, all it took was
the simple act of opening an e-mail attachment.

Microsoft has taken steps to make Outlook more secure, but many
security experts say the fact that the ubiquitous e-mail system was so
vulnerable is evidence of fundamental flaws in many Microsoft
products. For example, the powerful programming languages Microsoft
includes with its Windows products lack "fences" that keep out
destructive pieces of computer code and prevent them from hurting a
machine. Such fences are a standard feature in other computer
languages intended to be passed around on the Internet.  Microsoft's
consumer-oriented operating systems, such as Windows 98, also lack
security provisions that experts say ought to be routine in a major
piece of software.

None of these shortcomings alone are showstopper "bugs" that could
instantly bring down a computer. Instead, they are what experts
describe as flawed approaches to software design that can lead to big
problems down the road -- the way the flawed design of Outlook led to
the global love-bug emergency.

But the flaws are there to see for anyone looking for them. And with
Microsoft software in such wide use, the stakes are high indeed: A
single security flaw in a Microsoft program has the potential to bring
organizations all around the world to their knees.

Microsoft is well aware of the problems. The recent love-bug attack
marked "a watershed" for the company, says Steve Lipner, manager of
Microsoft's security response center, who helps plan the company's
security policies.  He says Microsoft has worked hard to keep up with
users' evolving security needs.

"We are constantly looking at what we can do, and what the threats
are.  It's not a static environment," Mr. Lipner says. A few years
back, for example, following reports of destructive "macro" programs
hidden inside Microsoft Word documents, the company introduced
security features that made Word more selective about which programs
it would run.

What's more, Microsoft is now changing its basic software-design
philosophy to emphasize security, whereas in the past it had
emphasized having its products work together easily. For example, when
questions were first raised about Outlook following the love bug,
Microsoft executives strongly defended the program's ability to allow
e-mail files to launch programs.  Lately, however, the company says it
is toying with removing the ability altogether.

Of course, no software has a monopoly on security problems, and
Microsoft's sheer size makes it a magnet for criticism. But experts
say Microsoft hasn't moved fast enough to adapt to security threats in
the Internet age.

Too many Microsoft products were designed for the long-gone world of
the stand-alone PC, where very little can go wrong, critics say.

"Microsoft often takes shortcuts in security in the name of coming out
with a product," said Gene Schultz, who teaches computer science at
Purdue University and who has written books on Microsoft security
questions. "I don't like to simply bash Microsoft, but the fact is,
they are a desktop software company, and they don't have the years of
experience needed to develop a product high in security."

Another complaint: The company often ships its products with settings
at their least secure positions. While it's possible to tighten those
settings, doing so often requires knowledge that novice users don't
have.

For example, before Windows users can sign up for high-speed Internet
connections, such as DSL or cable modems, they must name their
computer and the "work group" it belongs to. The information isn't
meant to be public, but Windows will, without telling users, make the
names available to all comers over the Internet. Steve Gibson, an
Irvine, Calif., security consultant, says that while the data alone
wouldn't give someone direct access to files, it might give a hacker
valuable clues to breaching the security of a machine or a network.

What's more, many versions of Windows will keep certain internal
access points on a computer, called "ports," open over the Internet --
another way potentially dangerous information could be revealed. It's
possible to change all those settings to make everything secure, Mr.
Gibson says, but it can be a complicated process. His Web site,
http://www.grc.com, tells people how.

Microsoft's Mr. Lipner said security concerns related to high-speed
Internet access are "under review." He said the company plans to
unveil its own Web site to tell people about changing the settings.

Among the other concerns:

Languages: Microsoft makes several powerful computer programming
languages available with its products, including Visual Basic and
ActiveX components. Most of them can be easily passed over the
Internet. The problem, experts say, is that these languages don't let
users change security levels. That means that once a program is inside
a computer, it has full power to do anything it wants, even deleting
all the files on the hard drive.

Microsoft does provide the means to identify the author of a program
and to guarantee that a program hasn't been tampered with as it made
its way to a user's PC. But critics say the measures aren't enough.
Mr. Lipner said Microsoft is examining the issue.

Operating systems: Microsoft's high-end business operating systems, Windows
NT and 2000, allow users to change security settings when they sign on
to determine how much control they will have during a session at the
machine. Sophisticated users spend most of their time signed on at
the most restrictive level: That way, should they happen to download a
virus, it couldn't, for example, delete crucial system files even if
it tried.

But there is no such feature in the consumer products Windows 95 or
Windows 98, and there won't be in the next version, either. Mr. Lipner
said that Microsoft plans to bring the higher security level to
consumer products two releases down the road, though the date for that
version hasn't been set.

Write to Lee Gomes at lee.gomes () wsj com

ISN is sponsored by SecurityFocus.com