Information Security News mailing list archives
Re: Microsoft to Blame for 'Love Bug'?
From: Bronc Buster <bronc () ATTRITION ORG>
Date: Fri, 12 May 2000 16:59:32 -0600
I think the main focus of the problem is that Microsoft attempts to make things TOO convenient for users. At least if someone attached an .EXE file and you had some kind of virus scanner you might stand a chance of catching it. With Outlook, and other MS Office products, a lot of things go on behind the scenes a user never knows about. Look at macros in Word docs, as well as VB scripts embedded in other files. Would it be that hard for someone to at least make a pop up box to tell the user what is about to happen and that there is some kind of embedded code, or that they are running a script, and not a .TXT file (which ILOVEYOU.TXT appeared to be since Windows hides the file extension) like they think they are?

How long have these problems existed and how many times will it have to happen before someone at least makes an attempt to put on the brakes? After Melissa and the $5 Million (?) price tag on it, and now with ILOVEYOU and the $8 Billion (?) price tag, what else will it take for MS to take some kind of action? Maybe even a built in script/virus checker included in the Office suite and Outlook - something - ANYTHING!

Just because you shouldn't do something doesn't mean people won't do it. Just because people shouldn't abuse attachments and scripts is no reason not to have some kind of security measures to ensure people don't.

regards,
Bronc Buster

On Fri, 12 May 2000, Barry H Gill wrote:
The Dodger Wrote:

I was under the impression that Outlook 2000 automatically ran the ILOVEYOU VBScript attachment when it previewed the mail (i.e. as it does automatically in the preview pane). In other words, the user didn't have to open the attachment.

Fortunately, I can't be certain of this, because my company hasn't had any problems with ILOVEYOU, so perhaps someone else could confirm/deny this?

I run Office 2000 unfortunately and am sad to see people defending such a flagrant disregard on the part of Microsoft when we all discuss these issues. Outlook, Outlook 98 and Outlook 2000 have a feature called the Preview Pane. Any embedded scripts, .vbs, .hta etc will BY DEFAULT be run automatically when a message is previewed. To disable this feature is extremely simple but has to be done once Internet Explorer 5 (another great web disaster) has been installed as it installs a Windows Scripting Host which is enabled by default. For what? So that users can have a look at some pretty embedded MS features when browsing smut?

The worm poses a risk to users that have Windows Scripting Host (including Win '98 users, users who have installed IE 5.x in default mode, users who have installed WSH specifically, and probably users of Windows 2000).

So ja, it becomes a big question of who is fooling who. Do we ALWAYS have to spend the extra dollars purchasing Firewalls with E-Mail virus and malicious script scanners? How much faith do we put in the vendors that create the perpetual loop of resource wasting while there are so many different beneficial things we could utilise our resources on? I for one would be most grateful if I could nuke my notebook but as it is Corporate Property and has to conform to the requirements of the Company, I will continue to use what I have to and run my own private boxes as I see fit.
Getting the Great Microsoft Marketing Machine to accept any responsibility for its shortsighted irresponsibility (look at the security loopholes in Windows 2000 Professional, a desktop designed not for home use but for corporate work environments) is going to be an impossibly long and drawn out task with the embattled few fighting against millions. The only way out of it all is to become a vendor of superior products that assist in closing the potentially harmful holes that MS seem loath to admit exist.

My two cents worth

B
<Ignorance used to be Bliss>

ISN is sponsored by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- Microsoft to Blame for 'Love Bug'? William Knowles (May 12)
- <Possible follow-ups>
- Re: Microsoft to Blame for 'Love Bug'? William Knowles (May 12)
- Re: Microsoft to Blame for 'Love Bug'? Felix von Leitner (May 12)
- Re: Microsoft to Blame for 'Love Bug'? Aj Effin ReznoR (May 12)
- Re: Microsoft to Blame for 'Love Bug'? The Dodger (May 12)
- Re: Microsoft to Blame for 'Love Bug'? Barry H Gill (May 12)
- Re: Microsoft to Blame for 'Love Bug'? Bronc Buster (May 12)
- Re: Microsoft to Blame for 'Love Bug'? Erik Moeller (May 12)
- Re: Microsoft to Blame for 'Love Bug'? Barry H Gill (May 12)
- Re: Microsoft to Blame for 'Love Bug'? Chico (May 12)