SCN: Security
Steve
steve at advocate.net
Wed May 10 15:17:34 PDT 2000
========================
by James Gleick (excerpts)
(Slate)---The ILOVEYOU virus propagated by means of security flaws
created by Microsoft software engineers. No one running MacOS or
Unix could have spread this virus or any virus like it.
Microsoft's public comment has run: "There's always the potential
for misuse. More important than the technical side of this is the
human side. It's not something technology is ever going to be able
to solve."
It's a cliche that technology is value-neutral - a cliche employed in
the service of a variety of causes. There's always some truth to the
idea. But we're allowed to notice when particular technologies are
especially dangerous. Some technologies actively invite misuse.
So here's what the ILOVEYOU virus did, and here's why it shouldn't
have been able to:
It looked up some settings in the registry, Windows' core database
of system settings, and then it changed those settings. For example,
by default, scripts are given only 10 seconds to do whatever they
do. So this script began by looking up this "timeout" feature and
turning it off. Oops! Scripts shouldn't be allowed to override settings
that control those same scripts. Then it changed some more registry
settings, with statements like (one) which instructs the system to run
a new script every time it starts up. Scripts shouldn't be allowed to
alter anything in the registry - not without direct approval from a
system administrator and especially not from inside an e-mail
message. Microsoft knows this, in principle. But it chose to leave
the door open.
Then the script changed the start page of the (Microsoft) Web
browser. In fact, it pointed the browser not at a Web site but at an
executable file. It would be safer to require user intervention before
changing the browser's start page. But Microsoft wanted to make it
easy for companies like, oh, Microsoft, to change your start page for
you.
In a subroutine cunningly titled "sub infectfiles," the virus copied
itself to files all over the user's hard disk, deleting some files and
sneakily renaming others. Now, this is suspicious and dangerous
behavior. An operating system has to support the deletion and
renaming and alteration of files, but it doesn't have to give this
capability to scripts - little programs run from inside e-mail
messages or through the Web browser. These powerful abilities
came with the Windows Scripting Host, not a part of Windows 95,
but added to later systems, including any that got Internet Explorer
Version 5.
Maybe the ILOVEYOU author read Microsoft TechNet's article on
"Leveraging the Power of the Windows Scripting Host." "The script
we've demonstrated may be the foundation for a greater task," it
concludes cheerfully. "Once you've located a file, you may wish to
perform a file copy or an FTP process."
Finally, as we all now know, the virus performed a mass mailing of
itself to everyone in the user's Outlook address book. Cute, and
sometimes Microsoft customers do need to send mass mailings, but
they don't need to be able to do it with scripts running from inside
e-mail messages. Not ever. Close that door.
In recent years, Microsoft's designers have deliberately blurred the
distinction between opening some data and running a program. You
can run Word indirectly, just by clicking on any Word document
ending with .doc. The virus executed the Windows Scripting Host
because it ended with the extension .vbs.
Which leads to one more lovely detail. Most of us rarely see those
file extensions because the operating system hides them by default.
The ILOVEYOU virus exploited this by adding an extra fake
extension to its name: "LOVE-LETTER-FOR-YOU.TXT.vbs." We
users saw only the innocent-looking "LOVE-LETTER-FOR-YOU.TXT."
The final hidden .vbs was the trigger.
Thus Windows gave us the worst of both worlds: It was smart
enough to display and yet disregard the .TXT that would have
started a harmless text editor. It was smart enough to conceal and
yet execute the .vbs. Microsoft should have been smart enough to
take an obvious precaution in the first place: Prevent the creation of
file names with double extensions. That kind of file name is a sure
tip-off that someone is up to no good.
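As an added example (not part of the forwarded article), here is a defender-side check a mail gateway or a user could run over attachment names to catch the double-extension trick described above; the extension lists and the sample names are assumptions constructed for this example.

```python
import os

# Extensions Windows runs directly or hands to the Windows Scripting Host.
# Assumed, illustrative list for this example; not exhaustive.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif",
                         "vbs", "vbe", "js", "jse", "wsf", "wsh"}

# Extensions that look like passive data and so make a convincing decoy.
DECOY_EXTENSIONS = {"txt", "jpg", "jpeg", "gif", "doc", "pdf", "htm", "html"}


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it with 'hide extensions for known file types'
    on: only the final extension is stripped, so a decoy extension survives."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename: str) -> dict:
    """Classify an attachment name.
    executable - final extension runs code when double-clicked
    masquerade - an executable extension sits behind a decoy data extension
    displayed  - what a user with hidden extensions would actually see"""
    parts = filename.lower().split(".")
    final = parts[-1] if len(parts) > 1 else ""
    decoy = parts[-2] if len(parts) > 2 else ""
    executable = final in EXECUTABLE_EXTENSIONS
    masquerade = executable and decoy in DECOY_EXTENSIONS
    return {"executable": executable,
            "masquerade": masquerade,
            "displayed": displayed_name(filename)}


if __name__ == "__main__":
    # Constructed sample names, including the one quoted in the article.
    for name in ["LOVE-LETTER-FOR-YOU.TXT.vbs", "kids.jpg", "setup.exe"]:
        print(name, classify_attachment(name))
```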
Even after the fact, Microsoft continues to take a "Close the Barn
Door" approach to security. It recommends with a straight face that
users now delete all e-mail messages with the subject ILOVEYOU.
It's important to note that the virus payload cannot run by itself. In
order for it to run, the recipient must open the mail, launch the
payload by double-clicking on it, and answer "yes" to a dialogue that
warns of the dangers of running untrusted programs.
Sure enough, the warning is explicit and prophetic. To activate the
virus, at least some people had to ignore it. And sure enough,
people ignored it all over the world. They ignored it inside Microsoft
headquarters - we know this because the company mail servers
were shut down intermittently over a two-day period and because
some copies of the virus were inadvertently dispatched onward to
the outside world.
How could people be so stupid? Simple. We've seen these fine-print
warnings thousands of times. We've had to learn to click on past
them. We've seen them whenever we display e-mailed pictures from
our friends. The warning says to "be certain that this file is from a
trustworthy source" - none too helpful when our trustworthy sources
are being tricked into mailing us the virus. But the wording hardly
matters; we no more read these warnings than we read the
click-through agreements crafted by company legal departments.
The trouble is, Microsoft applies the same warning to the passive
display of content and to active scripts allowed to delete files, alter
the Windows registry, and send mass e-mail.
The ILOVEYOU vandal showed a sophisticated understanding of
vertical integration, a fact of life in the Microsoft universe that the
Department of Justice, too, has been zeroing in on. Many different
pieces of the Microsoft jigsaw puzzle are now platforms for
executing programs: the browser, the word processor, the
spreadsheet, the e-mail client. They all work together, and they each
perform the functions of an operating system.
That can be really useful. It's also dangerous. So it's time for
Microsoft to make some crucial distinctions. It's one thing to display
data passively: present text, play music, show pictures. It's another
to grant active access to the file system: delete data, alter program
settings. A good, modern e-mail program needs to be able to display
all kinds of stuff. But there must be limits.
As a matter of cultural style, it's odd that Microsoft has earned
notoriety for laxness about computer security. The company is such
a control freak, after all, in other domains.
It may be in part because Microsoft itself likes to be able to do
things to our computers from a distance. If you spend any time at
MSN or Microsoft.com - even at Slate - you've noticed that you are
often given a chance to "install and run" some ActiveX control or
other, and you are invited to check a box that says, "Always trust
content from Microsoft Corporation." These ActiveX controls can do
anything, where Java, by contrast, was designed not to have
unbridled access to the file system.
Last year Microsoft got caught placing secret unique identifiers in
Office documents and collecting associated hardware identifiers
from across the Internet. Soon all Office users will be required to
register their software, in the name of copy protection, and allow
Microsoft to check remotely on where the software has been
installed. The company has just patented a technique for installing
software upgrades over the Internet, after consulting settings in the
registry. All this middleware, all this powerful scripting, helps
Microsoft check up on its users. Maybe that's why the company
doesn't feel any great urgency about having us batten down the
hatches.
I got my own copy of ILOVEYOU from a trusted friend, an Episcopal
priest who often e-mails me pictures of his kids. By then I'd heard
the news, so I carefully opened it for viewing. I'd like to say I was
smart enough not to run the thing first, but the truth is just that I was
lucky enough.
Copyright 2000 Microsoft and/or its suppliers