SCN: Security

Steve steve at advocate.net
Wed May 10 15:17:34 PDT 2000



========================

by James Gleick (excerpts)

(Slate)---The ILOVEYOU virus propagated by means of security flaws 
created by Microsoft software engineers. No one running MacOS or 
Unix could have spread this virus or any virus like it.  

Microsoft's public comment has run: "There's always the potential 
for misuse. More important than the technical side of this is the 
human side. It's not something technology is ever going to be able 
to solve." 

It's a cliche that technology is value-neutral - a cliche employed in 
the service of a variety of causes. There's always some truth to the 
idea. But we're allowed to notice when particular technologies are 
especially dangerous. Some technologies actively invite misuse.  

So here's what the ILOVEYOU virus did, and here's why it shouldn't 
have been able to:  

It looked up some settings in the registry, Windows' core database 
of system settings, and then it changed those settings. For example, 
by default, scripts are given only 10 seconds to do whatever they 
do. So this script began by looking up this "timeout" feature and 
turning it off. Oops! Scripts shouldn't be allowed to override settings 
that control those same scripts. Then it changed some more registry 
settings, with statements like (one) which instructs the system to run 
a new script every time it starts up. Scripts shouldn't be allowed to 
alter anything in the registry - not without direct approval from a 
system administrator and especially not from inside an e-mail 
message. Microsoft knows this, in principle. But it chose to leave 
the door open.  

Then the script changed the start page of the (Microsoft) Web 
browser. In fact, it pointed the browser not at a Web site but at an 
executable file. It would be safer to require user intervention before 
changing the browser's start page. But Microsoft wanted to make it 
easy for companies like, oh, Microsoft, to change your start page for 
you.

In a subroutine cunningly titled "sub infectfiles," the virus copied 
itself to files all over the user's hard disk, deleting some files and 
sneakily renaming others. Now, this is suspicious and dangerous 
behavior. An operating system has to support the deletion and 
renaming and alteration of files, but it doesn't have to give this 
capability to scripts - little programs run from inside e-mail 
messages or through the Web browser. These powerful abilities 
came with the Windows Scripting Host, not a part of Windows 95, 
but added to later systems, including any that got Internet Explorer 
Version 5.

Maybe the ILOVEYOU author read Microsoft TechNet's article on 
"Leveraging the Power of the Windows Scripting Host." "The script 
we've demonstrated may be the foundation for a greater task," it 
concludes cheerfully. "Once you've located a file, you may wish to 
perform a file copy or an FTP process."

Finally, as we all now know, the virus performed a mass mailing of 
itself to everyone in the user's Outlook address book. Cute, and 
sometimes Microsoft customers do need to send mass mailings, but 
they don't need to be able to do it with scripts running from inside e-
mail messages. Not ever. Close that door.   

In recent years, Microsoft's designers have deliberately blurred the 
distinction between opening some data and running a program. You 
can run Word indirectly, just by clicking on any Word document  
ending with .doc. The virus executed the Windows Scripting Host 
because it ended with the extension .vbs.  

Which leads to one more lovely detail. Most of us rarely see those 
file extensions because the operating system hides them by default. 
The ILOVEYOU virus exploited this by adding an extra fake 
extension to its name: "LOVE-LETTER-FOR-YOU.TXT.vbs." We 
users saw only the innocent-looking "LOVE-LETTER-FOR-YOU.TXT." 
The final hidden .vbs was the trigger.  

Thus Windows gave us the worst of both worlds: It was smart 
enough to display and yet disregard the .TXT that would have 
started a harmless text editor. It was smart enough to conceal and 
yet execute the .vbs. Microsoft should have been smart enough to 
take an obvious precaution in the first place: Prevent the creation of 
file names with double extensions. That kind of file name is a sure 
tip-off that someone is up to no good.  

Even after the fact, Microsoft continues to take a "Close the Barn 
Door" approach to security. It recommends with a straight face that 
users now delete all e-mail messages with the subject ILOVEYOU.

It's important to note that the virus payload cannot run by itself. In 
order for it to run, the recipient must open the mail, launch the 
payload by double-clicking on it, and answer "yes" to a dialogue that 
warns of the dangers of running untrusted programs.  

Sure enough, the warning is explicit and prophetic. To activate the 
virus, at least some people had to ignore it. And sure enough, 
people ignored it all over the world. They ignored it inside Microsoft 
headquarters - we know this because the company mail servers 
were shut down intermittently over a two-day period and because 
some copies of the virus were inadvertently dispatched onward to 
the outside world.  

How could people be so stupid? Simple. We've seen these fine-print 
warnings thousands of times. We've had to learn to click on past 
them. We've seen them whenever we display e-mailed pictures from 
our friends. The warning says to "be certain that this file is from a 
trustworthy source" - none too helpful when our trustworthy sources 
are being tricked into mailing us the virus. But the wording hardly 
matters; we no more read these warnings than we read the click-
through agreements crafted by company legal departments.  

The trouble is, Microsoft applies the same warning to the passive 
display of content and to active scripts allowed to delete files, alter 
the Windows registry, and send mass e-mail.  

The ILOVEYOU vandal showed a sophisticated understanding of 
vertical integration, a fact of life in the Microsoft universe that the 
Department of Justice, too, has been zeroing in on. Many different 
pieces of the Microsoft jigsaw puzzle are now platforms for 
executing programs: the browser, the word processor, the 
spreadsheet, the e-mail client. They all work together, and they each 
perform the functions of an operating system. 

That can be really useful. It's also dangerous. So it's time for 
Microsoft to make some crucial distinctions. It's one thing to display 
data passively: present text, play music, show pictures. It's another 
to grant active access to the file system: delete data, alter program 
settings. A good, modern e-mail program needs to be able to display 
all kinds of stuff. But there must be limits.  

As a matter of cultural style, it's odd that Microsoft has earned 
notoriety for laxness about computer security. The company is such 
a control freak, after all, in other domains. 

It may be in part because Microsoft itself likes to be able to do 
things to our computers from a distance. If you spend any time at 
MSN or Microsoft.com—even at Slate—you've noticed that you are 
often given a chance to "install and run" some ActiveX control or 
other, and you are invited to check a box that says, "Always trust 
content from Microsoft Corporation." These ActiveX controls can do 
anything, where Java, by contrast, was designed not to have 
unbridled access to the file system. 

Last year Microsoft got caught placing secret unique identifiers in 
Office documents and collecting associated hardware identifiers 
from across the Internet. Soon all Office users will be required to 
register their software, in the name of copy protection, and allow 
Microsoft to check remotely on where the software has been 
installed. The company has just patented a technique for installing 
software upgrades over the Internet, after consulting settings in the 
registry. All this middleware, all this powerful scripting, helps 
Microsoft check up on its users. Maybe that's why the company 
doesn't feel any great urgency about having us batten down the 
hatches.  

I got my own copy of ILOVEYOU from a trusted friend, an Episcopal 
priest who often e-mails me pictures of his kids. By then I'd heard 
the news, so I carefully opened it for viewing. I'd like to say I was 
smart enough not to run the thing first, but the truth is just that I was 
lucky enough.

Copyright 2000 Microsoft and/or its suppliers
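
Added example, not part of the original post or the Slate article: a mail-gateway style check for the double-extension naming described above, flagging attachments whose hidden final extension is a script or program type while the visible one looks like passive content. The extension lists, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, partial lists: types Windows runs vs. types users read as passive data.
ACTIVE = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".exe", ".scr", ".bat", ".cmd", ".pif"}
PASSIVE = {".txt", ".doc", ".jpg", ".gif", ".htm", ".html"}

def split_name(filename):
    """Return (base name, normalized extensions); drops any path and trailing dots/spaces."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    return base, ["." + p.strip().lower() for p in base.split(".")[1:]]

def displayed_name(filename):
    """What the shell shows when extensions of known types are hidden."""
    base, exts = split_name(filename)
    return base.rsplit(".", 1)[0].rstrip() if exts else base

def is_deceptive(filename):
    """Hidden final extension is active while the visible one looks passive."""
    _, exts = split_name(filename)
    return len(exts) >= 2 and exts[-1] in ACTIVE and exts[-2] in PASSIVE

def scan_message(raw_bytes):
    """List (real name, displayed name) for each deceptive attachment."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and is_deceptive(name):
            hits.append((name, displayed_name(name)))
    return hits

def build_sample():
    """Constructed sample message: placeholder bytes, no real payload."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "ILOVEYOU", "friend@example.org", "me@example.org"
    m.set_content("constructed sample body")
    for fname in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "kids.jpg"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for real, shown in scan_message(build_sample()):
        print(f"quarantine: user sees {shown!r}, system runs {real!r}")
```

The check normalizes padding spaces and trailing dots before comparing, since a name padded that way displays the same as the plain double extension.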




