I keep reading press accounts describing the latest e-mail virus. E-mail viruses have been infecting Microsoft Windows software for years and I keep expecting that either the security hole will be fixed or the Microsoft user base will rebel. Why do Microsoft users accept this level of risk? This Web page broadly describes the problem. I don't hate Microsoft. In fact I use Windows NT, in addition to UNIX. But I don't have any answers to these questions either. If you are a Windows user and you use a program like Outlook Express, which is susceptible to these viruses, perhaps you can answer the question yourself.
The only secure computer system is one that is locked in a guarded, electromagnetically shielded, room. In fact, this is how the military guards their secure computer systems.
Most computer users would like to send and receive e-mail and read material on the World Wide Web. This would be impossible on a "secure" computer system, so we accept a certain level of risk.
Software designers, especially those designing operating system and networking software, should design their software so that security risks are minimized. Even carefully designed software can be attacked in ways that make a computer system or its network connection unusable, but ideally a successful attack should require a high level of technical sophistication: only someone with a deep understanding of networking technology and software should be able to mount one. Of course the issue is not quite so simple. Some very sophisticated software engineers have written network attack software and released it on the Internet, and this software is then used by unsophisticated "script kiddies" to attack computer networks. But the point remains: computer system software should be designed so that it is resistant to attack.
The e-mail viruses that seem to spread endlessly over the Internet do not attack computer systems in sophisticated ways. They use features designed into Microsoft operating systems and applications without any thought to system security.
In the last few years tens or perhaps hundreds of millions of dollars worth of damage has been done by e-mail viruses. These viruses arrive as attachments to e-mail sent to an e-mail account. When the attachment is opened with an e-mail program like Microsoft's Outlook Express, the virus executes and installs itself on the user's computer. Frequently the virus reads the user's e-mail address book and mails itself to everyone in it, using the identity of the infected user. Some of these viruses then destroy data on the computer or open a network connection that allows the computer to be controlled over the Internet (to launch attacks on other computer systems, for example).
E-mail viruses have never infected any computer system running UNIX or Linux. These viruses make use of a security hole in computer systems running Microsoft Windows operating systems. Although UNIX and Linux systems can be and have been attacked (the 1988 Internet Worm, for example), it takes sophisticated software to attack these operating systems. Few software engineers would label the e-mail viruses that have been used to attack Windows systems as sophisticated.
The ILOVEYOU virus of May 2000 is the first virus I've actually received. According to The Associated Press (reprinted here in Salon), this virus spread from Asia around the world, infecting systems in Europe and the US. For Salon Editor Scott Rosenberg's take on this latest Microsoft Outlook virus see his article Love Bites.
I use an Emacs e-mail reader, which understands MIME (Emacs is an editor for software engineers). The Emacs e-mail reader will decode MIME, but it will not execute attachments (this is an alien idea on UNIX, where whether a file can run is controlled by its execute permission bit, not by its name or by the program that received it). On a UNIX system, this virus had no effect and was totally harmless. As a result, I was able to look at the virus source. It appears to have been written in Visual Basic Script (VBScript). Now that such a virus has spread throughout the world it will serve as a nice model for other people who have way too much time on their hands and want to cook up their own virus to bring down the British House of Commons. It is just pathetic that some teenager who can't get a date can wreak this kind of havoc. This just brings home how primitive our computer systems still are.
The histories of Microsoft Windows and the UNIX operating system have influenced the security of these systems. UNIX was originally developed at AT&T's Bell Labs (now part of Lucent). UNIX was rapidly adopted by universities in the early 1980s. Networked UNIX systems followed in the mid to late 1980s. The academic environment has always been a hostile one for computer systems, since there are very bright students with a lot of time on their hands and breaking into a system confers a certain amount of prestige. Since networked UNIX systems evolved in this environment, their security in the modern World Wide Web world has been good. Computer systems running the UNIX or Linux operating systems make up only a small fraction of the computers in use. Most computer systems run operating system software developed by Microsoft.
The software design philosophy at Microsoft has been influenced by Microsoft's history as well. Microsoft designed operating system software for desktop computer systems. Until Windows NT was developed, there was no built-in support for networking. After the release of Microsoft Windows 3.0, one of the design goals at Microsoft was to make their software work seamlessly together. Microsoft Excel spreadsheets and tables could be embedded in Microsoft Word documents, for example. The link between Microsoft applications was not simply a data link; it allowed application execution. Since Microsoft Windows was a single-user desktop system, there were no security concerns. When Microsoft developed Outlook Express, they built this new program to inter-operate with their applications. This allowed Microsoft Word documents to be sent in e-mail. Opening a Word or PowerPoint attachment would execute the associated application. However, security remained weak, opening the door to the e-mail viruses.
A reasonable argument could be made that Microsoft should have seen the security implications of their application interconnectivity and fixed the security problems before they released Windows 95. Even if we assume that they could not reasonably have foreseen a security hole that would allow e-mail to compromise a computer network, it is hard to see why they have not taken steps to improve security since. E-mail viruses started to appear soon after Windows 95 was released. Microsoft has ignored a serious design problem in Windows, which has resulted in millions of dollars worth of losses. Only Microsoft knows all the details of their software, but numerous fixes can be proposed for this huge security hole. And yet I keep reading news reports about these viruses.
Most computer users are not computer experts. They expect the computer software to perform the correct action in a given situation. One mystified user, thinking that his corporate firewall would protect him from viruses like this commented "I have no idea how it got through the firewall. It's [the computer, which was crashed by the virus] supposed to be protected."
Computer experts may laugh, but why should this person have to understand the issues involved with networking and computer security to avoid having his computer network trashed by a virus? In theory this is what the computer experts are paid to understand so others don't have to.
If an e-mail attachment is a sound file, an image or a video file, the correct action is to play or display the file. These files are data and can be accessed without harming the computer. Obviously the root of the problem is that mail software running on Windows will pass attachments off for execution, and does so without printing a warning like "running this attachment could harm your computer or your computer network". Interestingly, a warning is exactly the approach taken for non-Java executable code (e.g., ActiveX), which by default only runs when the user has been warned and has given permission. Java code is usually given execution permission, but it runs in a sandbox: it can't cause other programs (like the e-mail software) to run on the local computer system, and in most cases it cannot read from disk. The ILOVEYOU virus seems to operate in part by reading and modifying the Windows registry, which would usually not be allowed from Java code.
Since viruses like this are easy to build and difficult or impossible to protect against until security is fixed in Windows, users have started to get the idea that viruses are like traffic accidents. They are simply a risk that the user runs by using a computer system. What is largely ignored is the fact that these viruses can be avoided. The ILOVEYOU virus should have been nothing more than it appeared on UNIX: some very obscure text.
As I predicted, the Visual Basic script in the virus was used as a model for a variety of additional viruses that appeared soon afterward. These had a variety of "social engineering" features, which attempt to get people to open the attachment. One of these was:
Subject: Mothers Day Order Confirmation
Body: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com
Attachment: mothersday.vbs
Among other things, this e-mail virus shut down e-mail at Microsoft on May 4 and May 5, 2000. Perhaps this will actually motivate Microsoft to fix this huge security hole, if only for themselves.
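The rule stated above (an attachment is data to be displayed or played unless its type marks it as a program, and a program should never run without a warning), together with the double-extension and "invoice" .vbs lures, as an added example in Python. This is not code from the original page or from any mail client it mentions. The sample message, its attachment names (modelled on the ILOVEYOU and mothersday.vbs lures) and the extension lists are constructed for the example; the UNIX execute-bit behaviour it relies on is the one described above.

```python
"""Treat e-mail attachments as data, never as programs.

Added example for this page (not code from the original or any mail client it
discusses): classify the attachments of a constructed message by extension and
declared MIME type, then write them to disk without the execute bit.
"""
import email
import os
import stat
import tempfile
from email import policy
from email.message import EmailMessage

# Extensions the Windows shell hands to a loader or script interpreter.
# Assumption: an illustrative list, not a complete one.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".reg", ".lnk", ".msi",
}
# Office formats whose opening launches the associated application, macros included.
MACRO_CAPABLE_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps"}
# Passive content: display or play it, never execute it.
PASSIVE_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".gif", ".png", ".wav", ".mp3", ".avi"}
PASSIVE_TYPE_PREFIXES = ("text/", "image/", "audio/", "video/")


def classify_attachment(filename, content_type):
    """Return (verdict, reason); verdict is data, executable, macro-capable, suspicious or unknown."""
    # Only the final extension decides how the shell opens the file, so
    # "LOVE-LETTER-FOR-YOU.TXT.vbs" is a script however text-like it looks.
    name = os.path.basename(filename or "").lower()
    root, ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(root)
    ctype = (content_type or "").lower()
    if ext in EXECUTABLE_EXTENSIONS:
        if inner_ext in PASSIVE_EXTENSIONS:
            return "executable", f"double extension {inner_ext}{ext} disguises a script as data"
        return "executable", f"{ext} is run by the shell or script host"
    if ext in MACRO_CAPABLE_EXTENSIONS:
        return "macro-capable", f"opening {ext} launches its application, which may run macros"
    if ext in PASSIVE_EXTENSIONS:
        if ctype and not ctype.startswith(PASSIVE_TYPE_PREFIXES):
            return "suspicious", f"declared type {ctype} does not match {ext}"
        return "data", f"{ext} is passive content; display or play it"
    return "unknown", f"no rule for {ext or 'a missing extension'}; treat as opaque data"


def inspect_message(raw):
    """Parse raw RFC 822 bytes and return [(filename, verdict, reason)] per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        verdict, reason = classify_attachment(name, part.get_content_type())
        results.append((name, verdict, reason))
    return results


def save_attachment_unexecutable(part, directory):
    """Write one attachment with mode 0600: owner-readable, never executable."""
    # A UNIX file cannot run unless its execute bit is set, so decoding MIME
    # this way makes a .vbs exactly as inert as a .txt.
    safe_name = os.path.basename(part.get_filename() or "attachment").replace("/", "_")
    path = os.path.join(directory, safe_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(part.get_payload(decode=True) or b"")
    return path


def build_sample_message():
    """Constructed sample (not a real virus): two disguised scripts plus one image."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached file")
    msg.add_attachment(b"' harmless stand-in, not the virus\n", maintype="application",
                       subtype="octet-stream", filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    # Declared as text/plain: the shell still runs it by extension.
    msg.add_attachment("' harmless stand-in, not the virus\n", subtype="plain",
                       filename="mothersday.vbs")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="photo.png")
    return msg.as_bytes()


def run_demo():
    """Classify and safely extract the sample; return {filename: (verdict, execute_bits)}."""
    msg = email.message_from_bytes(build_sample_message(), policy=policy.default)
    summary = {}
    with tempfile.TemporaryDirectory() as tmp:
        for part in msg.iter_attachments():
            verdict, _ = classify_attachment(part.get_filename(), part.get_content_type())
            path = save_attachment_unexecutable(part, tmp)
            summary[part.get_filename()] = (verdict, stat.S_IMODE(os.stat(path).st_mode) & 0o111)
    return summary


if __name__ == "__main__":
    for name, verdict, reason in inspect_message(build_sample_message()):
        print(f"{verdict:13} {name}: {reason}")
```

The point of the two verdict paths is the one the page makes: the declared MIME type is advisory, but the extension is what Windows uses to choose an interpreter, so a .vbs labelled text/plain is still a program. A mail reader that applies the verdict before opening anything, and that stores attachments without the execute bit, turns a script attachment into inert text, which is exactly what happened on the UNIX side.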
Perhaps the reason that Microsoft Outlook Express has not been banned from corporate networks is that no one really cares. These stupid e-mail viruses have not caused enough trouble to prompt any real action, despite the claims about the huge damage they have caused. In a Wall Street Journal editorial, published on May 8, 2000, George Smith of Crypt Newsletter points out that the Melissa and Chernobyl viruses were logically similar to the ILOVEYOU virus, yet nothing has changed.
Viruses like ILOVEYOU spread explosively because of longstanding and well-understood holes in both e-mail software and in the antivirus approach to dealing with them. Yet because there is no real pressure from corporate customers for change, we face the same virus problems again and again.
Implementing a new non-standard e-mail solution (e.g., a safe e-mail application that will not execute attachments) is fairly painful, especially for large companies. The user base must be trained in the new program and it must be propagated to all Windows based systems. Since few companies seem to have done this for their networks of computers running Microsoft software, there is some evidence that George Smith is right. The level of pain is just not high enough to prompt anyone to take action. On the other hand, I would think that an e-mail shutdown of a day or more would be pretty painful for most modern companies. But this may simply be the difference between the perceptions of a software engineer and someone outside the computer industry.
I continue to be surprised that there has never been a class action suit undertaken against Microsoft. Perhaps the lawyers feel that the complexities of software and the conflicting testimony of experts would be too confusing for a jury. However, the "features" of Microsoft's Outlook Express that execute components of an e-mail (Word documents, Visual Basic scripts) are simply inexcusable. Press reports have suggested that these holes have finally been closed in Windows XP.
Some computer security sites publish descriptions of security holes, in some cases complete with sample code. At least in the cryptographic community there is the view that cryptographic security should not depend on secrecy. In fact, cryptographic algorithms should be made public so that attacks can be undertaken. Only after an algorithm has survived scrutiny can there be some assurance of security. The same is ultimately true of Linux and the various versions of BSD UNIX. The source code for these operating systems is available to anyone who cares to download it. Any security flaws will be openly discussed and quickly fixed. Even the NSA seems to have acknowledged the power of open discussion of at least some security issues. The NSA has released reference code for improving Linux security.
The ubiquitous nature of Microsoft software, their monopolistic and predatory nature and their historically cavalier attitude toward computer security (which is finally starting to affect their sales of Windows servers) have made Microsoft a target for many security attacks. Microsoft security flaws are also frequently published on security sites. Microsoft claims that this has increased the number and severity of attacks. This is discussed in the article Microsoft to hackers: Don't publish code by Robert Lemos, Cnet.com, October 17, 2001. This article mentions an article by Microsoft employee Scott Culp, It's Time to End Information Anarchy. In this article Culp writes
It's high time the security community stopped providing blueprints for building these [hacker] weapons. And it's high time computer users insisted that the security community live up to its obligation to protect them. We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it.
Depending on secrecy is never a good way to ensure security. Information always gets out. Building software that has security holes that can be exploited by ignorant script kiddies using Visual Basic does not lend a lot of credibility to those who complain about others publishing information about their security holes.
Microsoft has a lot of money and they have used some of it to hire some of the best computer scientists in the world. Rather than complaining about people publishing information about Microsoft security holes, Microsoft should let this impressive talent loose to build reliable, maintainable and secure software. The fact that Microsoft has allowed such gaping security holes to exist in their software through many years of operating system releases renders their complaints about publishing security holes empty.
As a software engineer I am not suggesting that the software industry be subjected to massive product litigation. Software systems are the most complex objects created by the human race. There is no question that there will be bugs and design flaws in any large software system. There is no way to design a perfect large scale software system. Even if the software were perfect in and of itself, there will always be unforeseen events that cause the software to fail.
Suing software companies for every unforeseen flaw would destroy the software industry. But if a software company knows of a serious flaw that they know causes serious harm to their customers, they should be obligated to make a concerted effort to correct the problem.
Companies like Microsoft, which have a fanatic obsession with profits even when these profits come at the expense of their customers' computer security, would think twice about their policies if it cost them billions of dollars in legal settlement costs. The security problems in Microsoft software have existed in the same form for years, without being addressed by Microsoft. This is the critical issue. Microsoft knew about the problem but took no concrete steps to fix it for a period of years.
Microsoft's security push lacks oomph by Robert Lemos, January 11, 2002, news.com (cnet.com)
Security Flaws May be Pitfall for Microsoft, Joseph Menn, Los Angeles Times, January 14, 2002
This article answers one of the questions raised on this web page: why has Microsoft not been sued in a massive class action suit over the havoc they have wrought through the security holes in their software? So far, apparently, the courts have held that software makers cannot be held liable for product flaws. In part this is because, in theory, the user licenses the software; they don't own it.
The increasingly widespread concerns about Microsoft security problems are also discussed in this article. Many people (including the author) will not use Microsoft's .NET software given their history of security problems.
Windows UPnP Vulnerability in Bruce Schneier's Crypto-Gram Newsletter, January 15, 2002
This much quoted issue of the Crypto-Gram newsletter discusses the Universal Plug and Play (UPnP) security hole in the early releases of Windows XP. This security hole resulted in an FBI advisory.
Commentary: The Best Way to Make Software Secure: Liability, By Ira Sager and Jay Greene, BusinessWeek online, March 18, 2002
Microsoft has been able to ignore glaring security issues like the linking of email to scripts that can destroy data on the users system because there has been no liability.
Microsoft Outlook's so-so security by Robert Lemos, News.com, March 21, 2002
Two years have passed since I first wrote this web page. The security problems in Microsoft's Outlook persist. Why any corporation allows this source of security vulnerability on their networks is beyond my understanding. The Dark Lord Himself, Mr. Bill, has put forward the Microsoft "Trustworthy Computing" initiative. The core problem is that the software Microsoft has layered on top of Windows NT, which is a good operating system, is riddled with security problems. No initiative is going to fix this by fiat.
Microsoft faces class-action on security breaches by Kevin Krolicki, October 2, 2003, Reuters (published on Yahoo)
As I've noted above, I believe that Microsoft has shown a cavalier disregard for security, especially when it comes to e-mail-borne viruses. Holding Microsoft at least partially accountable does not seem unreasonable.
On the other hand, as a software developer I'm a bit worried about this. Even carefully tested and well designed software may hide a design flaw that results from a condition that the designer did not foresee. Being sued for such errors would make it impossible to sell software (or perhaps even give it away). A number of posters to the slashdot discussion that pointed to the above article made similar points.
Linux vs. Windows Viruses by Scott Granneman, October 10, 2003, the Register.
Microsoft or their defenders have claimed that the reason there are so many viruses, worms and other security exploits aimed at Microsoft operating systems is not that their software architecture is poorly designed for security but that Microsoft is so popular. This argument claims that Microsoft's presence on so many computer systems means that security exploits are targeted at them.
Clearly there is some truth to Microsoft's claim. Let us say for the sake of argument that there was a single operating system named Colossus, from Acme Software, on all computers. All security exploits would, in fact, target Colossus, because no other targets would be available. This is an empty observation.
The argument that Microsoft operating systems are widespread and so are a target addresses the wrong issue, which is the one taken up in Scott Granneman's article. The important issue is: how easy is it to target a security exploit at a particular operating system? No software system of any significant complexity will ever be completely safe, so there will always be some security exploit possible.
As history has shown, security issues on Microsoft operating systems are much easier to exploit than they are on Unix or Linux systems. This is largely a result of system architecture.
Ian Kaplan, March 5, 2000
Most recently revised: October 2003