IP: USATODAY.com: Windows too open to viruses, experts say

[Dave Farber <farber@cis.upenn.edu>]

>
>http://www.usatoday.com/life/cyber/tech/cth950.htm
>
>05/23/00- Updated 03:51 PM ET
>
>Microsoft programs vulnerable to viruses
>
>By Will Rodger, USATODAY.com
>
>More than 45,000 viruses infect PCs running the Windows operating system
>worldwide. Several have caused billions of dollars in damage in the past 12
>months. Hundreds more viruses appear each year, requiring armies of
>anti-virus programmers to isolate and kill the offending bugs.
>
>By contrast, perhaps 35 viruses have been written for the Macintosh and four
>or five for the Unix-based computers that run most Web sites, says Eugene
>Spafford, director of the Center for Education and Research in Information
>Assurance and Security lab at Purdue University.
>
>This, a growing chorus of security experts say, is not happenstance.
>
>"PC operating systems have inadequate security," says Peter Neumann,
>principal scientist at SRI International in Menlo Park, Calif. "Attachments
>and executable content are features that should not exist if you are worried
>about security. Period."
>
>For even though Microsoft has produced the world's most popular operating
>system, its ease of use and the staggering number of features integrated
>into Windows and the Office applications has left the world's dominant
>computing platform uniquely vulnerable to a plague of troubles.
>
>Not Net viruses; Microsoft viruses
>
>Put simply, the last two big viruses were not Internet viruses. They, like
>virtually every virus that has made headlines in the last 10 years, were
>Windows viruses.
>
>Steve Lipner, manager of Microsoft's security response center, says the
>criticism is unfair:
>
>"That goes to what Willie Sutton said: The answer is, that's where the money
>is. The reason people write viruses for Microsoft Windows is there are lots
>of Microsoft machines out there, and that improves the chances for
>propagation."
>
>But that's precisely the point, critics say. Security specialists, drawing
>ever more on the language of epidemiology, have long warned that as networks
>expand and become more vital to everyday life, they become ever more
>vulnerable. Now, viruses face not just high-density populations but would-be
>victims that share the same weaknesses.
>
>Like the flu and the smallpox that killed 90% of the Aztecs or the blight
>that brought on the Irish potato famine, a single malady can ravage almost
>everyone's PC because they all have the same genetic makeup: Windows.
>
>As Windows grows in size - a typical Windows 98 installation can run
>anywhere from 120 MB to 295 MB vs. just 40 MB five years ago - the burden of
>checking code for errors grows even faster, Spafford says.
>
>But beyond that, he says, is another, more difficult truth: Windows and
>Microsoft's equally dominant Office Suite were designed neither for the
>Internet nor secure operation generally.
>
>Instead of forcing the operator to stop and check every new program that
>hits his hard drive, Windows offers the ability to automatically run any
>"script" or Internet-borne program without user intervention.
>
>And viruses are programs, after all.
>
>Windows usually hides telltale ".vbs" tag
>
>Security consultant Rick Forno (www.infowarrior.org) says Microsoft's
>now-infamous "visual basic scripting" is emblematic of the problem. VBS, in
>fact, can launch hidden programs without so much as notifying users they are
>there.
>
>The "love bug" virus that hit May 4 was such a program. Because Windows
>usually hides the final ".vbs" tag attached to the end of visual basic
>programs, most victims thought what they got was a simple text attachment -
>a love letter, in fact.
>
>As it turned out, the virus erased millions of graphics and sound files
>worldwide and stole an untold number of passwords from Filipino Internet
>accounts before authorities shut down the Web site to which the passwords
>were being e-mailed. The virus spread at record rates, thanks to the bug's
>tactic of sending copies of itself to every address in every copy of
>Microsoft's Outlook e-mail program - again made possible by VBS technology.
>
>That same mechanism showed up again Friday as the "new love" virus struck in
>much the same fashion. This time, though, the virus destroyed virtually
>every file on infected computers.
>
>A bug in the program, ironically, stopped the virus from spreading very far.
>
>Microsoft has promised a patch to "turn off" the VBS problem in Outlook
>sometime this week.Yet at least a half-dozen major viruses have duplicated
>themselves through Microsoft's Outlook over the past 18 months, Forno says.
>The infamous Melissa virus, Explore.zip, VBS/Bubbleboy and X97M/Papa viruses
>all used the Outlook address book to spread themselves.
>
>Other operating systems don't work this way
>
>Other programs on other operating systems could not behave this way, Forno
>says, because applications written for other operating systems - e-mail
>programs, word processors and the like - do not reach down into the deepest
>levels of the operating system to function.
>
>And true, Forno says, programs like Outlook and Microsoft Word work smoothly
>together in part because they share files that are also part of Windows. But
>that close connection to the operating system also let "new love" destroy
>those same system files, in effect destroying every file on the targeted
>computer's hard dive.
>
>The "love bug" and its progeny couldn't procreate so quickly on a Unix
>system, Purdue's Spafford says.
>
>For even though security specialists and computer vandals regularly find
>holes in Unix operating systems, they have one real strength that keeps them
>essentially virus-free: programs don't simply run of their own accord.
>Rather than clicking on an icon and waiting for a new program to set itself
>up, Unix users must go through a deliberate, sometimes tricky task of
>tweaking a software package so that a computer can actually run it.
>
>Is it as easy as Windows? No way, Spafford says. But that's a small price to
>pay, he says, when millions are clicking on files they should know better
>than to click on.
>
>Eventually, he says, all users will come to realize that ease of use and
>total security are at polar extremes of the same continuum. What you gain in
>one you usually will lose in the other.
>
>Fred Cohen, a security specialist who performed the first research on
>computer viruses, says Microsoft may be only the largest of a group of
>offenders.
>
>After all, he says, one could write a version of Microsoft's Office for Unix
>that would cause much the same sort of trouble. And Netscape's Internet
>browser and mail program is not only highly popular among Unix users but
>also quite insecure from a security specialist's point of view.
>
>"Go ahead and take a swipe at Microsoft," Cohen says. "They deserve it. But
>if 90% of the world was running Unix and everybody was running Netscape on
>it, we would have the same kinds of problems on Unix."
>
>Specialists say the lure of the quick and easy remains powerful.
>
>"There are a lot of businesses that really like that close integration,"
>says Pete Hammes, director of engineering at Para-Protect Services in
>Alexandria, Va. "It makes it a lot easier for users that don't have a lot of
>technical sophistication."
>
>German government considers dropping Outlook
>
>It is anyone's guess how long the love affair with simplicity will last. The
>German government said Friday that it was considering dumping Outlook
>altogether in the wake of the latest virus outbreak.
>
>"I think a really big issue is just design and quality," Spafford says.
>"Other operating systems have been designed with security at the forefront."
>
>As dim a view as he takes of Microsoft's work, Spafford concedes there is at
>least one factor over which Microsoft has no control: time.
>
>"Windows is relatively a much newer operating system than is the Macintosh
>or Unix, which don't have these sorts of problems," he says. "Part of it may
>be just maturity."
>
>For now, Lipner says, the company is working to improve its security
>practices while giving customers what they want. With its promised "patch"
>for its Outlook program in place, Lipner says, users will have to take extra
>steps to send or receive attachments that work. Those extra steps, he says,
>should give users fair warning before they blindly click on attachments.
>
>"It's not going to be the casual thing it is now," he says.
>
>Regardless of what it does in the future, Microsoft can be thankful that
>damage from the viruses hasn't been more widespread.
>
>At a gathering at the Economic Strategy Institute in Washington, D.C., last
>week, former CIA director R. James Woolsey said that he expected terrorist
>and spies would soon use password-sniffing techniques similar to those
>deployed by the "love bug." This time, though, the rogue programs would be
>aimed at specific computers, he said. And they would not announce themselves
>the way the latest ones did.
>
>"If you've had your computer or network hacked into or somebody's put a
>(virus) on your system and is reading out your files before the data is
>encrypted, you've got a serious problem," he said.
>
>--------------------------
>
>
>
>05/22/00- Updated 03:30 PM ET
>
>
>http://www.usatoday.com/life/cyber/tech/cth951.htm
>
>
>Net has made virus writing easier
>
>By Will Rodger, USATODAY.com
>
>Virus writing, which has never been hard, is getting easier all the time.
>Want evidence? Look at the Internet itself.
>
>It wasn't long ago that virus writers gathered in small electronic
>communities that amounted to nothing more than individual computers
>connected to the outside world by a few phone lines.
>
>Communications about their illegal activity had to be confidential, so
>expertise spread slowly.
>
>But now anyone can post anything to the Internet. Add a few search engines
>to the mix, and there you have it.
>
>"Viruses have gotten easier to write because there are more examples to use
>and there's more literature about how to write them," says Dave Farber,
>professor of computer science at the University of Pennsylvania and
>Chief Technologist at the Federal Communications Commission.
>
>Statistics from the government-funded computer emergency Response Team at
>Carnegie Mellon University tell the tale. Reported incidents of computer
>vandalism have grown dramatically from 1990, when there were only 252, to
>9,859 incidents in 1999. The first quarter of this year alone saw 4,266
>incidents.
>
>Automated hacking tools that require essentially no programming skills have
>accounted for much of the growth.
>
>Indeed, the Internet has become in some ways its worst enemy by offering a
>wide variety of tips on system cracking. At the same time, teaching computer
>security techniques means explaining how the attacks are done in the first
>place. So even if someone tried to censor information about virus writing,
>the effort would be pointless, experts say.