Is the following true?
This article is in the public domain - republish at will.
Version 2.5 "To Err is Human"
Microsoft Applications Security And The Internet
================================================
IMHO (In My Humble Opinion) Microsoft Office applications are not secure
enough to use in any environment where email and documents are shared over
the internet.
This continued virus threat is not ONLY an email or Outlook problem;
it extends to all Microsoft Office products, Microsoft's Internet
Explorer as well as a lot of third-party software for the Microsoft
OS platforms.
This is not a new problem and Microsoft's answer has always been to
grudgingly release quick fix patches instead of dealing with the
failings in the design of the application framework.
Unrestricted Foreign Script And Executable Execution
====================================================
Microsoft continues to distribute applications that will execute embedded
destructive scripts, macros and therefore trojans. Microsoft applications
and operating systems do not even provide a restrictive environment in which
a user can open, view and run untrusted documents. Any operating system can
run executables, shell commands and other scripts, but why is it that Windows
9X, 2000 and NT applications run scripts and executables embedded in email
and Office documents at the click of a user's assent?
To make matters even worse, Microsoft have made Visual Basic (VBS) the
default embedded scripting language within all its Office 2000 documents
and templates. Microsoft have sold large organizations on the use of Visual
Basic scripting and Active-X within their templates, documents and
enterprise glue. Turning off Windows Scripting Host is not a viable option
for users of the new Active Directory and remote administration services.
The Threat
==========
It is a LOT easier to create a Visual Basic or JScript virus than
to create a binary executable virus.
Any teenager with half a brain can now grab a copy of a trojan love,
Melissa or any number of new Visual Basic scripts. He can modify it by
trial and error until it passes the virus scanners. Then embed the trojan
in ANY type of Microsoft Office 2000 document. He can then attach
the document to the email or have a URL to the document on a web/ftp server.
All he has to do to ensure the spread of the worm is email them to known
Microsoft Outlook email users or to any users with Windows Scripting
Host enabled.
Not all of the attached trojans will be executed by the email recipients but
enough will to ensure its spread.
Once the virus is executed it has unrestricted access to all files that the
user has access to and all interfaces that Microsoft allows Visual
Basic access to.
To infect other computers the loveletter type script requires the Microsoft
MAPI mail interface. This is installed with Office Outlook and Outlook
Express. We must blame Microsoft for allowing Visual Basic scripts access
to this interface to send email without requiring a dialog/confirm from the
user. This is how the "worm" spread so fast.
This love letter virus demonstrates how such security holes can become the
biggest Denial of Service Attack threat to the whole internet.
The Failed Defence Strategies
=============================
Microsoft's attempts to keep its applications' vulnerabilities hidden behind
a proprietary veil of secrecy have failed.
Not all companies and users apply the security patches that Microsoft
release. A lot of patches cannot be installed if they disable features
that Microsoft sold their organization on for providing enterprise glue.
Human nature being as it is, relying on users to follow a strict protocol
when dealing with incoming email or other Office documents via the internet
is doomed to failure. Love letter from whom? The temptation to open the
attachments is too great even for the most security conscious person.
To quote Mark Twain "You can fool some of the people all of the time,
and all of the people some of the time ...". When presented with a dialog
window with Yes/No buttons, a LOT of users click yes without even reading
the dialog.
All attempts at providing retroactive firewall and Anti-virus defences
against viruses, trojans and other backdoors have failed and IMHO will
always be vulnerable to new and modified forms of attack. There is always
a delay between the release of a new virus or trojan and the detection
and clean up solution packaged and distributed by the Anti-Virus companies.
Firewall proxy based defenses are useless if the email or http request
is encrypted.
Just changing the client or server operating system to NT, win2000, MacOS,
or even a Unix based OS will not overcome the lack of security in the
client Microsoft Office suites. Any file that the user running the
script or executable has write access to is at risk. Even if you wish
to change file servers, Microsoft continues to change its application
interfaces so that using another vendor's server products is increasingly
difficult.
Relying on data backup to protect your documents is currently the best form
of defence. However if a stealthy virus or trojan is not detected or does
not "announce" its presence to the users and system administrators, then
how do you know how many days/weeks of backup are required?
What date do you restore from to get clean versions of the infected
and damaged files? How much information and work has been lost when
users change the documents in between backup and restore dates?
The Only Real Solutions
=======================
Only system administrators should have write access to files containing
trusted executables and scripts. (It has taken the Unix world a long
time to learn this lesson.)
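One way to check the rule above on a Unix-style system, as an added example
that is not part of the original article: walk a directory tree and report
every executable or script that someone other than an administrator could
alter. The suffix list and the default admin uid set ({0}) are assumptions.

```python
import os
import stat

# Assumed for this example: suffixes treated as scripts even without an exec bit.
SCRIPT_SUFFIXES = {".sh", ".py", ".pl", ".js", ".vbs"}

def _loose_write(mode):
    """Names of the non-owner write bits set in a mode."""
    bits = []
    if mode & stat.S_IWGRP:
        bits.append("group-writable")
    if mode & stat.S_IWOTH:
        bits.append("world-writable")
    return bits

def audit_tree(root, admin_uids=frozenset({0})):
    """Return {path: [reasons]} for executables/scripts a non-admin could alter."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        dmode = os.lstat(dirpath).st_mode
        # Write access to a directory allows replacing the files in it,
        # unless the sticky bit is set.
        dir_loose = [] if dmode & stat.S_ISVTX else _loose_write(dmode)
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            suffix = os.path.splitext(name)[1].lower()
            if not (st.st_mode & 0o111 or suffix in SCRIPT_SUFFIXES):
                continue  # plain data file, outside this rule
            reasons = _loose_write(st.st_mode)
            if st.st_uid not in admin_uids:
                reasons.append("owned by non-admin uid %d" % st.st_uid)
            reasons += ["directory " + r for r in dir_loose]
            if reasons:
                findings[path] = reasons
    return findings

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/bin"
    for path, reasons in sorted(audit_tree(target).items()):
        print(path, "->", ", ".join(reasons))
```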
Where distributed agents or embedded scripting is desired then a suitable
restricted mode must be provided that limits what destructive actions
the execution of the embedded script/executable can perform in its
environment.
If an attachment/document cannot be opened safely then it should not be
opened at all. Just putting up a warning dialog will not work if users
fail to read the message and just click yes.
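A sketch of "do not open it at all" applied at the mail gateway instead of
in a dialog, as an added example that is not part of the original article:
attachments are delivered only if they are on a short allow-list of passive
types, and everything else is blocked by default. The allow-list, the
function names and the sample message are assumptions constructed for
illustration.

```python
import os
from email.message import EmailMessage

# Assumed policy for this example: only these passive types are delivered.
ALLOWED = {".txt": "text/plain", ".png": "image/png", ".jpg": "image/jpeg"}

def verdict(filename, content_type):
    """Return (action, reason); anything not provably passive is blocked."""
    if not filename:
        return ("block", "attachment has no filename")
    base, ext = os.path.splitext(filename.strip().lower())
    if ext not in ALLOWED:
        inner = os.path.splitext(base)[1]
        if inner in ALLOWED:
            # e.g. NAME.TXT.vbs: the visible "type" is not the real one
            return ("block", "%s disguised as %s" % (ext, inner))
        return ("block", "type %s is not on the allow-list" % (ext or "(none)"))
    if content_type != ALLOWED[ext]:
        return ("block", "declared %s does not match %s" % (content_type, ext))
    return ("deliver", "passive type")

def screen(msg):
    """Apply verdict() to every attachment of an EmailMessage."""
    return {part.get_filename(): verdict(part.get_filename(),
                                         part.get_content_type())
            for part in msg.iter_attachments()}

def sample_message():
    """Constructed message; file names and contents are made up."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment("hello", filename="readme.txt")
    msg.add_attachment(b"MsgBox 1", maintype="application",
                       subtype="octet-stream", filename="PHOTOS.TXT.vbs")
    msg.add_attachment(b"\xd0\xcf\x11\xe0", maintype="application",
                       subtype="msword", filename="budget.doc")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="logo.png")
    return msg

if __name__ == "__main__":
    for name, (action, reason) in screen(sample_message()).items():
        print("%-16s %-8s %s" % (name, action, reason))
```

Office documents are blocked here because the filter cannot show that they
carry no macros, which is the fail-closed behaviour the paragraph asks for.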
Peer Based Review
=================
The open source model may not be immune to attacks from determined
crackers and vandals, but at least making the source code available forces
programmers and other solution providers to take a proactive approach to
system security. Putting the source code under peer review results in
the fixing of the security holes in the design of the application
as well as its source code.
Looking Elsewhere
=================
If you are worried about security of your files and information stored on
your computers, then IMHO you should look to different applications and
systems than those currently provided by Microsoft.
You should look to vendors and solutions that provide a proactive approach
to security, instead of just relying on a third party retroactive antivirus
defence.
Also look for vendors that work towards implementing and following
standards. This ensures that it is easier to deal with other organisations
not using the same vendor's product and that in the worst case scenario it
is possible to switch to another vendor's product.
Afterword
=========
Modifying Asimov's first law of robotics -
"Computer software should never cause the user to lose any of their
documents or through inaction cause the loss of their documents"