This article is in the public domain - republish at will.
Version 2.5 "To Err is Human"
Microsoft Applications Security And The Internet
================================================
IMHO (In My Humble Opinion) Microsoft Office applications are not secure
enough to use in any environment where email and documents are shared over
the internet.
This continued virus threat is not ONLY an email or Outlook problem;
it extends to all Microsoft Office products, Microsoft's Internet
Explorer as well as a lot of third party software for the Microsoft
OS platforms.
This is not a new problem and Microsoft's answer has always been to
grudgingly release quick fix patches instead of dealing with the
failings in the design of the application framework.
Unrestricted Foreign Script And Executable Execution
====================================================
Microsoft continues to distribute applications that will execute embedded
destructive scripts, macros and therefore trojans. Microsoft applications
and operating systems do not even provide a restrictive environment in which
a user can open, view and run untrusted documents. Any operating system can
run executables, shell commands and other scripts but why is it that Windows
9X, 2000 and NT applications run scripts and executables embedded in email
and Office documents at the click of a user's assent?
To make matters even worse Microsoft have made Visual Basic (VBS) the
default embedded scripting language within all its Office 2000 documents
and templates. Microsoft have sold large organizations on the use of Visual
Basic scripting and Active-X within their templates, documents and
enterprise glue. Turning off Windows Scripting Host is not a viable option
for users of the new active directory and remote administration services.
The Threat
==========
It is a LOT easier to create a Visual Basic or Jscript virus than
to create a binary executable virus.
Any teenager with half a brain can now grab a copy of a trojan love,
melissa or any number of new Visual Basic scripts. He can modify it by
trial and error until it passes the virus scanners. Then embed the trojan
in ANY type of Microsoft Office 2000 document. He can then attach
the document to the email or have a URL to the document on a web/ftp server.
All he has to do to ensure the spread of the worm is email them to known
Microsoft Outlook email users or to any users with Windows Scripting
Host enabled.
Not all of the attached trojans will be executed by the email recipients but
enough will to ensure its spread.
Once the virus is executed it has unrestricted access to all files that the
user has access to and all interfaces that Microsoft allows Visual
Basic access to.
To infect other computers the loveletter type script requires the Microsoft
MAPI mail interface. This is installed with Office Outlook and Outlook
Express. We must blame Microsoft for allowing Visual Basic scripts access
to this interface to send email without requiring a dialog/confirm from the
user. This is how the "worm" spread so fast.
This love letter virus demonstrates how such security holes can become the
biggest Denial of Service Attack threat to the whole internet.
The Failed Defence Strategies
=============================
Microsoft's attempts to keep its applications' vulnerabilities hidden behind
a proprietary veil of secrecy have failed.
Not all companies and users apply the security patches that Microsoft
release. A lot of patches cannot be installed if they disable features
that Microsoft sold their organization on for providing enterprise glue.
Human nature being as it is, relying on users to follow a strict protocol
when dealing with incoming email or other Office documents via the internet
is doomed to failure. Love letter from whom? The temptation to open the
attachments is too great even for the most security conscious person.
To quote Mark Twain "You can fool some of the people all of the time,
and all of the people some of the time ...". When presented with a dialog
window with Yes/No buttons, a LOT of users click yes without even reading
the dialog.
All attempts at providing retroactive firewall and Anti-virus defences
against viruses, trojans and other backdoors have failed and IMHO will
always be vulnerable to new and modified forms of attack. There is always
a delay between the release of a new virus or trojan and the detection
and clean up solution packaged and distributed by the Anti-Virus companies.
Firewall proxy based defenses are useless if the email or http request
is encrypted.
Just changing the client or server operating system to NT, win2000, MacOS,
or even a Unix based OS will not overcome the lack of security in the
client Microsoft Office suites. Any file that the user running the
script or executable has write access to is at risk. Even if you wish
to change file servers Microsoft continues to change its application
interfaces so that using another vendor's server products is increasingly
difficult.
Relying on data backup to protect your documents is currently the best form
of defence. However if a stealthy virus or trojan is not detected or does
not "announce" its presence to the users and system administrators, then
how do you know how many days/weeks of backup are required?
What date do you restore from to get clean versions of the infected
and damaged files? How much information and work has been lost when
users change the documents in between backup and restore dates?
The Only Real Solutions
=======================
Only system administrators should have write access to files containing
trusted executables and scripts. (It has taken the Unix world a long
time to learn this lesson.)
Where distributed agents or embedded scripting is desired then a suitable
restricted mode must be provided that limits what destructive actions
the execution of the embedded script/executable can perform in its
environment.
If an attachment/document cannot be opened safely then it should not be
opened at all. Just putting up a warning dialog will not work if users
fail to read the message and just click yes.
Peer Based Review
=================
The open source model may not be immune to attacks from determined
crackers and vandals, but at least making the source code available forces
programmers and other solution providers to take a proactive approach to
system security. Putting the source code under peer review results in
the fixing of the security holes in the design of the application
as well as its source code.
Looking Elsewhere
=================
If you are worried about security of your files and information stored on
your computers, then IMHO you should look to different applications and
systems than those currently provided by Microsoft.
You should look to vendors and solutions that provide a proactive approach
to security, instead of just relying on a third party retroactive antivirus
defence.
Also look for vendors that work towards implementing and following
standards. This ensures that it is easier to deal with other organisations
not using the same vendor's product and that in the worst case scenario it
is possible to switch to another vendor's product.
Afterword
=========
Modifying Asimov's first law of robotics -
"Computer software should never cause the user to lose any of their
documents or through inaction cause the loss of their documents"
How do you mean, true? You say it's your opinion, you don't say it is facts.
It's obviously written by someone who dislikes Microsoft. (Thomas Penfield
Jackson maybe?) I use MS products and I think that their utility outweighs
their risks. If you need a whipping post, try picking on anti-virus
software that can't recognize malicious code unless it's seen it before.
Objectivity check. I incline to agree with the opinion originally posted.
I also accept that other people's views may well be correct as well.
Microsoft is in the business of producing a product which meets the needs of
its users - this is a commercial prerequisite or they wouldn't be able to
sell it. I grudgingly accept that their product has transformed personal
computing for the better, without necessarily agreeing with their marketing
and quality assurance practices.
Microsoft's position (as at around the time they first set up a security
homepage) was that users prefer "richness of experience" to security. If
enough users find their recent experiences a bit too rich then no doubt
pressure will be put on Microsoft to improve their product line in this
respect.
What I can't understand is why some large corporate licensee has not brought
a class action against Microsoft for selling an inherently unsafe product.
Possibly the fact that to succeed, you need to have more money than Bill
Gates' lawyers may figure in here somewhere.
Speaking from my point of view as a corporate security person, what we need
is the ability to securely nominate what "code" (whether machine code,
macros, or scripts) we want our people to be able to run; and refuse *by
default* to run any code which we do not "trust". This can easily be
achieved in concept by using digital signing techniques so that we can
explicitly mark code as trusted. The digital signature would have to be
securely verified every time a script, macro, applet, control, or program is
interpreted, parsed, executed, or run.
Once we had this sort of option then we would be much better protected
against viruses, worms, and the like: further, we would be able to get a
little more of a grip on end-user programming (development of huge, complex,
and undocumented spreadsheets for example). We would no longer need
antivirus software or e-mail content management software (at least, we might
still want it but the protection against "technical attacks" would become
redundant).
I stress that this represents a corporate viewpoint. A home user may have
entirely different needs, or may not care.
But, where is it? Microsoft would be a logical supplier, but they haven't
done so. The antivirus companies have the skills, but is it in their best
interests to promote this solution?
There are several good MS products, and I use some of them, but I prefer to
make the choice myself, not have it forced upon me.
- Anders Gustafsson, Engineer, CNE, ASE
NSC Volunteer Sysop (http://support.novell.com/forums/)
Pedago, The Aaland Islands (N60 E20)
Using VA 4.52 build 277 (32-bit) on Win95
John Elsbury wrote:
>
> Laura Cox <10205...@removethispart.compuserve.com> wrote in message
> news:8gsjki$5t3$1...@sshuraab-i-1.production.compuserve.com...
> > >>Is the following true?
> >
> > It's obviously written by someone who dislikes Microsoft.
> > (Thomas Penfield Jackson maybe?) I use MS products and I think
> > that their utility outweighs their risks.
> > If you need a whipping post, try picking on anti-virus
> > software that can't recognize malicious code unless it's seen it before.
The solution is not AV Software:
First if an OS contains errors then it is the task of its
manufacturer to supply solutions in the form of software fixes.
In relation to Y2K; Microsoft did a good job.
Secondly if an OS is not secure the manufacturer should supply
a new release with more security in the form of rules
that application writers should follow.
The side effect will be less freedom for its users.
For example if I open an URL the OS should at least warn the user
that the page tries to write to your disc.
Microsoft advises its users to use AV Software.
Again that is only a temporary solution.
They should do something permanent.
> >
> >
>
> Objectivity check. I incline to agree with the opinion originally posted.
> I also accept that other people's views may well be correct as well.
>
> Microsoft is in the business of producing a product which meets the needs of
> its users - this is a commercial prerequisite or they wouldn't be able to
> sell it. I grudgingly accept that their product has transformed personal
> computing for the better, without necessarily agreeing with their marketing
> and quality assurance practices.
I accept that they have transformed the PC market.
Also their marketing practices.
I do not accept their security practices.
> Microsoft's position (as at around the time they first set up a security
> homepage) was that users prefer "richness of experience" to security. If
> enough users find their recent experiences a bit too rich then no doubt
> pressure will be put on Microsoft to improve their product line in this
> respect.
What Microsoft should ask each user is the following:
Dear user, please select one of the following: a, b or c
What do you want (in order to reduce virus risk)
a. Software modifications in the OS to limit disc access.
b. AV software.
c. both
(For details about my opinion see my reply in this users group
under the question: Viruses on Macs, Why are there so few)
> What I can't understand is why some large corporate licensee has not brought
> a class action against Microsoft for selling an inherently unsafe product.
> Possibly the fact that to succeed, you need to have more money than Bill
> Gates' lawyers may figure in here somewhere.
>
> Speaking from my point of view as a corporate security person, what we need
> is the ability to securely nominate what "code" (whether machine code,
> macros, or scripts) we want our people to be able to run; and refuse *by
> default* to run any code which we do not "trust". This can easily be
> achieved in concept by using digital signing techniques so that we can
> explicitly mark code as trusted. The digital signature would have to be
> securely verified every time a script, macro, applet, control, or program is
> interpreted, parsed, executed, or run.
Digital security with a quality label that the code is free
of errors, has no side effects on your PC and causes no damage
is not the answer.
This solution is more or less the same as the table in your AV software
that maintains all the .exe files that you should not run.
Both are post active (after the facts/actions ) solutions.
What we need are preactive solutions.
Suppose I want to send you a program that I have written.
Who is going to give me this quality label ?
(implying that the code is verified)
Do you accept this quality label if the organization
that has verified this is outside nz ?
Will all countries agree to that ?
(Implying that my label is every accepted)
I think a more direct approach is preferred:
The OS should warn you if an application program
does something that you do not expect
i.e. write in files that are not in its child
directories.
(Each program should only write in the extensions
that are approved. Never to *.* (They can read from *.*))
> Once we had this sort of option then we would be much better protected
> against viruses, worms, and the like: further, we would be able to get a
> little more of a grip on end-user programming (development of huge, complex,
> and undocumented spreadsheets for example). We would no longer need
> antivirus software or e-mail content management software (at least, we might
> still want it but the protection against "technical attacks" would become
> redundant).
>
> I stress that this represents a corporate viewpoint.
It would be very interesting to know how many companies agree with you.
> A home user may have entirely different needs, or may not care.
IMO home users have no idea the risks they run.
IMO home users will agree that certain constraints on disc access
are acceptable with almost no loss in functionality.
IMO home users will agree that dependency on AV software
is not a plus.
> But, where is it? Microsoft would be a logical supplier,
> but they haven't done so.
They should supply a solution.
I hope the readers of the newsgroup give more suggestions.
> The antivirus companies have the skills, but is it in their best
> interests to promote this solution ?
After Microsoft has supplied a solution the functionality
of AV software should drastically be reduced.
By preference to zero.
Nonsense. You want something permanent? Pull the plug.
I'm sick of hearing from whiners who want Microsoft to make their life
idiot-proof so they won't have to take responsibility for their own actions.
When you wrecked your car did you start bashing Ford for not making cars
wreck-proof? Did you ask for a car that was built like a tank and couldn't
go fast enough to get you into trouble? Of course not. You chose utility
over safety.
As an earlier post alluded, what we really need is smarter anti-virus
software. I'd love to have an application that would pop up a message
saying, "Hey, dude, I've never seen this program before but there's a line
in the code that will erase all your data. Are you sure you want to do
that?" Sure, some boob would say yes, but he shouldn't be using a computer
anyway.
> John Elsbury wrote:
> >
> > Laura Cox <10205...@removethispart.compuserve.com> wrote in message
> > news:8gsjki$5t3$1...@sshuraab-i-1.production.compuserve.com...
> > > >>Is the following true?
> > >
> > > It's obviously written by someone who dislikes Microsoft.
> > > (Thomas Penfield Jackson maybe?) I use MS products and I think
> > > that their utility outweighs their risks.
> > > If you need a whipping post, try picking on anti-virus
> > > software that can't recognize malicious code unless it's seen it before.
>
> The solution is not AV Software:
there is no *real* solution, but anti-virus software is a good
approximation to one...
> First if an OS contains errors then it is the task of its
> manufacturer to supply solutions in the form of software fixes.
virus infectability is not the result of errors in the OS..
> In relation to Y2K; Microsoft did a good job.
> Secondly if an OS is not secure the manufacturer should supply
> a new release with more security in the form of rules
> that application writers should follow.
virus infectability is not the result of 'insecurity' of the OS...
> The side effect will be less freedom for its users.
> For example if I open an URL the OS should at least warn the user
> that the page tries to write to your disc.
>
> Microsoft advises its users to use AV Software.
> Again that is only a temporary solution.
> They should do something permanent.
there is nothing permanent that can be done about computer
viruses... virus infectability is innate in all general purpose computing
environments - the only way to be rid of them permanently is to stop using
general purpose computers...
--
"i'm gonna break,
i'm gonna break my,
i'm gonna break my rusty cage,
and run"
> <snip>
> The solution is not AV Software: . . . that is only a temporary solution.
> They should do something permanent.
> </snip>
>
> Nonsense. You want something permanent? Pull the plug.
>
> I'm sick of hearing from whiners who want Microsoft to make their life
> idiot-proof so they won't have to take responsibility for their own actions.
> When you wrecked your car did you start bashing Ford for not making cars
> wreck-proof? Did you ask for a car that was built like a tank and couldn't
> go fast enough to get you into trouble? Of course not. You chose utility
> over safety.
agreed...
> As an earlier post alluded, what we really need is smarter anti-virus
> software. I'd love to have an application that would pop up a message
> saying, "Hey, dude, I've never seen this program before but there's a line
> in the code that will erase all your data. Are you sure you want to do
> that?" Sure, some boob would say yes, but he shouldn't be using a computer
> anyway.
such a program is not actually possible.. determining if a given line of
code actually executes is reducible to the halting problem, and since
there is such a thing as self-modifying code, well, it makes things very
problematic...
Joe B wrote:
>
> As an earlier post alluded, what we really need is smarter anti-virus
> software. I'd love to have an application that would pop up a message
> saying, "Hey, dude, I've never seen this program before but there's a line
> in the code that will erase all your data. Are you sure you want to do
> that?" Sure, some boob would say yes, but he shouldn't be using a computer
> anyway.
I also like that message
The problem is that it is for AV software
(any type of software that uses standard compilers)
rather difficult to decipher binary data
and to figure out that you want to write to disc.
The AV software has to do some form of reverse compiling.
For the OS manufacturer this job is much simpler
and the final result the same.
Not only that the OS software can rather
easily check if you are modifying something
in a parent directory or in a child directory
and warn you ^only^ if you do the first
for example if you want to modify the registry
or autoexec.bat or etc....
Comparing the software industry with the automobile
industry is very interesting.
When cars have a construction error you bring your
car to a dealer and get it fixed for free.
When (OS) software has an error .....
you buy AV software......
>I'm sick of hearing from whiners who want Microsoft to make their life
>idiot-proof so they won't have to take responsibility for their own actions.
>When you wrecked your car did you start bashing Ford for not making cars
>wreck-proof?
Ford Pinto.
Criminally negligent bad design it was, and was taken to task as such.
Embedding (autorunning) program code within data, esp. that which is
leveraged as a "general communications medium", is equally dumb!
>----------------- ----- ---- --- -- - - - -
Clippit Millennium says:
"It looks like you're writing a virus. Need some help?"
>----------------- ----- ---- --- -- - - - -
> Microsoft advises its users to use AV Software.
> Again that is only a temporary solution.
> They should do something permanent.
There were viruses before Microsoft and there will be viruses after too. Now
their contribution is that they supply the o/s platforms that are currently
popular. I'm not aware of any platform that does not have a virus available
for it (even if it's just one as a proof of concept) and I'm not sure how a
platform that was virus proof would be able to do any useful work.
--
--
Robert Moir, Microsoft BackOffice MVP
Search the MS Knowledgebase using the link below
http://support.microsoft.com/support/search/c.asp?PSL=1
**Please post ALL replies to the newsgroup**
** I will NOT answer emailed queries **
What really needs to be done is to provide a restricted mode for visual basic
and Active-X embedded within (untrusted) Office Documents.
The Adobe Postscript printer language used in most laser printers is all
script, based on the "Forth" programming language.
Ghostscript is a postscript conversion program that was released in 1988,
it allows the printing of Postscript files on a large variety
of non-postscript printers.
To prove what great Postscript programmers they were, the original
developers of Ghostscript used the forth interpreter to do all the
configuration and conversion scripting. This meant that the Ghostscript
interpreter was given access to the filesystem and other programs.
Some Hackers found this out and wrote probably the first Trojan worm
embedded within a document.
To eliminate the security risk the developers added an option
to run the interpreter in restricted mode, crippling it so that it could
not write to any files and limiting what system APIs the script had
access to. This option is now compiled ON by default, and is always
used when ghostscript is being used as a print filter.
Problem solved - no more postscript virus or worms!
David Mohring - "-dSAFER"
And now, years later, people are still finding ways to make those seat belt
equipped cars kill them.
All cars are capable of killing their operators. Is this a construction
error? How do you suggest we correct it?
Don't you?
I don't
Cars are not capable of killing anyone. They are mere inanimate objects.
However a poorly trained or irresponsible operator may lose control of one
and cause all kinds of damage.
Rob Moir
But would this be viable in an environment with a much wider remit than
Postscript? That's not to say I think the current security model for Wscript
and VBA is perfect, but I do think that people are tossing out "solutions"
without thinking things through.
Specifically, I wish that Microsoft would comment on my suggestion
that it should become a Good Software Practice for application
programs only to use relative addressing for disc allocation.
That means the OS should warn the user each time when an
application program writes for example in the root directory.
Most programs already use that philosophy so I do not expect
that this will have a major influence on functionality.
This rule implies that Microsoft should modify the message:
Do you want to execute this program:
direct (in memory)
or first save to disk
The direct option should be deleted.
> Now their contribution is that they supply the o/s platforms that
> are currently popular.
And Microsoft succeeded very well.
> (a) I'm not aware of any platform that does not have a virus available
> for it (even if it's just one as a proof of concept) and
> (b) I'm not sure how a platform that was virus proof
> would be able to do any useful work.
In order to comment you have first to define what a virus is.
A virus is a program that performs certain functions:
1. based on errors in the OS.
2. based on undocumented functions in the OS.
3. based on unwanted side effects of documented functions.
(1,a) Each platform can have viruses based on errors.
It is the responsibility of its builder to correct those
errors and as such to minimize the risk of viruses
(1,b) You can never prove if a platform is free of errors.
How useful a platform is depends completely on its
intended functionality i.e. its design.
This has nothing to do if its actual implementation contains
errors and as a consequence could contain viruses.
It is the task of its builder to correct those errors.
2. For viruses based on undocumented functions
the same reasoning applies as above.
It is the task of its builder to correct those errors.
Undocumented functions typically disappear when a new
release is issued.
(3,a) Each platform can have viruses based on
unwanted side effects i.e. newlove virus.
It is the responsibility of its builder to modify the
design and as such to minimize the risk of viruses
(3,b) You can never prove if a platform is free of
unwanted side effects, because they are "legal",
they are implemented as designed.
i.e. unwanted side effects are a design problem.
How useful a platform is depends completely on its
intended functionality i.e. its design.
It is the task of its builder (system architect)
to remove those unwanted side effects.
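The check proposed in this post and in the earlier ones (warn when a program writes outside its own directory tree or to an extension it is not approved for), as an added example that is not part of the original thread. The function name, the approved-extension list and the sample paths are constructed for illustration; a real OS would enforce this in the file-system layer rather than in Python.

```python
import os
import tempfile

# Assumed per-application list of extensions it may write (not from the thread).
APPROVED_EXTENSIONS = {".doc", ".txt"}


def check_write(app_dir, target, approved=APPROVED_EXTENSIONS):
    """Return ("allow" | "warn", reason) for a write requested by the
    application installed in app_dir."""
    root = os.path.realpath(app_dir)
    # Relative targets are taken relative to the application directory.
    # realpath() collapses ".." and follows symlinks, so the decision is
    # made on the file that would really be written, not on its spelling.
    resolved = os.path.realpath(os.path.join(root, target))
    try:
        # commonpath() compares whole path components, so "app-evil"
        # is not mistaken for a child of "app" (a plain prefix test would).
        inside = os.path.commonpath([root, resolved]) == root
    except ValueError:
        inside = False  # e.g. a different drive letter on Windows
    if not inside:
        return ("warn", "target is outside the application's directory tree")
    ext = os.path.splitext(resolved)[1].lower()
    if ext not in approved:
        return ("warn", "extension %r is not approved for writing" % ext)
    return ("allow", "inside application tree, approved extension")


def demo():
    """Run the check over constructed sample paths; returns label -> decision."""
    with tempfile.TemporaryDirectory() as base:
        app = os.path.join(base, "app")
        os.makedirs(os.path.join(app, "docs"))
        os.makedirs(os.path.join(base, "app-evil"))
        os.makedirs(os.path.join(base, "system"))
        # A link inside the application tree that points outside it.
        os.symlink(os.path.join(base, "system"), os.path.join(app, "shortcut"))
        cases = [
            ("child file", "docs/report.doc"),
            ("dot-dot escape", "docs/../../system/autoexec.bat"),
            ("absolute path", os.path.join(base, "system", "autoexec.bat")),
            ("sibling with same prefix", os.path.join(base, "app-evil", "a.txt")),
            ("symlink escape", "shortcut/notes.txt"),
            ("unapproved extension", "docs/payload.vbs"),
        ]
        return {label: check_write(app, path)[0] for label, path in cases}


if __name__ == "__main__":
    for label, decision in demo().items():
        print("%-26s %s" % (label, decision))
```

Only the first case is written silently; the other five would each produce the warning the post asks for, including the two that look like child paths until they are resolved.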
Why not, why can't a new layer be added to the interpreter working the same
as a proxy firewall does? Or else produce a crippled version of VBA/Wscript
that is used for viewing untrusted documents.
Why not insert a digital signature into 'rem' statements in the script code
to identify trusted documents?
It's not as if these solutions have not been used successfully elsewhere,
in fact most other vendors have realised that some form of restriction
on code execution is a necessity for distributed agents.
David Mohring - Reality bytes back
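The 'rem'-statement signature suggested in the post above, combined with the refuse-by-default rule asked for earlier in the thread, as an added example that is not part of the original posts. The "Rem SIG:" line format, the key and the sample macro are constructed; HMAC-SHA256 with an administrator-held key stands in for a public-key signature so the example runs on the standard library alone, and a real deployment would use an asymmetric scheme so that verifying machines hold no signing secret.

```python
import hashlib
import hmac

SIG_PREFIX = "Rem SIG:"               # hypothetical marker, first line only
DEMO_KEY = b"constructed-demo-key"    # constructed; never hard-code real keys

# Constructed sample macro of the "update the version number" kind.
SAMPLE_BODY = (
    "Sub UpdateVersion()\r\n"
    '    ActiveDocument.Variables("Version").Value = "1.2"\r\n'
    "End Sub\r\n"
)


def _canonical(body):
    # Normalise line endings so a CRLF/LF conversion in transit does not
    # invalidate the tag; every other byte of the script is covered.
    return body.replace("\r\n", "\n").encode("utf-8")


def _tag(body, key):
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def sign_script(body, key):
    """Administrator side: prepend the signature as a Rem comment line."""
    return "%s%s\r\n%s" % (SIG_PREFIX, _tag(body, key), body)


def may_run(script, key):
    """Interpreter side: default deny. True only if the first line is a
    Rem SIG comment whose tag matches everything that follows it."""
    first, sep, body = script.partition("\n")
    first = first.rstrip("\r")
    if not sep or not first.startswith(SIG_PREFIX):
        return False                  # unsigned code is refused, not warned about
    claimed = first[len(SIG_PREFIX):].strip().encode("utf-8")
    expected = _tag(body, key).encode("utf-8")
    # Constant-time comparison of the claimed and recomputed tags.
    return hmac.compare_digest(claimed, expected)


def demo():
    signed = sign_script(SAMPLE_BODY, DEMO_KEY)
    tampered = signed + 'Rem one appended line changes the signed body\r\n'
    return {
        "signed": may_run(signed, DEMO_KEY),
        "signed, LF line endings": may_run(signed.replace("\r\n", "\n"), DEMO_KEY),
        "unsigned": may_run(SAMPLE_BODY, DEMO_KEY),
        "tampered after signing": may_run(tampered, DEMO_KEY),
        "signed with another key": may_run(sign_script(SAMPLE_BODY, b"other"), DEMO_KEY),
        "signature not on first line": may_run("Rem hello\r\n" + signed, DEMO_KEY),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print("%-28s %s" % (label, "run" if ok else "refuse"))
```

The check has to run every time the script is interpreted, as the earlier post notes: a tag verified once at download time says nothing about a file that was modified afterwards.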
See, this is a design flaw. What's more, automobile manufacturers tout this
potentially destructive capability as a feature. The operator's manual
doesn't even mention that going at top speed into a solid object might be
dangerous. Do they think that everyone is born with some innate knowledge
of physics?
Meanwhile, back on Earth:
Can't you see the parallels in computer security? Windows is merely a tool
and like any tool it can be dangerous in the hands of an ill-trained or
irresponsible operator. You can cripple your computer to try and make it
idiot-proof just as you could limit your car's top speed to, say, 10MPH.
Still, some knucklehead is going to drive off a cliff or type "format c:." I
believe it was Spider Man's late uncle Ben that said, "With great power
comes great responsibility."
The problem with many in this industry is that they claim their products
are safe, when in fact they are not.
I've a friend who is a Volvo dealer. He could give you a good price on a new
top of the line model with front and back air bags should anybody out there
wish to try this for themselves.
>See, this is a design flaw. What's more, automobile manufacturers tout this
>potentially destructive capability as a feature. The operator's manual
>doesn't even mention that going at top speed into a solid object might be
>dangerous. Do they think that everyone is born with some innate knowledge
>of physics?
>
You could take your argument and extend it to include all the safety
components of all equipment. Remove the safety guards from all power
saws ( chain, circular etc ) because everybody can see that touching the
moving blades is going to seriously ruin the rest of your day.
Accidents happen and small mistakes, like crashes at lower speeds and
bumping into the top of the circular saw while it's running, will happen
to almost everyone, even if they do follow all the safety and operating
procedures.
"So the fuel tank of the Ford Pinto was a design feature? So what the hell
was Mr Nader complaining about."
It is when a "small mistake" causes disastrous results that it tends to show
up flaws in the design of equipment. If a safety feature can be added or
a change to the design can be made, which does not reduce functionality,
then why not make the change.
>Meanwhile, back on Earth:
>Can't you see the parallels in computer security? Windows is merely a tool
>and like any tool it can be dangerous in the hands of an ill-trained or
>irresponsible operator. You can cripple your computer to try and make it
>idiot-proof just as you could limit your car's top speed to, say, 10MPH.
>Still, some knucklehead is going to drive off a cliff or type "format c:." I
>believe it was Spider Man's late uncle Ben that said, "With great power
>comes great responsibility."
>
The situation with the new type of "love" VB viruses that can be embedded
within any Office document is different. People in business tend to send
each other attached Microsoft Office documents all the time.
So you receive an email from a person that you know. He was infected by a
newly modified version of the virus that cannot yet be detected by your
Antivirus program.
The virus now sends a copy of the infected Office document to every address
in his outlook address book. The virus looks up the Inbox first and changes
the header of the email to the header of an email from the same address.
You swap Word and other Office documents all the time, this is normal
business practice.
Both organizations include VB macros in the normal.dot that do cool things
like update document version numbers and dates, this because Microsoft sold
the consultants on using VB macros for this type of functionality.
So you expect the Office file to have macros, so you brush past the warning
dialog to view the document with macros enabled. All this is normal operating
procedure.
The virus replicates itself, but does not start overwriting randomly
selected files on the fileservers until you close the document in word.
The virus gives no warning to the user to what it is doing, no boast or
"Ha Ha Got you " message appears.
You assume that the person who sent you the file made a mistake, you are
too busy to email him back straight away. You carry on oblivious to
the damage the virus is doing to the business. The virus deletes itself
from the system after 20 minutes of doing a lot of damage.
Following everyday normal operating procedure someone makes a small mistake
with disastrous results.
When people started swapping Office documents over the internet, then the
scripting inside the documents became a "Distributed Agent". When browsing
the web you should not expect the web applets in Javascript and Java to
access your files. You should also expect Microsoft to provide a similar
secure environment to view untrusted Office documents.
So would you want to be rear ended in a car designed by Microsoft?
David Mohring - BIZZZT - Things that make you go boom
Agreed. Suppliers shouldn't sell a product that's unnecessarily dangerous
when used as intended. All I'm saying is the user should bear some
responsibility for knowing what he's getting into. Nothing can ever be
foolproof. The default operating mode of a hammer is "pound." (Here I go
with my analogies again.) If I take one and bash myself between the eyes I
really don't think I'd be justified in blaming the hammer manufacturer.
John Bloodworth
You seem to be having a problem with your news reader... You've posted
the same article 6 times now.
--
Cheers-
Jeff Setaro
jase...@sprynet.com
http://home.sprynet.com/~jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99
Where do Microsoft claim that windows is safe against idiots doing things
they shouldn't do with it?
Sorry, the news server at my ISP was not acknowledging a successful post;
this happens sometimes when the server is performing its expiration cycle.
David Mohring - Oops
Sorry about that - The news server at my ISP was not acknowledging a
successful post.
David Mohring - Oops
I strongly disagree with the last statement here. There is no single party
of which to point a finger at, blame, ridicule, use as a whipping post, beat
as a "red-headed stepchild" or otherwise stone. There are several factors
which contribute to the demise of our systems that require patience,
diligence, thoughtfulness and attention. Failing this, things will go on as
they always have.
IMHO, the following is an abridged, shortened list of some of the
contributory factors which will continue to haunt the computing industry
until the proper focus can be applied to them through various means:
* automatic trust of anything received by email, disk, http, ftp, uunet or
other means (otherwise known as "taking candy from strangers")
* running in standard or default mode for applicable software which may use
scripting, automation or filesystemobject interaction
* existence of automation on systems which do not take advantage of it
* failure to apply available updates to components of applicable software
* ease of which to create a beast of destruction using highly available
examples of software code
* social engineering as a means to trick or spoof a potential victim
This is not anywhere near a complete list; however, it serves as a great
start.
Regards,
Patrick Nolan, Virus Researcher
McAfee AVERT - a division of nai
http://vil.nai.com
They must be running MS software. <G>
Agreed
> A virus is a program that performs certain functions:
> 1. based on errors in the OS.
> 2. based on undocumented functions in the OS.
> 3. based on unwanted side effects of documented functions.
I don't agree with your definitions here. This might do for KAK, and for
exploits that are based on buffer over-runs but it certainly does not cover
the whole virus / malware spectrum.
For example, the authors of both Melissa and Lovebug (to use just two
examples where everyone will have heard of them, and most people can find the
code and double check my claims) wrote viruses where neither the payload nor
the replication depended on errors in the operating system (or scripting
environment), or undocumented features, or unwanted side effects of
documented features. In both these cases the authors used script commands
that worked correctly, that were documented, and were used "within
specification" by the malware.
> (1,a) Each platform can have viruses based on errors.
Yes
> It is the responsibility of its builder to correct those
> errors
Yes
> and as such to minimize the risk of viruses
No. I want any bugs that are found in a product I use corrected whether or
not they are vectors for viruses. This might seem like a trivial point, but
it is important to me.
It is also the responsibility of the users to minimise the risk of viruses.
Far more viruses are spread, far more data lost, far more time is wasted by
human error than malware.
> (1,b) You can never prove if a platform is free of errors.
> How useful a platform is depends completely on its
> intended functionality i.e. its design.
> This has nothing to do if its actual implementation contains
> errors and as a consequence could contain viruses.
But viruses are not a consequence of errors on a platform. They are the
consequence of someone deciding to sit down and write a virus. There are
plenty of viruses out there that are not dependent on bugs in order to
spread, therefore the presence of errors in an operating system is not
relevant to the virus problem, other than how they might directly relate to
the few items of malware that may make use of a particular exploit.
> 2. For viruses based on undocumented functions
> the same reasoning applies as above.
Again, while I agree that undocumented features are a bad thing, the
presence of undocumented features does not make the difference between a
platform being able to sustain viruses or not. I suspect that comparatively
few viruses that are in the wild at the moment rely on "undocumented
features" in their host platform.
> (3,a) Each platform can have viruses based on
> unwanted side effects i.e. newlove virus.
> It is the responsibility of its builder to modify the
> design and as such to minimize the risk of viruses
It is also the responsibility of the operator to minimise the risk. All a
product vendor can do is provide the means to secure a product, the operator
must choose to use these features, not circumnavigate them.
> (3,b) You can never prove if a platform free of
> unwanted side effects, because they are "legal",
> they are implemented as designed.
> i.e. unwanted side effects are a design problem.
> How useful a platform is depends completely on its
> intended functionality i.e. its design.
> It is the task of its builder (system architect)
> to remove those unwanted side effects.
It sounds like you have confused "unwanted side effects" with "The user not
understanding the implications of an action" - not the same, though the
distinction might seem minor to some. My definition of "unwanted side
effect" is something that is not covered in the specification for the thing
you are manipulating. If you FDISK your hard drive, not realising that
you'll lose the data on it, then is that an unwanted side effect? It might
be from your point of view if you were to do this, but I don't think it's
really so, rather that you performed this action without bothering to
understand its implications.
--
Robert Moir, Microsoft BackOffice MVP
Search the MS Knowledgebase using the link below
http://support.microsoft.com/support/search/c.asp?PSL=1
**Please post ALL replies to the newsgroup**
** I will NOT answer emailed queries **
That is typically a case of type 3.
I have seen the code of the I love you virus and it belongs
to type 3. Type 3 viruses operate in accordance with specifications
<snip>
> > and as such to minimize the risk of viruses
>
> No. I want any bugs that are found in a product I use corrected whether or
> not they are vectors for viruses. This might seem like a trivial point, but
> it is important to me.
I agree with you. The manufacturer has this task.
I doubt if this is also the policy of Microsoft.
> It is also the responsibility of the users to minimise the risk of viruses.
> Far more viruses are spread, far more data lost, far more time is wasted by
> human error than malware.
What do you mean by human error ?
Can you give me an example.
For me, if a user does not install AV software, that is not a human error.
If Microsoft issues software to correct errors and someone does not
install those, that is a human error.
Generally speaking the user is not responsible for viruses based on
errors.
The main responsibility lies with the (OS) software manufacturer.
Of course if the manufacturer does not do anything
then it becomes the task of the user to do something.
> > (1,b) You can never prove if a platform is free of errors.
> > How useful a platform is depends completely on its
> > intended functionality i.e. its design.
> > This has nothing to do if its actual implementation contains
> > errors and as a consequence could contain viruses.
>
> But viruses are not a consequence of errors on a platform.
The topic of this part of the discussion is viruses based on errors.
> They are the
> consequence of someone deciding to sit down and write a virus.
based on errors.
I agree.
However it is the responsibility of the manufacturer to correct
those errors.
You agreed about this point. See above.
If the manufacturer does that those types of viruses can be
eliminated.
> > 2. For viruses based on undocumented functions
> > the same reasoning applies as above.
>
> Again, while I agree that undocumented features are a bad thing, the
> presence of undocumented features does not make the difference between a
> platform being able to sustain viruses or not. I suspect that comparatively
> few viruses that are in the wild at the moment rely on "undocumented
> features" in their host platform.
I agree
> > (3,a) Each platform can have viruses based on
> > unwanted side effects i.e. newlove virus.
> > It is the responsibility of its builder to modify the
> > design and as such to minimize the risk of viruses
>
> It is also the responsibility of the operator to minimise the risk.
Again no.
First the manufacturer.
(Question do you or someone else know if Microsoft is going to do
something tangible ?)
Second if the product vendor does not do something
the user has to take action in the form of
installing AV software.
> All a product vendor can do is provide the means
> to secure a product,
IMO what Microsoft has done is to provide an easy
to use system.
My request for Microsoft would be:
Please make it less easy to use
i.e. tighten its security slightly.
(see my suggestions in previous postings)
> the operator must choose to use these features,
> not circumnavigate them.
What particular features do you have in mind ?
I hope it does not include AV software.
Because then AV software (with its present functionality)
will stay with us forever and that is a bad thing
I don't think so. I think that unexpected side effects are things happening
outside the specification of the object being manipulated. An unexpected
side effect is Outlook Express crashing sometimes when you insert a
signature, the crash was unexpected, because you went to "Insert-->
Signature" not "Tools --> MS Crash Wizard".
If it's in the specification, it's expected by anyone who has read the
documentation. And if the user has not read the documentation for something
before trying to operate it, that's the user's fault. There is nothing inside
ILU that uses a command "out of specification" but merely the net result of
running the whole script is negative because it was written for that purpose.
[...]
> I agree with you. The manufacturer has this task.
> I doubt if this is also the policy of Microsoft.
You do? What do you think service packs are? Office Service releases?
Hotfixes? The Technet Knowledgebase?
[...]
> What do you mean by human error ?
> Can you give me an example.
Yes... typing "Format C: /q /u" when you meant to type "Format A: /q/u" or
typing "rm -rf" when logged in as root on a Unix box. Saving a document over
the "original" that you were modifying when you should have used "Save as" and
given it another name. All examples of human error that loses data.
> For me, if a user does not install AV software, that is not a human error.
> If Microsoft issues software to correct errors and someone does not
> install those, that is a human error.
Agreed, assuming that the vendor does enough to make sure the fact that the
patches are available is known.
> Generally speaking the user is not responsible for viruses based on
> errors.
Agreed....
> The main responsibility lies with the (OS) software manufacturer.
> Of course if the manufacturer does not do anything
> then it becomes the task of the user to do something.
... But I think the amount of viruses that rely on errors in the host
environment is so small as to be a statistical blip.
> > > (1,b) You can never prove if a platform is free of errors.
> > > How useful a platform is depends completely on its
> > > intended functionality i.e. its design.
> > > This has nothing to do if its actual implementation contains
> > > errors and as a consequence could contain viruses.
> >
> > But viruses are not a consequence of errors on a platform.
>
> The topic of this part of the discussion is viruses based on errors.
But you appeared to be advancing the theory that viruses are a direct result
of errors in a platform. I am disputing that theory.
> > They are the
> > consequence of someone deciding to sit down and write a virus.
> based on errors.
> I agree.
> However it is the responsibility of the manufacturer to correct
> those errors.
> You agreed about this point. See above.
Yes I did agree that errors, bugs, in a platform should be eliminated. That's
a "no brainer". However, I think this would not give us the reduction in
malware you seem to expect.
> > It is also the responsibility of the operator to minimise the risk.
> Again no.
Again yes. To overuse the car analogy again, car manufacturers can include
ABS antilock brakes, seatbelts, airbags, and anything else in a car to
reduce the risk of accidents and injuries from these accidents. The presence
or absence of these features may, should, be a factor in your choice of
which car to purchase. The presence or absence of these features in your
final choice of car in no way relieves you of the burden of driving safely.
> First the manufacturer.
> (Question do you or someone else know if Microsoft is going to do
> something tangible ?)
Anyone who does know of Microsoft's future plans for their products, whether
within or (like me) without the company would not be able to comment one way
or another on those plans. I will say I have no plans to stop using
Microsoft products where I deem them suitable for as far as I can see into
the future.
> IMO what Microsoft has done is to provide an easy
> to use system.
> My request for Microsoft would be:
> Please make it less easy to use
> i.e. tighten its security slightly.
> (see my suggestions in previous postings)
Agreed, at least provide this as an option, and make it the default option
too... But if we are talking security why not run one of their more secure
products? At least meet them halfway, if you want to talk about security,
and use one of the products that's actually meant to be secure.
> > the operator must choose to use these features,
> > not circumnavigate them.
>
> What particular features do you have in mind ?
> I hope it does not include AV software.
I don't know that antivirus software will be disappearing any time soon, but
it's not on my list of things for the future. As for problems with scripts,
whether in Office or WScript or whatever, I've said time and time again in
this newsgroup and others that a rethink of the security model of these
products is in order. I get the feeling that someone comes up with a cool
new idea / technology and it gets built and played with in the labs, and
just before release someone goes "uh-oh, we better secure this baby" and
something gets bolted on to the front as "security". And we all know how
easy it is to pry up a corner, or sneak in the back door don't we?
Microsoft is far from the only guilty party in this regard. Products should
be designed from day one with security as an integral part of the product,
again as I've said before, defence in depth. However, you may also want to
read the comments from David Chess on this subject.
> Because then AV software (with its present functionality)
> will stay with us forever and that is a bad thing
I don't see the current crop of antivirus software as the future of
security, no. It's reactive. Kinda like a police force, that won't even *try*
to prevent crime until there have been enough victims for them to gather
enough evidence to convict the villain.
Robert Moir wrote:
>
> "Nicolaas Vroom" <nicv...@gallery.uunet.be> wrote in message
> news:3937EB48...@gallery.uunet.be...
> [...]
> > That is typically a case of type 3.
> > I have seen the code of the I love you virus and it belongs
> > to type 3. Type 3 viruses operate in accordance with specifications
>
> I don't think so. I think that unexpected side effects are things happening
> outside the specification of the object being manipulated. An unexpected
> side effect is Outlook Express crashing sometimes when you insert a
> signature, the crash was unexpected, because you went to "Insert-->
> Signature" not "Tools --> MS Crash Wizard".
If programs sometimes crash, implying that it is difficult to repeat
the problem, it is still an error, which has to be solved.
Often those problems have to do with (external) IO
for example datalink/Internet related.
Very often it is then difficult to pinpoint the cause of the problem:
either in the application which has requested/transmitted the data
or the underlying layer which manages the IO.
The new love virus has nothing to do with this.
> [...]
> > I agree with you. The manufacturer has this task.
> > I doubt if this is also the policy of Microsoft.
>
> You do? What do you think service packs are? Office Service releases?
> Hotfixes? The Technet Knowledgebase?
I agree with you that Microsoft takes actions to correct errors.
I checked the url as part of your signature for Windows 98.
> > The main responsibility lies with the (OS) software manufacturer.
> > Of course if the manufacturer does not do anything
> > then it becomes the task of the user to do something.
>
> ... But I think the amount of viruses that rely on errors in the host
> environment is so small as to be a statistical blip.
I agree with you.
Most viruses operate based on "lenient" specifications.
<snip>
> > First the manufacturer.
> > (Question do you or someone else know if Microsoft is going to do
> > something tangible ?)
>
> Anyone who does know of Microsoft's future plans for their products, whether
> within or (like me) without the company would not be able to comment one way
> or another on those plans.
I expect you have to make them public for other companies
to write new applications or modify existing ones.
I can give you more comments
but then I have to change the subject of this posting.
> I will say I have no plans to stop using Microsoft products
> where I deem them suitable for as far as I can see into the future.
For me the same.
> > IMO what Microsoft has done is to provide an easy
> > to use system.
> > My request for Microsoft would be:
> > Please make it less easy to use
> > i.e. tighten its security slightly.
> > (see my suggestions in previous postings)
>
> Agreed, at least provide this as an option, and make it the default option
> too... But if we are talking security why not run one of their more secure
> products? At least meet them halfway, if you want to talk about security,
> and use one of the products that's actually meant to be secure.
What products do you have in mind for the home user ?
What specifically did Microsoft do to make it more secure ?
(Compared to Windows 98)
Will it give warnings if an application program wants
to modify anything in for example the root directory ?
> > > the operator must choose to use these features,
> > > not circumnavigate them.
> >
> > What particular features do you have in mind ?
> > I hope it does not include AV software.
>
> I don't know that antivirus software will be disappearing any time soon, but
> it's not on my list of things for the future. As for problems with scripts,
> whether in Office or WScript or whatever, I've said time and time again in
> this newsgroup and others that a rethink of the security model of these
> products is in order.
I agree with you partly.
The problem can be both with the programming language (VB script)
or with the underlying OS.
IMO the main reason is with the OS.
> Microsoft is far from the only guilty party in this regard.
IMO the main reason for viruses is in the OS.
What Microsoft has done is to supply the application builder
with an excellent platform to build programs.
However it is (slightly) too open related to file access.
> Products should
> be designed from day one with security as an integral part of the product,
> again as I've said before, defence in depth.
You should add to this sentence the words: the same.
Now the sentence becomes:
" Products should be designed .. with the same security
as an integral part of the product .. "
Now my comments are:
a. What type of security do you have in mind.
b. how do I know that product xyz has implemented
this security (Quality label) ?
c. Why not implement that security in the OS ?
> However, you may also want to
> read the comments from David Chess on this subject.
Where can I find that ?
> Robert Moir, Microsoft BackOffice MVP
> Search the MS Knowledgebase using the link below
> http://support.microsoft.com/support/search/c.asp?PSL=1
> **Please post ALL replies to the newsgroup**
> ** I will NOT answer emailed queries **