
Virus and Microsoft


David Mohring

May 13, 2000, 3:00:00 AM
Any constructive comments are welcome.

Version 2.2 "To Err is Human"

This continued virus threat is not ONLY an email or Outlook problem;
it extends to all Microsoft Office products, Microsoft's Internet
Explorer as well as a lot of third party software for the Microsoft
OS platforms.

Microsoft Applications Security And The Internet
================================================
IMHO (In My Humble Opinion) Microsoft Office applications are not secure
enough to use in any environment where email and documents are shared over
the internet.

Unrestricted Scripting
======================
Microsoft continues to distribute applications that will execute embedded
destructive scripts, macros and therefore trojans. Microsoft applications
and operating systems do not even provide a restrictive environment in which
a user can open, view and run untrusted documents. Any operating system can
run executables, shell commands and other scripts but why is it that Windows
9X, 2000 and NT applications run scripts and executables embedded in email
and Office documents at the click of a user assent?

To make matters even worse, Microsoft have made Visual Basic (VBS) the
default embedded scripting language within all its Office 2000 documents
and templates. Microsoft have sold large organizations on the use of Visual
Basic scripting and Active-X within their templates, documents and
enterprise glue. Turning off Windows Scripting Host is not a viable option
for them.

The Threat
==========
Any teenager with half a brain can now grab a copy of a trojan love,
melissa or any number of new Visual Basic scripts. He can modify it by
trial and error until it passes the virus scanners. Then embed the trojan
in any type of Microsoft Office 2000 document. All he has to do to ensure
the spread of the worm is email them to known Microsoft Outlook email
users.

Once the virus is executed it has unrestricted access to all files that the
user has access to and all interfaces that Microsoft allows Visual
Basic access to.

To infect other computers the loveletter type script requires the Microsoft
MAPI mail interface. This is installed with Office Outlook and Outlook
Express. We must blame Microsoft for allowing Visual Basic scripts access
to this interface to send email without requiring a dialog/confirm from the
user. This is how the "worm" spread so fast.

This love letter virus demonstrates how such security holes can become the
biggest Denial of Service Attack threat to the whole internet.

The Failed Defence Strategies
=============================
Microsoft's attempts to keep its applications' vulnerabilities hidden behind
a proprietary veil of secrecy have failed.

Human nature being as it is, relying on users to follow a strict protocol
when dealing with incoming email or other Office documents via the internet
is doomed to failure. Love letter from whom? The temptation to open the
attachments is too great even for the most security conscious person.
To quote Mark Twain "You can fool some of the people all of the time,
and all of the people some of the time ...". When presented with a dialog
window with Yes/No buttons, a LOT of users click yes without even reading
the dialog.

All attempts at providing retroactive firewall and Anti-virus defences
against viruses, trojans and other backdoors have failed and IMHO will
always be vulnerable to new and modified forms of attack. There is always
a delay between the release of a new virus or trojan and the detection
and clean up solution packaged and distributed by the Anti-Virus companies.

Just changing the client or server operating system to NT, win2000, MacOS,
or even a Unix based OS will not overcome the lack of security in the
client Microsoft Office suites. Any file that the user running the
script or executable has write access to is at risk.

Relying on data backup to protect your documents is currently the best form
of defence. However if a stealthy virus or trojan is not detected or does
not "announce" its presence to the users and system administrators, then
how do you know how many days/weeks of backup are required?
What date do you restore from to get clean versions of the infected
and damaged files? How much information and work has been lost when
users change the documents in between backup and restore dates?

What Is The Only Solution
=========================
Where distributed agents or embedded scripting is desired then a suitable
restricted mode must be provided that limits what destructive actions
the execution of the embedded script/executable can perform in its
environment.

What Should We Do In The Long Term
==================================
If you are worried about security of your files and information stored on
your computers, then IMHO you should look to different applications and
systems than those currently provided by Microsoft. You should look to
companies and solutions that provide a proactive approach to security,
instead of just relying on a third party retroactive antivirus defence.

Look To The Open Source Model
=============================
The open source unix model may not be immune to attacks from determined
crackers and vandals, but at least making the source code available forces
programmers and other solution providers to take a proactive approach to
system security. Putting the source code under peer review and fixing
the security holes in the design of the application and its source code.

What Should Be The Goal
=======================
Modifying Asimov's first law of robotics
"Computer software should never cause the user to lose any of their
documents or through inaction cause the loss of their documents"

Pete M

May 14, 2000, 3:00:00 AM

"David Mohring" <her...@heretic.ihug.co.nz> wrote in message
news:slrn8hqtbj....@localhost.localdomain...

> Any constructive comments are welcome.
>
> Look To The Open Source Model
> =============================
> The open source unix model may not be immune to attacks from determined
> crackers and vandals, but at least making the source code available forces
> programmers and other solution providers to take a proactive approach to
> system security. Putting the source code under peer review and fixing
> the security holes in the design of the application and its source code.
>
> What Should Be The Goal
> =======================
> Modifying Asimov's first law of robotics
> "Computer software should never cause the user to lose any of their
> documents or through inaction cause the loss of their documents"

Open cross platform interchange standards like XML and JAVA will help.
When the browser on my Linux partition works better than IE5 on 98
(Navigator 6?), and the DVD works on open source software (LiViD?), I'll be
ready to delete Windows.
MS preferential access to undocumented features in their binary code is one
monopolistic practise that is ultimately detrimental to users. The
promulgation of office formats full of macros, of DHTML, ASF, Frontpage
extensions, SMB networking, the knot of obstacles is endless.
I am so grateful for the Open Source boffins who have recognised the dangers
inherent in this hitherto unchallenged and unproven evolutionary path. Their
day is coming.
Nominations now open for "First Up Against The Wall When The Revolution
Comes"

Steve Sinclair

May 14, 2000, 3:00:00 AM
On 13 May 2000 15:22:25 GMT, her...@heretic.ihug.co.nz (David
Mohring) wrote:

>Any constructive comments are welcome.

OK. I'll try to keep this constructive.

>
>Version 2.2 "To Err is Human"
>
>This continued virus threat is not ONLY an email or Outlook problem
>it extends to all Microsoft Office products, Microsofts internet
>explorer as well as a lot of third party software for the Microsoft
>OS platforms.

Ultimately it extends to all software. A few years ago I wrote a worm
that searched a cluster of MVS mainframes. The programming language
was Easytrieve Plus (which is normally considered a report generator).


>
>Microsoft Applications Security And The Internet
>================================================
>IMHO(In My Humble Opinion) Microsoft Office applications are not secure
>enough to use in any environment where email and documents are shared over
>the internet.

Probably true. In a lot of ways it is that they have been developed so
quickly with a certain naivety of human nature. MS have developed
products that, when used as intended, can be very powerful but that
power can be used against the users as well as to their benefit.

>
>Unrestricted Scripting
>======================
>Microsoft continues to distribute applications that will execute embedded
>destructive scripts, macros and therefore trojans. Microsoft applications
>and operating systems do not even provide a restrictive environment in which
>a user can open,view and run untrusted documents. Any operating system can
>run executables,shell commands and other scripts but why is it that Windows
>9X, 2000 and NT applications run scripts and executables embedded in email
>and Office documents at the click of a user assent.
>
>To make matters even worse Microsoft have made Visual basic (VBS) the
>default embedded scripting language within all its Office 2000 documents
>and templates. Microsoft have sold large organizations on the use of visual
>basic scripting and Active-X within their templates,documents and
>enterprise glue. Turning off Windows Scripting Host is not a viable option
>for them.

To clarify something. VBA is the VB variant used with Office
applications. VBS is another variant used by IE and WSH. I still
haven't worked out why WSH was distributed with IE5 as it really has
no connection. It is potentially very useful for system admins but not
much use to Joe User.

>
>The Threat
>==========
>Any teenager with half a brain can now grab a copy of a trojan love,
>melissa or any number of new visual basic scripts. He can modify it by
>trial and error until it passes the virus scanners. Then embed the trojan
>in any type of Microsoft Office 2000 document. All he has to do to ensure
>the spread of the worm is email them to known Microsoft Outlook email
>users.

While Outlook made the spread of the LoveBug a lot worse, any computer
with WSH on it was vulnerable to the payload.

>
>Once the virus is executed it has unrestricted access to all files that the
>user has access to and all interfaces that the Microsoft allows Visual
>Basic access to.
>
>To infect other computers the loveletter type script requires the Microsoft
>MAPI mail interface. This is installed with Office Outlook and Outlook
>express. We must blame Microsoft for allowing Visual basic scripts access
>to this interface to send email without requiring a dialog/confirm from the
>user. This is how the "worm" spread so fast.

True, but if for example Agent was the world's leading e-mail software
then it would be possible to do the same thing with that. I have seen
code showing how to do it with Netscape as well. Admittedly it is
harder to do - but still possible.

>
>This love letter virus demonstrates how such security holes can become the
>biggest Denial of Service Attack threat to the whole internet.
>

<Snip>


>
>What Is The Only Solution
>=========================
>Where distributed agents or embedded scripting is desired then a suitable
>restricted mode must be provided that limits what destructive actions
>the execution of the embedded script/executable can perform in its
>environment.

The restrictions required often limit the usefulness of such
environments but I agree that MS have opened their apps far too much.

>
>What Should We Do In The Long Term
>==================================
>If you are worried about security of your files and information stored on
>your computers, then IMHO you should look to different applications and
>systems than those currently provided by Microsoft. You should look to
>companies and solutions that provide a proactive approach to security,
>instead of just relying on a third party retroactive antivirus defence.

Variety is probably the way to go, but large organisations need a
certain level of conformity to keep costs down.

>
>Look To The Open Source Model
>=============================
>The open source unix model may not be immune to attacks from determined
>crackers and vandals, but at least making the source code available forces
>programmers and other solution providers to take a proactive approach to
>system security. Putting the source code under peer review and fixing
>the security holes in the design of the application and its source code.

With computers becoming ubiquitous this is a problem. Many small
businesses simply can't afford to keep a programmer around to be
proactive in fixing bugs.

>
>What Should Be The Goal
>=======================
>Modifying Asimov's first law of robotics
>"Computer software should never cause the user to lose any of their
> documents or through inaction cause the loss of their documents"

So I can't delete files anymore ? An active "Recycle Bin" that
automatically restores files I delete - neat.

But seriously - an OS that puts ALL overwritten/deleted files through
some sort of Recycle Bin would be a good idea. Not just the files
deleted via the user interface.

David Mohring

May 14, 2000, 3:00:00 AM
On Sun, 14 May 2000 09:41:26 +1200, Pete M <n...@home.here> wrote:
>Open cross platform interchange standards like XML and JAVA will help.

Unless Microsoft AGAIN "embraces" "extends" and "restricts"
XML http://www.biztalk.org/, Microsoft's version of Java,
and now Microsoft's assimilation of the Kerberos protocols.

David Mohring - Remember when all we had to worry about was Dr Who's Daleks
who could be defeated just by putting stairs everywhere.

David Mohring

May 14, 2000, 3:00:00 AM
On Sun, 14 May 2000 12:02:12 +1200, Steve Sinclair
<ste...@actrix.gen.nz> wrote:
>On 13 May 2000 15:22:25 GMT, her...@heretic.ihug.co.nz (David
>Mohring) wrote:
>
>>Any constructive comments are welcome.
>
>OK. I'll try to keep this constructive.
>
Thanks, your comments are very useful.

>>
>>Version 2.2 "To Err is Human"
>>
>>This continued virus threat is not ONLY an email or Outlook problem
>>it extends to all Microsoft Office products, Microsofts internet
>>explorer as well as a lot of third party software for the Microsoft
>>OS platforms.
>
>Ultimately it extends to all software. A few years ago I wrote a worm
>that searched a cluster of MVS mainframes. The programming language
>was Easytrieve Plus (which is normally considered a report generator).
>

The same thing happened with ghostscript (an open source postscript
to printer rendering program): a restricted mode/option was added
and most distributions compile it in restricted mode by default.
Even with the best programmers, peer review is needed.

>
>>
>>Microsoft Applications Security And The Internet
>>================================================
>>IMHO(In My Humble Opinion) Microsoft Office applications are not secure
>>enough to use in any environment where email and documents are shared over
>>the internet.
>
>Probably true. In a lot of ways it is that they have been developed so
>quickly with a certain naivety of human nature. MS have developed
>products that, when used as intended, can be very powerful but that
>power can be used against the users as well as to their benefit.
>

But it is not like Microsoft has not had enough warnings about its
total lack of security in its products. This is not a new problem.

>>
>>Unrestricted Scripting
>>======================
>>Microsoft continues to distribute applications that will execute embedded
>>destructive scripts, macros and therefore trojans. Microsoft applications
>>and operating systems do not even provide a restrictive environment in which
>>a user can open,view and run untrusted documents. Any operating system can
>>run executables,shell commands and other scripts but why is it that Windows
>>9X, 2000 and NT applications run scripts and executables embedded in email
>>and Office documents at the click of a user assent.
>>
>>To make matters even worse Microsoft have made Visual basic (VBS) the
>>default embedded scripting language within all its Office 2000 documents
>>and templates. Microsoft have sold large organizations on the use of visual
>>basic scripting and Active-X within their templates,documents and
>>enterprise glue. Turning off Windows Scripting Host is not a viable option
>>for them.
>
>To clarify something. VBA is the VB variant used with Office
>applications. VBS is another variant used by IE and WSH. I still
>haven't worked out why WSH was distributed with IE5 as it really has
>no connection. It is potentially very useful for system admins but not
>much use to Joe User.
>

Doesn't Office 2000 use a lot of WSH for its scripting ?

>>
>>The Threat
>>==========
>>Any teenager with half a brain can now grab a copy of a trojan love,
>>melissa or any number of new visual basic scripts. He can modify it by
>>trial and error until it passes the virus scanners. Then embed the trojan
>>in any type of Microsoft Office 2000 document. All he has to do to ensure
>>the spread of the worm is email them to known Microsoft Outlook email
>>users.
>
>While Outlook made the spread of the LoveBug a lot worse, any computer
>with WSH on it was vulnerable to the payload.
>

True, and any email program can carry an attached Office document.

>>
>>Once the virus is executed it has unrestricted access to all files that the
>>user has access to and all interfaces that the Microsoft allows Visual
>>Basic access to.
>>
>>To infect other computers the loveletter type script requires the Microsoft
>>MAPI mail interface. This is installed with Office Outlook and Outlook
>>express. We must blame Microsoft for allowing Visual basic scripts access
>>to this interface to send email without requiring a dialog/confirm from the
>>user. This is how the "worm" spread so fast.
>
>True, but if for example Agent was the world's leading e-mail software
>then it would be possible to do the same thing with that. I have seen
>code showing how to do it with Netscape as well. Admittedly it is
>harder to do - but still possible.
>

It's a lot harder to do than modifying a Visual Basic script.

>>
>>This love letter virus demonstrates how such security holes can become the
>>biggest Denial of Service Attack threat to the whole internet.
>>
><Snip>
>>
>>What Is The Only Solution
>>=========================
>>Where distributed agents or embedded scripting is desired then a suitable
>>restricted mode must be provided that limits what destructive actions
>>the execution of the embedded script/executable can perform in its
>>environment.
>
>The restrictions required often limit the usefulness of such
>environments but I agree that MS have opened their apps far too much.
>
>>
>>What Should We Do In The Long Term
>>==================================
>>If you are worried about security of your files and information stored on
>>your computers, then IMHO you should look to different applications and
>>systems than those currently provided by Microsoft. You should look to
>>companies and solutions that provide a proactive approach to security,
>>instead of just relying on a third party retroactive antivirus defence.
>
>Variety is probably the way to go, but large organisations need a
>certain level of conformity to keep costs down.
>

The problem is Microsoft will not allow any OPEN STANDARD API to be
used on its platform if it is in any way a threat to its market share.
Look at what has happened with Microsoft's assimilation of the Open Kerberos
standard. Microsoft enforces its monopoly so that if you use Microsoft
products then the ONLY interoperable standard is Microsoft's own.

>>
>>Look To The Open Source Model
>>=============================
>>The open source unix model may not be immune to attacks from determined
>>crackers and vandals, but at least making the source code available forces
>>programmers and other solution providers to take a proactive approach to
>>system security. Putting the source code under peer review and fixing
>>the security holes in the design of the application and its source code.
>
>With computers becoming ubiquitous this is a problem. Many small
>businesses simply can't afford to keep a programmer around to be
>proactive in fixing bugs.
>

Microsoft could never be called a small company :)

>>
>>What Should Be The Goal
>>=======================
>>Modifying Asimov's first law of robotics
>>"Computer software should never cause the user to lose any of their
>> documents or through inaction cause the loss of their documents"
>
>So I can't delete files anymore ? An active "Recycle Bin" that
>automatically restores files I delete - neat.
>
>But seriously - an OS that puts ALL overwritten/deleted files through
>some sort of Recycle Bin would be a good idea. Not just the files
>deleted via the user interface.
>

Or better yet, a version-based directory/file service.

David Mohring - Thanks again - spread the word
