IP: USATODAY.com: Windows too open to viruses, experts say

[Dave Farber <farber () cis upenn edu>]

> http://www.usatoday.com/life/cyber/tech/cth950.htm
>
> 05/23/00- Updated 03:51 PM ET
>
> Microsoft programs vulnerable to viruses
>
> By Will Rodger, USATODAY.com
>
> More than 45,000 viruses infect PCs running the Windows operating system
> worldwide. Several have caused billions of dollars in damage in the past 12
> months. Hundreds more viruses appear each year, requiring armies of
> anti-virus programmers to isolate and kill the offending bugs.
>
> By contrast, perhaps 35 viruses have been written for the Macintosh and four
> or five for the Unix-based computers that run most Web sites, says Eugene
> Spafford, director of the Center for Education and Research in Information
> Assurance and Security lab at Purdue University.
>
> This, a growing chorus of security experts say, is not happenstance.
>
> "PC operating systems have inadequate security," says Peter Neumann,
> principal scientist at SRI International in Menlo Park, Calif. "Attachments
> and executable content are features that should not exist if you are worried
> about security. Period."
>
> For even though Microsoft has produced the world's most popular operating
> system, its ease of use and the staggering number of features integrated
> into Windows and the Office applications has left the world's dominant
> computing platform uniquely vulnerable to a plague of troubles.
>
> Not Net viruses; Microsoft viruses
>
> Put simply, the last two big viruses were not Internet viruses. They, like
> virtually every virus that has made headlines in the last 10 years, were
> Windows viruses.
>
> Steve Lipner, manager of Microsoft's security response center, says the
> criticism is unfair:
>
> "That goes to what Willie Sutton said: The answer is, that's where the money
> is. The reason people write viruses for Microsoft Windows is there are lots
> of Microsoft machines out there, and that improves the chances for
> propagation."
>
> But that's precisely the point, critics say. Security specialists, drawing
> ever more on the language of epidemiology, have long warned that as networks
> expand and become more vital to everyday life, they become ever more
> vulnerable. Now, viruses face not just high-density populations but would-be
> victims that share the same weaknesses.
>
> Like the flu and the smallpox that killed 90% of the Aztecs or the blight
> that brought on the Irish potato famine, a single malady can ravage almost
> everyone's PC because they all have the same genetic makeup: Windows.
>
> As Windows grows in size - a typical Windows 98 installation can run
> anywhere from 120 MB to 295 MB vs. just 40 MB five years ago - the burden of
> checking code for errors grows even faster, Spafford says.
>
> But beyond that, he says, is another, more difficult truth: Windows and
> Microsoft's equally dominant Office Suite were designed neither for the
> Internet nor secure operation generally.
>
> Instead of forcing the operator to stop and check every new program that
> hits his hard drive, Windows offers the ability to automatically run any
> "script" or Internet-borne program without user intervention.
>
> And viruses are programs, after all.
>
> Windows usually hides telltale ".vbs" tag
>
> Security consultant Rick Forno (www.infowarrior.org) says Microsoft's
> now-infamous "visual basic scripting" is emblematic of the problem. VBS, in
> fact, can launch hidden programs without so much as notifying users they are
> there.
>
> The "love bug" virus that hit May 4 was such a program. Because Windows
> usually hides the final ".vbs" tag attached to the end of visual basic
> programs, most victims thought what they got was a simple text attachment -
> a love letter, in fact.
>
> As it turned out, the virus erased millions of graphics and sound files
> worldwide and stole an untold number of passwords from Filipino Internet
> accounts before authorities shut down the Web site to which the passwords
> were being e-mailed. The virus spread at record rates, thanks to the bug's
> tactic of sending copies of itself to every address in every copy of
> Microsoft's Outlook e-mail program - again made possible by VBS technology.
>
> That same mechanism showed up again Friday as the "new love" virus struck in
> much the same fashion. This time, though, the virus destroyed virtually
> every file on infected computers.
>
> A bug in the program, ironically, stopped the virus from spreading very far.
>
> Microsoft has promised a patch to "turn off" the VBS problem in Outlook
> sometime this week.Yet at least a half-dozen major viruses have duplicated
> themselves through Microsoft's Outlook over the past 18 months, Forno says.
> The infamous Melissa virus, Explore.zip, VBS/Bubbleboy and X97M/Papa viruses
> all used the Outlook address book to spread themselves.
>
> Other operating systems don't work this way
>
> Other programs on other operating systems could not behave this way, Forno
> says, because applications written for other operating systems - e-mail
> programs, word processors and the like - do not reach down into the deepest
> levels of the operating system to function.
>
> And true, Forno says, programs like Outlook and Microsoft Word work smoothly
> together in part because they share files that are also part of Windows. But
> that close connection to the operating system also let "new love" destroy
> those same system files, in effect destroying every file on the targeted
> computer's hard dive.
>
> The "love bug" and its progeny couldn't procreate so quickly on a Unix
> system, Purdue's Spafford says.
>
> For even though security specialists and computer vandals regularly find
> holes in Unix operating systems, they have one real strength that keeps them
> essentially virus-free: programs don't simply run of their own accord.
> Rather than clicking on an icon and waiting for a new program to set itself
> up, Unix users must go through a deliberate, sometimes tricky task of
> tweaking a software package so that a computer can actually run it.
>
> Is it as easy as Windows? No way, Spafford says. But that's a small price to
> pay, he says, when millions are clicking on files they should know better
> than to click on.
>
> Eventually, he says, all users will come to realize that ease of use and
> total security are at polar extremes of the same continuum. What you gain in
> one you usually will lose in the other.
>
> Fred Cohen, a security specialist who performed the first research on
> computer viruses, says Microsoft may be only the largest of a group of
> offenders.
>
> After all, he says, one could write a version of Microsoft's Office for Unix
> that would cause much the same sort of trouble. And Netscape's Internet
> browser and mail program is not only highly popular among Unix users but
> also quite insecure from a security specialist's point of view.
>
> "Go ahead and take a swipe at Microsoft," Cohen says. "They deserve it. But
> if 90% of the world was running Unix and everybody was running Netscape on
> it, we would have the same kinds of problems on Unix."
>
> Specialists say the lure of the quick and easy remains powerful.
>
> "There are a lot of businesses that really like that close integration,"
> says Pete Hammes, director of engineering at Para-Protect Services in
> Alexandria, Va. "It makes it a lot easier for users that don't have a lot of
> technical sophistication."
>
> German government considers dropping Outlook
>
> It is anyone's guess how long the love affair with simplicity will last. The
> German government said Friday that it was considering dumping Outlook
> altogether in the wake of the latest virus outbreak.
>
> "I think a really big issue is just design and quality," Spafford says.
> "Other operating systems have been designed with security at the forefront."
>
> As dim a view as he takes of Microsoft's work, Spafford concedes there is at
> least one factor over which Microsoft has no control: time.
>
> "Windows is relatively a much newer operating system than is the Macintosh
> or Unix, which don't have these sorts of problems," he says. "Part of it may
> be just maturity."
>
> For now, Lipner says, the company is working to improve its security
> practices while giving customers what they want. With its promised "patch"
> for its Outlook program in place, Lipner says, users will have to take extra
> steps to send or receive attachments that work. Those extra steps, he says,
> should give users fair warning before they blindly click on attachments.
>
> "It's not going to be the casual thing it is now," he says.
>
> Regardless of what it does in the future, Microsoft can be thankful that
> damage from the viruses hasn't been more widespread.
>
> At a gathering at the Economic Strategy Institute in Washington, D.C., last
> week, former CIA director R. James Woolsey said that he expected terrorist
> and spies would soon use password-sniffing techniques similar to those
> deployed by the "love bug." This time, though, the rogue programs would be
> aimed at specific computers, he said. And they would not announce themselves
> the way the latest ones did.
>
> "If you've had your computer or network hacked into or somebody's put a
> (virus) on your system and is reading out your files before the data is
> encrypted, you've got a serious problem," he said.
>
> --------------------------
>
>
>
> 05/22/00- Updated 03:30 PM ET
>
>
> http://www.usatoday.com/life/cyber/tech/cth951.htm
>
>
> Net has made virus writing easier
>
> By Will Rodger, USATODAY.com
>
> Virus writing, which has never been hard, is getting easier all the time.
> Want evidence? Look at the Internet itself.
>
> It wasn't long ago that virus writers gathered in small electronic
> communities that amounted to nothing more than individual computers
> connected to the outside world by a few phone lines.
>
> Communications about their illegal activity had to be confidential, so
> expertise spread slowly.
>
> But now anyone can post anything to the Internet. Add a few search engines
> to the mix, and there you have it.
>
> "Viruses have gotten easier to write because there are more examples to use
> and there's more literature about how to write them," says Dave Farber,
> professor of computer science at the University of Pennsylvania and
> Chief Technologist at the Federal Communications Commission.
>
> Statistics from the government-funded computer emergency Response Team at
> Carnegie Mellon University tell the tale. Reported incidents of computer
> vandalism have grown dramatically from 1990, when there were only 252, to
> 9,859 incidents in 1999. The first quarter of this year alone saw 4,266
> incidents.
>
> Automated hacking tools that require essentially no programming skills have
> accounted for much of the growth.
>
> Indeed, the Internet has become in some ways its worst enemy by offering a
> wide variety of tips on system cracking. At the same time, teaching computer
> security techniques means explaining how the attacks are done in the first
> place. So even if someone tried to censor information about virus writing,
> the effort would be pointless, experts say.