ILOVEYOU: rip out trouble-making functionality

Hats off to everybody who reads mail with an “ancient” mail reader like Pine, elm or even (shudder) the Unix “mail” command.

At least you didn’t help to propagate the silly ILOVEYOU worm-mail that cost a supposed US$10 billion in lost productivity around the world. As you probably know, the ILOVEYOU bug spreads when you open an attachment (e.g. LOVE-LETTER-FOR-YOU.TXT.vbs) that launches a Visual Basic Script on your computer. The worm then mails itself to others in your address book and overwrites certain multimedia files (jpg, mp3, etc.). What you may not have heard is that it also tries to find passwords on your computer and e-mail them to a central site. All in all, it’s a nasty, fast-spreading and ugly little piece of code.

The spread of this pernicious little Visual Basic Script demonstrates several important things:

– somebody has too much time on its hands (gender neutral, plus the person who did it is really subhuman);

– we don’t learn real well – this is almost a repeat of the “Melissa virus” that pestered us over a year ago;

– and most importantly, there are a lot of features in programs like Microsoft Outlook that we just don’t need or even want.

Scripts anyone?

Who really craves script-enabled Web pages? Maybe people who are so lonely that they send themselves animated greeting cards. And, of course, virus writers like scripts. But for the vast majority of business users, e-mail with embedded code is about as useful as banner ads – a bandwidth-eating annoyance.

I just checked my last 1,000 messages to make sure I don’t have the ILOVEYOU worm lurking around. And, surprise, although I have some attachments (spreadsheets, Word documents, etc.), I don’t see any Visual Basic Script (*.vbs) attachments. I get mail from hundreds of different people, so this tells me that the world isn’t exactly clamouring for this feature. In fact, in all the coverage I read on ILOVEYOU and VBS, the only halfway sensible justification for script-enabled e-mail I saw was to allow employees to download expense account forms and ship them back to the home office via e-mail. Since you can accomplish the same functionality with a simple spreadsheet sent as an attachment, this is scant justification for a feature that has brought many companies to their electronic knees.
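The mailbox check described above can be automated. The following is an added example, not part of the original column: it flags attachments whose final extension is a script type and notes when a harmless-looking extension sits in front of it, as in LOVE-LETTER-FOR-YOU.TXT.vbs. The extension lists beyond .vbs and the sample messages are assumptions constructed for illustration.

```python
from email.message import EmailMessage

# Assumption: extensions run by Windows Script Host; the column names only .vbs.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Assumption: extensions a reader is likely to treat as harmless documents.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".mp3", ".pdf", ".xls"}


def classify(filename):
    """Return the reasons an attachment name looks risky (empty list if none)."""
    # Windows ignores trailing dots and spaces; extensions are case-insensitive.
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    reasons = []
    if len(parts) >= 2 and "." + parts[-1] in SCRIPT_EXTS:
        reasons.append("script-extension")
        # A document-like extension before the real one hides the file type.
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
            reasons.append("double-extension")
    return reasons


def scan(messages):
    """Return (subject, filename, reasons) for every flagged attachment."""
    findings = []
    for msg in messages:
        for part in msg.iter_attachments():
            fname = part.get_filename() or ""
            reasons = classify(fname)
            if reasons:
                findings.append((str(msg["Subject"]), fname, reasons))
    return findings


def build(subject, filename, payload):
    """Build a constructed sample message carrying one attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


# Constructed sample mailbox (not real traffic); payloads are inert bytes.
SAMPLES = [
    build("Q2 budget", "budget.xls", b"\x00"),
    build("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs", b"' inert placeholder"),
    build("form", "expenses.VBS", b"' inert placeholder"),
]
```

To run it over a real mailbox, pass `scan` the messages parsed with the standard library's `email` package using `policy=email.policy.default`.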

I have no doubt that Microsoft meant well when it introduced the ability to put Visual Basic Scripting into a piece of e-mail. I can imagine the khaki-clad types in a conference room somewhere egging each other on to work in this wonderful new advance that will push forward the frontiers of e-business. But why weren’t they smart enough to see the dark side? Or were they?

Microsoft allows you to set your security level up high so that you get asked about opening attachments, but that can quickly become annoying. The key problem is in the level of trust given to VBS once you let it start running. A VB script that originates in a piece of e-mail has the same status and power as one that you lovingly wrote all by yourself and stored on your hard drive. That just doesn’t make sense.

It’s all vulnerable

It’s time to either rip out trouble-making functionality or protect it with mainframe- and Unix-style industrial strength security controls.

Which brings us to what Microsoft could have done and should now do about its gaping security holes. Java has tended to be a lot less prone to this type of problem; in fact, its chief architect, James Gosling, once told me it’s “virus proof.” Of course, he works for Sun so he would say that. Actually, there was a hole discovered (ironically in Microsoft’s Internet Explorer 5) that could allow a malicious user to read (though not write or modify) a file from a Java applet. Doing this required advance knowledge of the exact pathname of the file.

Some researchers at Princeton University have published a nice analysis that says “We examined the Java language and the Sun HotJava, Netscape Navigator, and Microsoft Internet Explorer browsers which support it, and found a significant number of flaws which compromise their security. These flaws arise for several reasons, including implementation errors, unintended interactions between browser features, differences between the Java language and byte code semantics, and weaknesses in the design of the language and the byte code format.”

They also scoff at the suggestion that Java is safe because hackers aren’t smart enough to exploit its weaknesses. “We’ve discovered several security problems,” they write, “and we’re pretty sure we’re not the smartest people in the world. If one group of hackers creates a Java-based attack and shares it with their friends, we’re all in trouble.”

Less is more

It comes down to that amazing observation that software, in the final analysis, is written by people, and people can mess up. Knowing this, all manufacturers (and Microsoft surely needs to take the lead) need to flip their switches on some of the advanced functionality. Sure, give us VB scripting in Windows XXX, but leave it turned off by default. Figure out a way to distinguish a program that I made myself from one that I’ve just been e-mailed by a stranger.

Then, if I want to enable a risky feature for a specific reason, make it easy to turn it on, temporarily or forever. Sure, that’s a pain, but as people who are still trying to pick up the pieces from the Love Bug will tell you, it’s definitely the lesser evil.

Dr. Keenan, ISP, is Dean of the Faculty of Continuing Education at the University of Calgary and teaches a course called Hot Issues in Computer Security.