Personal tools
You are here: Home Security Melissa, I Love You -- NOT!
Document Actions

Melissa, I Love You -- NOT!

Commentary on the Melissa and I Love your worms that attacked the Microsoft virus, Windows in 2000. This article was originally published in 2000 as http://www.celestial.com/iloveyou. Several of the URLs (links) are broken as the sites have been reorganized or disappeared. The link to the Microsoft support page on how they create virus free disks now goes to the ``way back machine'' as Microsoft removed it from their site.

Melissa, I Love You -- NOT!

Melissa, I Love You -- NOT

How many incidents like the recent I Love You virus have to occur before people learn that Microsoft Windows and the Microsoft applications are the real diseases? Windows is an open Window into the corporate network through which anyone can enter and take anything on the systems they want.

Why isn't corporate management held liable when they allow corporate assets to be destroyed either through direct data loss to viruses, or the employee's lost time waiting for their Windows machines to reboot after crashes, and recovering lost data when Windows applications suddenly ``freeze up''?

Microsoft isn't reckless enough to use Windows for their critical systems, so why is corporate America? As a case in point: ``How Microsoft Ensures Virus-Free Software''

``Disks are duplicated on a variety of industrial strength, quality focused systems. Most of these systems are UNIX-based. The UNIX-based duplication systems used in manufacturing are impervious to MS-DOS-based, Windows- based, and Macintosh-based viruses.

The few MS-DOS-based and Windows-based standalone duplication systems do not allow MS-DOS-based operating systems to access the duplication system. Virus protection systems used by these MS-DOS-based and Windows-based duplication systems strictly govern the duplication process, even when they are not running.''

Unfortunately too many people writing about this problem, and even many of the so-called ``computer experts'', don't have any experience on anything but Windows, and tend to believe the ``spin'' that comes out of Microsoft's public relations office (Such as their outrageous attempts to exploit this recent scare as evidence of the need to retain an undivided Microsoft, despite the obvious fact that it was the monolithic and monopolistic Microsoft that created the very security flaws that allowed the incident to occur, while many operating systems with smaller market-shares are relatively free of them.)

Many computer professionals have a vested interest because their income comes from cleaning up after Windows. Companies such as Norton and McAfee exist only because of Windows shortcomings. Their products are only provide temporary fixes, directed to the latest loophole being exploited, and they can't fix the fundamental security flaws in Windows.

What is the cause of the problem?

  1. Applications that execute programs without adequate safety precautions

  2. No security in Microsoft Windows to prevent unauthorized changes to the system when executing the programs in item 1.

There are actually two parts of the most recent attack: the flood of e-mail sent out from Windows machines that received it, and the damage done to those machines when files were removed or changed. The first problem occurred because the foremost design consideration of most Microsoft applications is not security, but ease of use. Any operating system hosting such unsafe applications could have exhibited the same unfortunate effects (and in my opinion, any system administrator who allowed them is negligent). The real damage happened because the vast majority of Windows systems have no security to prevent unauthorized changes to the system.

Unsafe Applications and Unauthorized Use of Computers. The Microsoft Windows e-mail programs, and ActiveX capabilities in Internet Explorer allow any program to execute on the user's system giving full access to the machine, and to the network to which it's attached. This is done do make life easy for untrained, and naive computer users to use. However well intentioned this decision might be, it drastically undermines the security of the computer, and is akin to designing a gun without a safety, or a bank without locks on the doors. As my friend Evan Leibovich noted ``everybody's screaming about the burglar while nobody notices that 90% of their houses have no locks on the doors''.

To make matters worse, web sites routinely put VBS (Visual Basic) scripts on their web pages which automatically execute when viewing the page unless one has specifically disabled this ``feature'' in the browser (not the default setting). This means that a Windows user browsing the net may well be executing programs without knowing it.

Here are just a few recent examples of exploits of these Windows flaws:

The I Love You program wasn't very sophisticated, and didn't require a lot of expertise to write or inflict on the world. It was written in Visual BASIC (Beginner's All purpose Symbolic Instruction Code), and could be written by anyone with minimal knowledge of Windows. It took advantage of a Windows ``feature'' (actually a ``bug'') allowing anyone receiving mail to purposely, or more likely inadvertently, run any program attached to the e-mail just by double clicking on an icon. (Most people would probably expect such icon-clicking to produce a photograph, rather than unleash a malicious program.) Due to the proliferation of this virus through personal "address books", those who might have been skeptical of the "Declaration of Love" in the Subject field would have been lulled into a false sense of security upon seeing that the message came from a trusted e-mail correspondent. I was amused by a Member of Parliament when asked if his machine was hurt when it hit the House of Commons who said that he didn't open it because nobody loves an MP.

Even more insidious is that e-mail message itself can be in HTML (the language of the web and browsers), and could contain VBS script which will execute automatically just by opening the message to read without having to double-click on anything.

Covert use of Windows Machines:. What if the virus writer wanted to be sneaky and get documents from your system or send out e-mail so that it appeared that it came from you? The I Love You virus was highly visible, but the author could have made it virtually undetectable, and even more pernicious. It could easily have found all Microsoft Word and Excel files on the system, then sent these files via e-mail to any e-mail address on the planet, with the user being totally oblivious to this covert breach of security. Just think of sending that program to every computer in the White House! Subpoenas would be obsolete. What if the virus uploaded kiddy-porn to your machine, and sent it out as e-mail that appeared to come from you? What if it were addressed to Janet Reno? That might make your life unbearably interesting.

The ``Love Bug'' and similar viruses have been very visible, and have been written by amateurs who want to make a name for themselves. How many covert attacks have been mounted by professionals intent on getting private information? In one documented case, Web Surfers accessing a German site unknowingly executed a program that would use Quicken if present, to schedule a bank transfer from the user's account to their own.

This isn't necessarily unique to Windows, but it hasn't occurred in the Linux or UNIX® applications yet, largely because the people writing software for these systems have grown up in a networking environment where security and reliability have been major concerns for almost thirty years so they make it difficult for users to shoot themselves in the foot without first taking the gun out of the cabinet and removing the safety. Windows will happily run automatically reading, changing, or deleting any information on the system.

Destroying or Changing Data on Systems. The second part of the I Love You virus was that it changed things on the user's computer systems and networks. The program that ran when users double clicked on the e-mail attachment went through the entire system, changed various system parameters, and altered many image and sound files by making a copy of itself in place of the original file so that somebody double-clicking on the image or sound file would execute the virus again.

Any e-mail system or browser that allows users to easily execute scripts can be used to access and change files that belong to that user. The problem with Windows is that everything on the system belongs to that single, often naive, user including critical system files. This is a fundamental design flaw in Windows because it's based on a single-user hobbyist program loader, and was never intended to be used on networks.

There have been numerous reports of web sites being changed, credit card numbers and personal data extracted from e-commerce sites, and user's systems altered in other ways, all due to the lack in Windows of a security infrastructure appropriate for a networked world.

Windows NT and 2000 are potentially more secure than Windows 95 and 98, but they're shipped with most of their security disabled to make it easy for inexperienced people to install it (and probably to cut down on the number of customer service calls).

Microsoft's security expertise (or lack thereof) is well known in the industry. See ``Microsoft's PPTP Implementation'' for some examples of Microsoft's ``kindergarten cryptographer'' mistakes.

On the other hand, Linux and UNIX® were designed from the ground up for use where individual user's files have to be secure from other users, and the system's files only can be changed by the administrator. A lot of their development was done at Berkeley and other universities where mischievous students constantly probed system security, Modern UNIX® and Linux systems have been honed to a high degree of sophistication by these decades of ``trial by fire'' security testing, and they show it.

When Sun Microsystems developed the Java they built on over twenty years of experience on the Internet, and designed it with security in mind from the outset. Java will not allow programs to run on the user's system other than those necessary to handle forms and data in the browser.

The current distributions of Linux from Caldera, Corel, and Red Hat all offer very easy-to-use desktop environments, and a degree of security impossible on Windows based systems.

This article is available at our web site at the following URL:

http://www2.celestial.com/Security/iloveyou

© Copyright 2000 Bill Campbell

« May 2024 »
Su Mo Tu We Th Fr Sa
1234
567891011
12131415161718
19202122232425
262728293031
 

Powered by Plone CMS, the Open Source Content Management System

This site conforms to the following standards: