Security News > 2000 > May > Love Bug Prompts Security Experts To Poke at Microsoft's Weak Points

Forwarded by: Marjorie Simmons http://interactive.wsj.com/dailyedition/ Love Bug Prompts Security Experts To Poke at Microsoft's Weak Points Lee Gomes, Staff Reporter of THE WALL STREET JOURNAL Wed, May 24, 2000 Want the whole world to know the "secret" name you gave your Windows personal computer when you installed software for high-speed Internet access? It's easy: Just hook it up to your digital subscriber line or cable modem. Whether you realize it or not, you'll instantly be making the information available everywhere on the Net -- and giving the world an unwelcome peek inside your machine. That's just one of the security weaknesses that exist in Microsoft Corp.'s software products -- and one of the reasons that security experts say the world's leading software company still has a way to go in making its products less vulnerable to hackers and other malefactors. The world-wide attack of the "love bug" computer virus on May 4, and last week's less widespread replay, called attention to security problems in Outlook, Microsoft's e-mail program. The outbreaks highlighted the way Outlook can launch potentially dangerous software programs and spread them to the hundreds or thousands of other e-mail addresses in a computer's electronic address book -- with just a single click of a mouse. In the case of the love bug, all it took was the simple act of opening an e-mail attachment. Microsoft has taken steps to make Outlook more secure, but many security experts say the fact that the ubiquitous e-mail system was so vulnerable is evidence of fundamental flaws in many Microsoft products. For example, the powerful programming languages Microsoft includes with its Windows products lack "fences" that keep out destructive pieces of computer code and prevent them from hurting a machine. Such fences are a standard feature in other computer languages intended to be passed around on the Internet. Microsoft's consumer-oriented operating systems, such as Windows 98, also lack security provisions that experts say ought to be routine in a major piece of software. None of these shortcomings alone are showstopper "bugs" that could instantly bring down a computer. Instead, they are what experts describe as flawed approaches to software design that can lead to big problems down the road -- the way the flawed design of Outlook led to the global love-bug emergency. But the flaws are there to see for anyone looking for them. And with Microsoft software in such wide use, the stakes are high indeed: A single security flaw in a Microsoft program has the potential to bring organizations all around the world to their knees. Microsoft is well aware of the problems. The recent love-bug attack marked "a watershed" for the company, says Steve Lipner, manager of Microsoft's security response center, who helps plan the company's security policies. He says Microsoft has worked hard to keep up with users' evolving security needs. "We are constantly looking at what we can do, and what the threats are. It's not a static environment," Mr. Lipner says. A few years back, for example, following reports of destructive "macro" programs hidden inside Microsoft Word documents, the company introduced security features that made Word more selective about which programs it would run. What's more, Microsoft is now changing its basic software-design philosophy to emphasize security, whereas in the past it had emphasized having its products work together easily. For example, when questions were first raised about Outlook following the love bug, Microsoft executives strongly defended the program's ability to allow e-mail files to launch programs. Lately, however, the company says it is toying with removing the ability altogether. Of course, no software has a monopoly on security problems, and Microsoft's sheer size makes it a magnet for criticism. But experts say Microsoft hasn't moved fast enough to adapt to security threats in the Internet age. Too many Microsoft products were designed for the long-gone world of the stand-alone PC, where very little can go wrong, critics say. "Microsoft often takes shortcuts in security in the name of coming out with a product," said Gene Schultz, who teaches computer science at Purdue University and who has written books on Microsoft security questions. "I don't like to simply bash Microsoft, but the fact is, they are a desktop software company, and they don't have the years of experience needed to develop a product high in security." Another complaint: The company often ships its products with settings at their least secure positions. While it's possible to tighten those settings, doing so often requires knowledge that novice users don't have. For example, before Windows users can sign up for high-speed Internet connections, such as DSL or cable modems, they must name their computer and the "work group" it belongs to. The information isn't meant to be public, but Windows will, without telling users, make the names available to all comers over the Internet. Steve Gibson, an Irvine, Calif., security consultant, says that while the data alone wouldn't give someone direct access to files, it might give a hacker valuable clues to breaching the security of a machine or a network. What's more, many versions of Windows will keep certain internal access points on a computer, called "ports," open over the Internet -- another way potentially dangerous information could be revealed. It's possible to change all those settings to make everything secure, Mr. Gibson says, but it can be a complicated process. His Web site, http://www.grc.com, tells people how. Microsoft's Mr. Lipner said security concerns related to high-speed Internet access are "under review." He said the company plans to unveil its own Web site to tell people about changing the settings. Among the other concerns: Languages: Microsoft makes several powerful computer programming languages available with its products, including Visual Basic and Active X components. Most of them can be easily passed over the Internet. The problem, experts say, is that these languages don't let users change security levels. That means that once a program is inside a computer, it has full power to do anything it wants, even deleting all the files on the hard drive. Microsoft does provide the means to identify the author of a program and to guarantee that a program hasn't been tampered with as it made its way to a user's PC. But critics say the measures aren't enough. Mr. Lipner said Microsoft is examining the issue. Operating systems: Microsoft's high-end business applications Windows NT and 2000 allow users to change security settings when they sign on to determine how much control they will have during a session at the machine. Sophisticated users spend most of their time signed on at the most restrictive level: That way, should they happen to download a virus, it couldn't, for example, delete crucial system files even if it tried. But there is no such feature in the consumer products Windows 95 or Windows 98, and there won't be in the next version, either. Mr. Lipner said that Microsoft plans to bring the higher security level to consumer products two releases down the road, though the date for that version hasn't been set. Write to Lee Gomes at lee.gomes () wsj com ISN is sponsored by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".

News URL

http://interactive.wsj.com/dailyedition/