Truth About Computer Security Hysteria
Microsoft paves way for 'email macro viruses'
Rob Rosenberger, Vmyths co-founder
Thursday, 7 May 1998
THINK OF A vigorously shaken soda can. Its volatile contents remain inert unless you open the attachment at the top, right? You could read the text printed on the can without getting sprayed in the face and, obviously, you can discard the soda without opening the attachment.
Numerous hoaxes say your computer can get a virus if you so much as read an email. In reality it works right now like a soda can: you must open an email attachment before it does anything. Nothing happens if you just read the email with your eyeballs.
Notice I said it works "right now" like a soda can. Windows 98 may combine with Outlook 98 to change the fundamental nature of email ... and I'll need to stop using my cute analogy.
The time has come for a serious discussion of what I'll call "email macro viruses."
First, let's face an important fact: email must evolve to meet the growing demands of Internet users. You know all those cool tricks you can do with a Word template file? Email software vendors know their customers want to do the same things in a message, and virus experts anticipate a day when you can infect computers with an email macro. To put it another way, soda will someday spray in your face if you read the text on the can.
It's no crime if Microsoft reaches this evolutionary stage for email. It's no crime if they reach this stage first. However, the folks in Redmond didn't put enough thought into the "concept" of email macro viruses as they moved along the evolutionary trail.
To its credit, Microsoft agreed to modify default security settings before Windows 98 ships. These last-minute changes will deter the spread of email macro viruses — yet we must ask why Microsoft suddenly revised its product security at the eleventh hour.
Gartner Group (a computer industry research firm) chided Microsoft in a July 1997 analysis for its overall neglect of security. "Its general demeanor toward [security and antivirus] developers is remarkable for its neutrality, not its support, in this critical area... Microsoft has chosen to release [important details] to only a select group of [developers] and has a history of stifling — not promoting — public debate regarding the security of Microsoft products."
Experts I spoke with believe Microsoft's security team tries hard but gets thwarted by autonomous programmers who ignore them without penalty. Indeed, Gartner Group dismissed the security team as "a public-relations effort." Editor Woody Leonhard said it best in a recent issue of his WOW newsletter: "the time has come for every design review group inside Microsoft to have a security analyst" assigned to it. Unfortunately, Gartner Group predicts the company won't achieve its stated security goals before the year 2000.
Microsoft weathered previous security snafus and will almost certainly do so again. This time, however, they face a no-win situation. Many people will automatically bash Outlook 98 if it evolves first with powerful macros. Microsoft could wait for someone else to pave the way for viruses, but competitors whose products evolve first would bash them as "a bunch of technological latecomers who'll do to email what they did to the browser."
Antivirus vendors will blame any delays of their own on Microsoft's historic failure to cooperate. Vendors may even warn users to stay away from Windows 98 "until the cavalry arrives." (Fear sells antivirus software, you know.) Even if Microsoft does cooperate, vendors will warn folks to upgrade their antivirus software before installing the "dangerous combination" of Windows 98 & Outlook 98. Oh, and they'll still blame their own delays on Microsoft.
Microsoft's Plus 98 bundling agreement with Network Associates (formerly McAfee) may create more negative publicity. I strongly suspect the bundled antivirus software will require a major upgrade when email macro viruses appear. Like I said: it's a no-win situation for the folks in Redmond.
Thanks to the media's fetish for virus stories, we can expect to see unprecedented news coverage after the first such virus comes to light. Numerous pseudo-experts will get 15 nanominutes of fame when they:
Antivirus vendors will present their own experts to any journalist willing to quote them. Frenzied reporting will propagate old myths, generate new hysteria, ...
In the end, frightened users will clamor for updated antivirus software and will believe pseudo-experts who claim "the Good Times virus is no longer a hoax." (According to this "some equals all" fallacy, the entire hoax becomes true if any part of it becomes true.) Oh, and antivirus vendors will sell a lot of software.
Virus authors with a sense of irony will put their handiwork in messages with subject lines such as "Good Times," "Win a Holiday," and "Penpal Greetings." The first malicious email macro virus will probably say "New virus alert!" in the subject line while the second one probably will say "Returned email: unable to deliver."
Some users will qualify as "Typhoid Macros" (similar to Typhoid Mary). Their email software won't recognize macros — but they might innocently forward a message to someone whose computer gets infected as a result. I predict Microsoft will resort to the so-called "ScanProt strategy," whereby they release a tactical utility (let's call it "MailProt") to deal with email macros until antivirus vendors come up with a better package.
I also predict a new wave of sophomoric hoaxes will prey on renewed fear about viruses. Let's face it: a panicky user is a gullible user. Visit the Computer Virus Myths home page to see what gullible users have previously done...
PS: Microsoft's approach to security may suck, but I still plan to upgrade to Windows 98 when it debuts. You can count on that, too.