Truth about computer security hysteria
Microsoft paves way for 'email macro viruses'

Rob Rosenberger, Vmyths co-founder
Thursday, 7 May 1998
THINK OF A vigorously shaken soda can. Its volatile contents remain inert unless you open the attachment at the top, right? You could read the text printed on the can without getting sprayed in the face and, obviously, you can discard the soda without opening the attachment. Numerous hoaxes say your computer can get a virus if you so much as read an email. In reality it works right now like a soda can: you must open an email attachment before it does anything. Nothing happens if you just read the email with your eyeballs.
Notice I said it works "right now" like a soda can. Windows 98 may combine with Outlook 98 to change the fundamental nature of email ... and I'll need to stop using my cute analogy. The time has come for a serious discussion of what I'll call "email macro viruses." First, let's face an important fact: email must evolve to meet the growing demands of Internet users. You know all those cool tricks you can do with a Word template file? Email software vendors know their customers want to do the same things in a message, and virus experts anticipate a day when you can infect computers with an email macro. To put it another way, soda will someday spray in your face if you read the text on the can. It's no crime if Microsoft reaches this evolutionary stage for email. It's no crime if they reach this stage first. However, the folks in Redmond didn't put enough thought into the "concept" of email macro viruses as they moved along the evolutionary trail. To its credit, Microsoft agreed to modify default security settings before Windows 98 ships. These last-minute changes will deter the spread of email macro viruses — yet we must ask why Microsoft suddenly revised its product security at the eleventh hour.
THE REASON: MICROSOFT doesn't usually think about product security and doesn't usually cooperate with security firms. An unacceptable length of time passed, for example, before they provided details to antivirus vendors about Windows 95 & Office 95 file formats. They took their time with antivirus vendors after Office 97 hit the streets and will probably do so again with the debut of Windows 98. Gartner Group (a computer industry research firm) chided Microsoft in a July 1997 analysis for its overall neglect of security. "Its general demeanor toward [security and antivirus] developers is remarkable for its neutrality, not its support, in this critical area... Microsoft has chosen to release [important details] to only a select group of [developers] and has a history of stifling — not promoting — public debate regarding the security of Microsoft products." Experts I spoke with believe Microsoft's security team tries hard but gets thwarted by autonomous programmers who ignore them without penalty. Indeed, Gartner Group dismissed the security team as "a public-relations effort." Editor Woody Leonhard said it best in a recent issue of his WOW newsletter: "the time has come for every design review group inside Microsoft to have a security analyst" assigned to it. Unfortunately, Gartner Group predicts the company won't achieve its stated security goals before the year 2000.
Microsoft weathered previous security snafus and will almost certainly do so again. But now they'll face a Kobayashi Maru.[1]
Microsoft weathered previous security snafus and will almost certainly do so again. This time, however, they face a no-win situation. Many people will automatically bash Outlook 98 if it evolves first with powerful macros. Microsoft could wait for someone else to pave the way for viruses, but competitors whose products evolve first would bash them as "a bunch of technological latecomers who'll do to email what they did to the browser." Antivirus vendors will blame any delays of their own on Microsoft's historic failure to cooperate. Vendors may even warn users to stay away from Windows 98 "until the cavalry arrives." (Fear sells antivirus software, you know.) Even if Microsoft does cooperate, vendors will warn folks to upgrade their antivirus software before installing the "dangerous combination" of Windows 98 & Outlook 98. Oh, and they'll still blame their own delays on Microsoft. Microsoft's Plus 98 bundling agreement with Network Associates (formerly McAfee) may create more negative publicity. I strongly suspect the bundled antivirus software will require a major upgrade when email macro viruses appear. Like I said: it's a no-win situation for the folks in Redmond.
OKAY, ENOUGH ABOUT Microsoft. Let's bash the rest of the world — myself included. As you may know, I run the Computer Virus Myths home page where I tell people "your computer won't get infected if you read an email with your eyeballs." Antivirus companies say the same thing, but this truism will die with the debut of the first genuine email macro virus. Thanks to the media's fetish for virus stories, we can expect to see unprecedented news coverage after the first such virus comes to light. Numerous pseudo-experts will get 15 nanominutes of fame when they:
  1. scream "it's the Good Times virus for real,"
  2. dismiss genuine experts as "shortsighted," and
  3. predict the impending death of email.
Antivirus vendors will present their own experts to any journalist willing to quote them. Frenzied reporting will propagate old myths, generate new hysteria, ... In the end, frightened users will clamor for updated antivirus software and will believe pseudo-experts who claim "the Good Times virus is no longer a hoax." (According to this "some equals all" fallacy, the entire hoax becomes true if any part of it becomes true.) Oh, and antivirus vendors will sell a lot of software. Virus authors with a sense of irony will put their handiwork in messages with subject lines such as "Good Times," "Win a Holiday," and "Penpal Greetings." The first malicious email macro virus will probably say "New virus alert!" in the subject line while the second one probably will say "Returned email: unable to deliver." Some users will qualify as "Typhoid Macros" (similar to Typhoid Mary). Their email software won't recognize macros — but they might innocently forward a message to someone whose computer gets infected as a result. I predict Microsoft will resort to the so-called "ScanProt strategy," whereby they release a tactical utility (let's call it "MailProt") to deal with email macros until antivirus vendors come up with a better package.
We've lived with virus hysteria for over a decade. We'll survive the next wave of hysteria, too. Count on it.
I also predict a new wave of sophomoric hoaxes will prey on renewed fear about viruses. Let's face it: a panicky user is a gullible user. Visit the Computer Virus Myths home page to see what gullible users have previously done...
YET NO MATTER what, I know — I absolutely know — the computing world will live long and prosper when email macro viruses arrive. We survived the Columbus Day virus hysteria of 1989, the Michelangelo virus hysteria of 1992, the Word macro virus hysteria of 1995, and the Hare virus hysteria of 1996. We'll survive the next wave of Chicken Little hysteria. Count on it.
PS: Microsoft's approach to security may suck, but I still plan to upgrade to Windows 98 when it debuts. You can count on that, too.
Update:
Microsoft's response as of today: "this issue is a non-issue now" because Windows 98 will disable the all-important CreateObject() command as part of its default security setting. Users will receive a warning message about the "implications" if they choose to set security below default levels.

