Microsoft to Blame for 'Love Bug'?

May 11 2000

Who is to blame for the "Love Bug" virus and its 25 or so nasty variants that ripped through an estimated 600,000 computers and caused computer-system shutdowns at corporations and government offices worldwide? As law enforcement authorities homed in on a cadre of technical-college students in Manila, Philippines, security experts pointed out that Microsoft's operating system creates an environment that is vulnerable, if not virus-friendly.

The "Love Bug" took advantage of a feature in Windows called Windows Scripting Host, which allows users to automate routine tasks. The virus' author created a Visual Basic script that was directed to send itself to all recipients in a user's Microsoft Outlook address book and then delete image files and hide audio files.

The Scripting Host is not the only Windows feature that invites hackers. Other flaws include Outlook's automation feature, which allows external programs to command the application remotely. Security experts say such features should be disabled by default.
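The worm spread as a Visual Basic script attachment that Windows Scripting Host runs when the recipient opens it. As an added example (not code from the article or from any product it mentions), here is a mail-gateway check that parses a constructed message and flags attachments whose names end in an extension the Scripting Host executes, including the double-extension form such as "letter.txt.vbs"; the extension list is an assumption.

```python
import email
from email import policy

# Extensions that Windows Scripting Host runs when the file is opened.
# This list is an assumption for the example, not taken from the article.
WSH_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def is_script_attachment(filename):
    """True if the attachment name ends in a WSH-handled extension.

    Matches on the final extension only, so a double extension such as
    'letter.txt.vbs' (shown as 'letter.txt' when Windows hides known
    extensions) is still caught.
    """
    if not filename:
        return False
    return any(filename.strip().lower().endswith(ext) for ext in WSH_EXTENSIONS)


def flag_script_attachments(raw_message):
    """Parse an RFC 822 message and return attachment names a gateway
    should quarantine because the Scripting Host would execute them."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not an attachment
        if is_script_attachment(part.get_filename()):
            flagged.append(part.get_filename())
    return flagged


# Constructed sample message for the example; not a capture of the worm.
SAMPLE = """From: alice@example.invalid
To: bob@example.invalid
Subject: please read the attached letter
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Please see the attached letter.
--BOUND
Content-Type: application/octet-stream; name="letter.txt.vbs"
Content-Disposition: attachment; filename="letter.txt.vbs"

' placeholder text standing in for script content
--BOUND
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg"

placeholder image bytes
--BOUND--
"""

if __name__ == "__main__":
    print(flag_script_attachments(SAMPLE))  # ['letter.txt.vbs']
```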

"The bottom line is that very few people need [the Scripting Host], and yet it's turned on by default," says Richard M. Smith, a security expert and Internet consultant based in Brookline, Mass. "Windows Scripting Host [is] almost like the Virus Scripting Host."

Microsoft's tight integration of its operating system with all applications - the Windows hallmark cited in the guilty verdict in the software giant's antitrust trial - also makes it vulnerable. Other platforms integrate and use active content far less than Microsoft.

A self-proclaimed California-based hacker who calls himself "Bronc Buster," writing in the online magazine Synthesis, says the Love Bug "couldn't affect MacOS or any kind of Unix system. Because [Microsoft's] applications are so closely tied with their operating system, their applications tell the operating system what needs to be done, and the operating system fires up the program to get it done, all without you knowing it."

"It's much harder to make this same thing work in Unix because Unix doesn't work this way," says Bruce Schneier, chief technology officer at Counterpane Internet Security, a network-monitoring service provider in San Jose, Calif. "From a security point of view, this is a disaster."

"Microsoft is focused on the simplicity aspect, and I can understand why," says Steven Bellovin, network security researcher at AT&T Labs, "but they've done it at a serious cost in safety."

Security flaws in Windows have long been known in the software-developer and hacker communities. Technology writer James Gleick, author of Faster: The Acceleration of Just About Everything, pointed out these flaws in a recent column in Slate.

The company's traditional response is that security is a trade-off between users' competing desires for both automation and absolute protection, and that pop-up dialogue boxes provide warnings of potentially dangerous attachments.

Critics like Schneier scoff at that defense. "Giving users functionality is bullshit because users never said, 'We want more viruses.' They might have said they want more features that Microsoft [then] implemented in a way that allowed this."

Microsoft's primary goal - shipping products - interferes with its security obligations, Schneier contends. "It's in Microsoft's interest to make products as insecure as they can get away with," he says. "They have no liability. They'll just do damage control."

Microsoft could fix the problems by turning off defaults for certain features that pose security risks and by requiring script writers to "sign" their work digitally. The latter is a requirement already built into macros, but it is one that virus writers avoid for obvious reasons.

Meanwhile, the new "Kak" e-mail virus has emerged, able to spread even if a recipient doesn't open its attachment. Kak affects users of Internet Explorer 5.0 and Office 2000, and it works with Outlook and other e-mail programs that recognize HTML. It doesn't damage files like the Love Bug virus does, but a destructive version of it is almost certainly coming to a computer near you.