Thanks Microsoft!

2003-09-18 15:17

It’s another Microsoft Virus Day.

The amazing thing is not that viruses target Microsoft; after all, Windows is the biggest target.

The amazing thing is not that there are so many new, critical bugs in Windows.

The amazing thing is the apologists. People who say “yeah, well, there were nearly as many security reports for Brand X Linux as there were for Windows last month.” Never mind that the Linux bugs were things like “someone found a way to crash a screensaver” or “it is theoretically possible for an email message to be lost instead of delivered,” while the Microsoft bugs were “could allow attacker to take over a system,” “could allow an attacker to take over a system,” and “allowed attackers to take over systems.”

I don’t get it. The facts are simple. The Morris Internet Worm was in the ’80s. Since then, Unix systems and admins have been active in checking for and closing security holes, and we haven’t had a remotely comparable repeat. By contrast, I’ve lost count of the newly-discovered Windows holes that have done over a billion dollars in damage each in the last couple of years.

Today, I have gotten something like 127 copies of the latest MS Worm. It uses the exact same security hole as the one before that, and the one before that, and the one before that, and the one before that, which is that, of all major vendors, only Microsoft insists on making every email run attachments with no security, no validation, just BOOM, it’s running. On any other system, actually running a program attached to a message requires the user to make a conscious decision to activate a program. The user has to think “This is a program, should I run it?” Microsoft doesn’t want that, so Microsoft becomes the vector for every worm, because the single, simple, trivial fix that would close this hole is simply not acceptable to them.

Instead, MS wants to push for tons of Digital Rights Management things, and “certificates” and “signed programs”, all of which have ABSOLUTELY NO EFFECT WHATSOEVER ON THE PROBLEM. Why? Because those things would help them sell more licenses. So, if they FIXED THE PROBLEM, they would lose one of the arguments they use to push DRM crap on people. So they don’t fix the problem, even though it is VERY VERY EASY TO DO SO.

It’s simple. STOP RUNNING ATTACHMENTS.

The irony of the latest one is delicious; it uses the technique of pretending to be a Microsoft-generated security patch, encouraging people to run it. Has Microsoft ever actually sent security patches via email? I’ve gotten enough spam from newswire.microsoft.com to assume that they probably have, although I understand they have an official policy against it.

Of course, this is where “signed content” would supposedly help. After all, you could “verify” that the material came from Microsoft. In fact, you probably can’t. A while back, someone tricked a certificate-signing authority into signing a bogus “Microsoft” certificate. All it takes is one cracked certificate, or one social engineering hack, and everything goes kablooie.

Or, you could just STOP RUNNING ATTACHMENTS.

If you’re out there, and you run Outlook Express, please stop. Any mail program other than Outlook will reduce the chances of you causing thousands of dollars of damages to everyone you know. If you run Windows, please reconsider. Even apart from the incredible number of security holes in Windows, the fact is that heterogeneous environments are more resistant to attacks. If you click on attachments when you do not have prior communication through other channels from that person telling you to expect that particular attachment, PLEASE STOP.
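As an added illustration (not from the original post), here is a small mail-filter sketch in Python that applies exactly this rule before any client gets the chance to run anything: it judges an attachment by its filename and its first bytes, never by the Content-Type label, and it runs against a constructed “security patch” lure. The addresses, filenames and the fake PE payload are all made up for the example.

```python
"""Flag executable e-mail attachments before a mail client can run them."""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute on a double-click, whatever the MIME type says.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def is_executable_payload(filename, data):
    """True if the name or the bytes say 'program', regardless of Content-Type."""
    name = (filename or "").lower()
    # "patch.txt.exe": only the last extension matters to the shell.
    if any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return True
    # DOS/PE executables begin with the "MZ" header; trust bytes over labels.
    return data[:2] == b"MZ"


def scan_message(raw: bytes):
    """Return [(filename, reason), ...] for every attachment that is a program."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename()
        if is_executable_payload(name, data):
            findings.append((name, "executable attachment"))
    return findings


def build_sample() -> bytes:
    """Constructed sample: a 'security update' lure carrying a fake PE file."""
    msg = EmailMessage()
    msg["From"] = "security@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Latest Security Update"
    msg.set_content("Install the attached patch immediately.")
    # Fake DOS header, deliberately labelled text/plain to show the label is ignored.
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="text", subtype="plain",
                       filename="update.txt")
    msg.add_attachment(b"not a program", maintype="application",
                       subtype="octet-stream", filename="readme.exe")
    msg.add_attachment(b"hello", maintype="text", subtype="plain",
                       filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"BLOCK {name}: {reason}")
```

The filter blocks `update.txt` (bytes say program) and `readme.exe` (name says program) and passes `notes.txt`; a real deployment would quarantine rather than print.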

Anyway, all this does is remind me why I read mail under Unix. There’s an old joke about the Unix email virus.

>From: Virus Sender
>To: Virus Recipient
>
>Hi! I’m a Unix email virus. Please send me to all of your friends, then delete
>all of your files.

Curiously, the older folks out there may remember the GOOD TIMES virus scare. GOOD TIMES was actually a hilarious parody. It warned you of a “GOOD TIMES” virus which would send itself to everyone you knew, then destroy your files. It then told you that you should send this warning to everyone you knew, then destroy your files in case they were infected. GOOD TIMES was a pure wetware virus.

It was also a joke, because there was no way for email to run itself on someone’s machine.

Until Microsoft made one.

The net value of Microsoft Corporation is probably smaller than the net damage done to worldwide computer networks by their willful and continuing negligence in security matters.

UPDATE: Five hours and eleven minutes later, I have gotten another 170 copies of the latest Microsoft exploit. Yay.

UPDATE #2: While writing and saving that, another ten or so. I really value Microsoft’s contribution to my productivity.

Peter Seebach
