Don't put all your apps in one basket

In the aftermath of the LoveBug worm, a share of the blame is beginning to gather around that old whipping boy Microsoft.

US expert sources are blaming the power of the Visual Basic scripting language for effectively opening a security "hole" - yet another alleged gap in Microsoft's dealings with the Internet.

But this time, it's not a bug; it's an example, as one source put it, of "Microsoft's software operating exactly as it was designed to do".

Visual Basic and its scripting language were originally developed to allow several Microsoft applications to share a common vocabulary and even common routines.

This makes a lot of sense when you are simultaneously doing a number of tasks on the PC, but in combination with the Internet, it can be dangerous.

The language is comparatively easy to write in, but immensely powerful, laying open aspects of Microsoft's software that reach deep into the systems software. Accessing the user's address book - the means by which the latest worm propagates itself - seems particularly easy.

Moreover, Microsoft adopts some practices with Outlook email that almost invite danger. It allows the user to set a mode in which any Visual Basic Script (.vbs) file is automatically started up once an email is opened. There is no need to fire off an attachment consciously.

One local user reports that he didn't even notice there was an attachment. He simply opened the offending email and his system was compromised.

So your policy could be not to open any email if the title of it looks at all suspicious.

A bit difficult if you have your Outlook set to automatic preview mode, when the system also automatically opens an email to show you the first couple of lines.

Damage, it appears, may be done without any action on the user's part - courtesy of Outlook.

Microsoft naturally rebuts this argument, saying that to cause this chain of events, the user must have made a conscious choice to set security at a "low" level.

The default option is "medium", and this at least presents a dialogue box asking whether the user wishes to open the attachment automatically.

But the sad truth is that people fiddle with their PC settings.

While Visual Basic Script happens to have been the language of choice for the LoveBug's creator, the same effect could have been achieved through other email clients, a Microsoft spokesman says.

The worm creators might, for example, have used an .exe file. "Just because this virus was written in a scripting language and we happen to support scripting in our operating system, doesn't make it a security issue."

But there is little doubt that Outlook's sheer popularity is a significant reason for the LoveBug author(s)' choice of an Outlook attack route, and for its subsequent "success".

Shortly after the news of the bug first drifted out, I received two copies - neither of them, interestingly, from people whose names I recognised. I deleted them immediately, though I did open one of the messages - not the attachment - which may itself have been unsafe.

However, I did it in Eudora, the dependable dedicated email product I've been using since my first forays on to the Internet proper; so I took some comfort in knowing that even if I'd been infected, I hadn't passed anything on. That side of the bug is definitely an Outlook problem.

Perhaps there is a subtle warning here against too easily accepting the Microsoft one-stop solution for everything.

Attractive as a browser-mail-news-scheduling combination may seem, it is perhaps the wise course to use a few variant products, without those easy paths whereby they can all co-operate with one another to sometimes disastrous effect. Perhaps it is time for a few more of us to step outside the repertoire of Microsoft and explore some alternatives.

  • Praise, incidentally, for techteam@axon.co.nz, which sent a warning to a correspondent at Axon, copy to me, to the effect that he had tried (doubtlessly unaware) to send me an infected message, titled ILOVEYOU. It had been picked up by Axon's mail gateway and that third copy of the worm never reached me.

Stephen Bell is a Computerworld journalist based in Wellington. Send email to Stephen Bell. Send letters for publication to Computerworld Letters.
