A Note from Eugene Spafford on Microsoft Security

Back         Email GreenRiver

Computer Sciences at Purdue University

This note originally appeared on Dave Farber's Interesting People email list. It's reposted here with permission.

Date: Sat, 20 May 2000
From: Gene Spafford <spaf@cerias.purdue.edu>

Several of you have taken me to task for my comments about Microsoft software quality. I don't say these things to bash MS -- I say them based on over a dozen years of experience and research in infosec issues. Quite simply, Microsoft is the vendor that is putting arbitrary scripting commands into their email clients and servers, Microsoft products are ones that continue to exhibit security flaws and problems known to researchers for decades, and it is Microsoft's design decisions and products that result in problems such as Melissa, the "love bug," and a myriad of computer viruses. Couple this with the nearly total Windows population in some environments, and we have an extremely volatile situation.

Ask any biologist, doctor, historian, or agricultural specialist: what happens when you introduce a severe contagion into a monoculture population with little natural resistance? You get pandemic -- widespread infection and damage. Whether it is measles and smallpox killing something like 90% of the Aztecs, Dutch Elm disease destroying a mainstay of the American forest, or ILOVEYOU in Outlook damaging files on machines worldwide, the result is a massive and quick-spreading epidemic.

Analyze statistics from anti-virus researchers, companies, and on-line documents. You will find that there are currently about 60,000 recognized computer viruses (not worms, such as Melissa or ILOVEYOU, but traditional viruses). Of these (as of this week):

• slightly less than 52,000 are viruses for DOS/Window/NT platforms
  • about 6000 of these are Word macro viruses
  • about 150-200 of these are known to be widespread "in the wild"
  • in 1999, approximately 650 new viruses were reported each month (more than 20 a day)
• 680 are for the Amiga
• A few hundred are for Javascript, Hypercard, Perl, and other scripting languages. Few of these can spread beyond a few machines without active support of the users
• 150 are for the Atari
• 31 are native to the Macintosh, and only two of them are known to exist anymore
• 2 or 3 are viruses native to OS/2
• About 5 are for Linux/Unix/etc, but none have been found in quantity "in the wild", nor would they be likely to spread very far if they were "loose"
• None are for BeOS, ErOS, or other small-population systems.

So, over 85% of all the known viruses are for Microsoft platforms (nearly all the self-propagating worms are as well). The rate of new reports -- especially for macro viruses -- means that pattern-based virus detectors can never be up-to-date and provide 100% protection. (Note: I'm not trying to draw grand conclusions here about the reasons for this skew, but simply point out where the overwhelming threat is.) Fast-spreading, self-propagating worms using Outlook move so quickly that they are likely to be upon us before an anti-virus vendor can even get a copy to analyze.

The situation is made worse by Microsoft trying to minimize the scope of the problem and claim that they aren't responsible in any way. The MS spin doctors are even attempting to blame the users! (One MS executive even claimed that we should beat our users to prevent problems such as the "love bug": http://www.digitalmass.com/columns/software/0508.html (NOTE: this URL is no longer valid as of 05/23/2001). Microsoft employees and apologists are attempting to claim that these are problems that every software platform has, as if this somehow makes the gaping vulnerabilities less of a problem. This is simply not true -- you can't construct a "Melissa" or "love bug" worm without Outlook and MS Windows scripting host.

So, we need to do what we can ourselves to help our situation. What should you, as Purdue system and security administrators, consider doing?

1. To make sure your anti-malware software is up-to-date to detect older, known viruses. We have site licenses for various NAI products if you don't have something installed yet. Also, install Tripwire if you are using NT or Unix boxes (we have this site-licensed, too). The use of Tripwire will help detect new, as-yet undetected viruses (after the fact, unfortunately) and also help in clean-up of damage by giving a snapshot of altered files and registry settings. (It also provides intrusion detection in addition to the change detection involved in detecting viruses.)
2. To ensure that your users understand good anti-malware practices. This can't stop all future problems, but it may help limit their spread. In particular, get users to cut and paste text in email rather than attach Word documents. If they need to send a file of some kind, then have them use ftp rather than embed the files in email. On the receiving side, users should simply reject any executable content rather than depend on virus screening.
3. Perform regular, comprehensive backups of all systems. If you do not perform regular, full backups of any systems, notify those users and ensure that they understand the procedures (and importance) to do it themselves. Files deleted by buggy software, viruses, worms, crashes or simple mistakes cannot always be recreated. Backups are critical for recovery. (Be sure to test your backups periodically to ensure they work!)
4. Be certain your systems are up-to-date on patches and security fixes, no matter what kind of platform you may be using.
5. If you use Outlook, disable the Windows scripting host feature (see article at the URL given above). Alternatively, think about switching your users from Outlook to some other email client (e.g., Eudora). For this to work, however, you need to de-install Outlook rather than simply install something alongside it. (There was at least one case on campus where someone using Eudora on Windows saved the ILOVEYOU code to disk and started it, and it then activated Outlook to use the global address book to mail copies to other users.)
6. If your users are using Internet Explore, be certain they have their security settings on the highest level for all zones unless you *know* it is safe to use a lower setting. Also, in the security settings, disable ActiveX if at all possible -- ActiveX supports threats that cannot be defended against. In all WWW browsers users should be careful about enabling Javascript and Java, with Java being safer than Javascript in up-to-date browsers.
7. When acquiring new systems, think carefully if you really need Windows/Word, or whether an alternative is available that is more resistant to attack. This is especially a concern if you don't have staff or expertise to be constantly dealing with security concerns. For instance, if you are only seeking a machine to run a WWW server, then a Mac makes a robust server with an almost non-existent history of security problems. In fact, last year the US Army replaced their NT-based WWW servers after repeated security problems and they have not had a single security incident since! Similarly, you can run Excel and Word on a Mac, and using StarOffice on a Unix box you can deal with the same files. There are also other word processing programs (e.g., Framemaker, AppleWorks, others) and spreadsheet systems. Windows and Office are not the only choices.

The key here is to think about total cost of operation and the needed core functionality. When you put a machine in service there may be the up-front cost of the box and the software, and in this regard a Wintel box seems the best choice. But add in the time spent applying security patches, strengthening the default installation, responding to (and cleaning up after) break-ins and malware incidents, and the time spent staring at blue screens -- time for you and your staff is valuable, as is the loss of productive work time by your users. Yes, Windows runs thousands more programs than does Unix or a Mac -- but do you ever need those in a work or lab environment? Most are games, or are versions of software you don't need or already have in another form. Consider carefully what you want: buying a system because it runs programs you will never use and that may cost more over its lifetime to operate is not a bargain.

This is not intended to suggest that Microsoft is the source of all evil, or that you should run out and replace all your Windows boxes with something else. There are good people working for MS -- and several of them are former students and colleagues. The university (and the world around us) would come to a very abrupt halt if we didn't have MS products for everyday use. Furthermore, other vendor products are hardly bug-free -- we continue to see security advisories for Solaris, HP-UX, Linux, and others. But the number of security problems for MS products and the near ubiquity of MS platforms in many environments means that we need to be especially concerned about this as a potential problem area. (See for some interesting numbers supporting this.)

Several security experts, myself included, are convinced that we have seen only the tip of the iceberg as far as new worm/virus code is concerned. Being aware of alternatives and threats is the first step in protecting ourselves. Trying to reduce the "monoculture" environment and replace the most vulnerable members of the population is simply one step towards protecting our environment against future threats.

You do have choices, and if only enough people exercised their choices we might find all the vendors paying a little more attention to security.

Eugene H. Spafford is a professor of Computer Sciences at Purdue University, the university's Information Systems Security Officer, and is Director of the Center for Education Research Information Assurance and Security. CERIAS is a campus-wide multi-disciplinary Center, with a broadly-focused mission to explore issues related to protecting information and information resources. Spaf has written extensively about information security, software engineering, and professional ethics. He has published over 100 articles and reports on his research, has written or contributed to over a dozen books, and he serves on the editorial boards of most major infosec-related journals.

Dr. Spafford is a Fellow of the ACM, Fellow of the AAAS, senior member of the IEEE, and is a charter recipient of the Computer Society's Golden Core award. Among other activities, he is chair of the ACM's U.S. Public Policy Committee, a member of the Board of Directors of the Computing Research Association, and is a member of the US Air Force Scientific Advisory Board. He regularly serves as a consultant on information security and computer crime to law firms, major corporations, U.S. government agencies, and state and national law enforcement agencies around the world.

More information may be found at http://www.cerias.purdue.edu/homes/spaf.

In his spare time, Spaf wonders why he has no spare time.