Intel FDIV bug vs ILUVYOU
geophile sent us a really interesting comparison of the similarities and differences between Intel's notorious FDIV bug of ages past (well, at least it seems like ages) and the recent ILUVYOU macro virus. It's amusing, but at the same time it really gives an interesting perspective on the whole deal. Hit the link to read it.
The following was written by Slashdot Reader geophile
| | Pentium FDIV Bug | Outlook Macro Viruses |
|---|---|---|
| Nature of the bug | Loss of precision in floating point division. | Gaping security hole due to the combination of VBA scripting and Outlook. |
| How to provoke the bug | E.g. x - (x/y)*y for some x, y. | Open the ILUVYOU attachment. |
| Damage caused by the bug | Probably none in practice | Millions of damaged files and registries |
| Bug found by | Thomas Nicely, Math Prof | Numerous virus writers. |
| Bug created by | Intel. | Microsoft. |
| First response by bug's creator | Claims the problem isn't serious. | It's a feature, not a bug. |
| Second response by bug's creator | Free replacement of faulty CPU. | It's a feature, not a bug. |
| Cost to public | Probably $0 | Probably $millions |
| Cost to creator of bug | $billions | $0 |
As you clean up your registry and replace your damaged files, just keep a few things in mind:
- Microsoft just wants to be free to innovate and to bring great software to consumers.
- We wouldn't have great software like Windows and Office if Microsoft hadn't violated anti-trust laws.
I live in Argentina, and here Bill Gates is regarded by the media almost as if he had invented computers himself. So this morning I couldn't believe this article was published in one of the country's major newspapers. ..."
The article not only says the virus affected Windows computers only, but it also says it's Microsoft fault. What is more, it mentions that Microsoft should improve the security in all its products.
It calls the different flavors of Unix "big winners" because they are "invulnerable to the attack" of the virus. It also points out that "... on thursday night, a set of rules already existed in order to stop the LoveLetter in e-mail servers based on Linux
Of course, this may sound like old news to you, but here it isn't common to see the Linux name in the mass media, and it is even less common to see a report saying Microsoft's products are less than perfect.
this be a quickie? first post too.
Actually, if you have the Preview Pane installed then it does auto execute.
No it doesn't. You're confusing HTML embedded scripts, which can execute in the preview pane, with a VB script sent as an attachment. This is NOT the same thing. The attachment has to be opened by the user.
This Isnt The Real John Carmack !!!!
Except maybe in Los Angeles.
this is honestly the worst thing i've ever read on slashdot, and considering how shitty this place has been since its ipo, that's saying a lot.
I don't understand why slashdot compared the VBS/Outlook-combo with an intel processor bug.
I think these things are not even remotely related. As mentioned several times before:
There are no analogies here for the CPU-bug. Saying there are, is using FUD and being ignorant, which is not what I would expect from a "News for Nerds"-infopage
What is the real problem then, if it isn't MS? The level of education of the majority of the users is the problem. Everyone is supposed to use computers, but only a few have had a decent education for doing so (I'm not talking about 1 day courses etc). People just don't know that there is something like scripting, that it is called Visual Basic on Win32, that the script files have .vbs extensions and that they can be executed. Let alone that they understand that these files can contain malicious code.
So, give everybody a decent training, before there is a /real/ ugly virus. 'Cos -let's be honest-, if documents were deleted, the disaster would be far more devastating
Oh, for all the self-proclaimed gurus out there. Please think a second before you start spreading your falsities
People using outlook don't know they are executing a script when they open the attachment. Even people who know not to open executable files would fall for this.
My email client won't automatically open a shell script when I open the attachment and I bet most others won't as well.
This is a bug as much as those browser bugs that messed up your computer when you went to a webpage. Why do you think we have all those "Be aware that you are sending information..." things?
I'm pretty sure Outlook warns you when opening attachments though, although it could be different in this case. It seems like just clicking on the attachment opens it.
Well if we get more than 20% oxygen in the atmosphere doesn't the world become a smoldering cinder after the next little forest fire breaks out? So you have a nearly homogeneous network of untrained users running an immensely insecure OS. If the networks had been a little more diversified do you think this virus would have gone global in the time it did (less than 12 hours)?
An "almost" useful scripting feature? Sorry, it does not even come close to useful. My productivity is not enhanced by visual basic programs sent through email and automatically run on receipt, which perform administrative functions. There is no godly reason that something like Outlook, which can receive files from anywhere, would allow ANY type of executable content to run. Least of all, if there was a reason, there should be a warning. A nice sandbox-type environment where the user actually has to give it permission to LOOK at the hard disk, let alone overwrite existing files would suffice. But I would really like to hear you state ONE possible, productive use for embedding executable scripts in email. Be it VBScript sent to someone running outlook, or a perl script sent to someone running a unix email proggy.
To be completely fair to Microsoft:
Intel did *not* decide to take it on the chin immediately. They were perfectly happy to let the existing shipped processors be used, until about a month of news stories and IBM stating they would no longer use Intel-brand processors changed their minds.
IIRC, Microsoft recommends giving the principal user of a machine root privileges, in case the root password is forgotten. I read this on the MS website. Sort of an interesting suggestion, given the rest of this discussion.
-Paul Komarek
Ooo, the dread "Overrated" moderation.
Would anyone care to reply to my post, instead of silently dissenting?
I'd love to hear some actual opinions, from real people...
Here's some ammunition, if you think it might help...
---
pb Reply or e-mail; don't vaguely moderate.
Yes, but it's a lot harder to fool me when I can read the text first, and say "what the hell is that?" That's because it doesn't just have a "link" that says "Click Here" and does everything without telling me.
:)
I blame people who write e-mail programs that don't just send text, or try to run applications. Elm never does this to me. Heck, I could know absolutely *nothing* about computer security, and elm would *still* never do this to me because it can't do it, and that's the way it should be.
(although I got an e-mail the other day that was encoded in base-64, and elm tried to uudecode it or something, and I got gibberish, and it managed to execute a random command. I'd love to know how it did that. If I figure it out, I might have an "elm e-mail exploit" to post to BugTraq.)
Also, the "Elementary Security" Information that Microsoft provides on their website seems woefully inadequate to protect against this style of exploit. And educating the user base is not the ultimate answer--because by and large, it's impossible. There have to be better security measures and design methodologies that can be used to minimize the damage.
---
pb Reply or e-mail; don't vaguely moderate.
I'll accept other people's shortcomings, until it starts affecting what I do.
Microsoft is left squarely out of this.
---
pb Reply or e-mail; don't vaguely moderate.
Cool, I didn't get the virus. (No one loves me. :)
:)
I've heard that it could be automatically launched by Outlook. Just citing that it wasn't for you isn't proof, but there's some conflict on this issue.
However, another virus could be written that *would* be automatically launched, and that's much more scary. (Just like the Melissa virus didn't do that much damage, but it's trivial to change the payload, like so...)
I blame Microsoft for VBScript, their Macros in Office, and their horrible security model.
I could run a perl script right now, and it could search through the hard drive, find all the files of a certain type, and try to delete them. But it would fail.
It could still spread itself, but it wouldn't be nearly as dangerous. And whoever gets it would say to themselves, "what is this, and how do I run it, again?" because there's no handy link to click. I don't think the average user is going to run it if they have to download and configure Perl first.
---
pb Reply or e-mail; don't vaguely moderate.
For the record, I don't *care* whether you moderate my comment up or down as long as you have a *reason*.
;)
:)
This is supposed to be a *discussion forum*. If my comment were indeed so gosh darn interesting or insightful, I'd expect other people to think about it, and reply. If it's overrated, then I'd expect people to tell me why. If I'm moderated up, but no one says *anything*, then there's something wrong. (or someone posted a new story. ooo, get karma instead of posting real comments!)
Incidentally, thanks a lot for the anonymous reply. I just wish it could have been to my original message, and on-topic. That's what I really wanted...
Moderate me down, mark me as Troll, Flamebait, or whatever you like, if you feel it's justified. But never use a moderation like "Overrated" that offers no feedback at all when you could be moderating up another post and giving them a good reason why.
Or, to make a long story short, read my sig if you haven't yet.
---
pb Reply or e-mail; don't vaguely moderate.
Yeah, I think I mentioned before that I thought this was possible. Now I don't have to do the research, though. :)
Actually, it looked like some outputted keystrokes (VT100 escape codes in there somewhere, probably) allowed the file to press keys in elm. Then you'd view the file, and it would do its magic, probably typing something like
!
/bin/sh
(or whatever, elm lets you execute shell commands with '!', just like everything else.)
...also, this virus would be multi-platform. Include some misunderstood attachment that executes first in elm, (or whatever Unix mail readers do the same thing) and have the Windows exploit in the message, or in another attachment...
---
pb Reply or e-mail; don't vaguely moderate.
Yeah, you're right about that, and I'd accept that as a reason for the moderation too.
But I'd *really* rather get some discussion going, and this is apparently the wrong place to do it, as usual.
(But who has their threshold set to +5? Shouldn't that moderator be moderating someone *else* up instead? And why would they do it, after the discussion is essentially dead anyhow? I tend to mistrust the moderators who go back through later and mark things that are +5 as "Overrated", that tends to be more personal than helpful.)
---
pb Reply or e-mail; don't vaguely moderate.
Heh heh. You really don't want to know about *that*, but suffice it to say that my self-esteem is fine.
I guess I didn't intend for the focus of that message to be about the moderation so much as the lack of discussion.
But I still really hate that "Overrated" tag, and don't think it should be used. (or at least it should be officially deprecated, or subject to meta-moderation)
---
pb Reply or e-mail; don't vaguely moderate.
Yay, a real reply! Thank you, korpiq! :)
:)
...or we might be using Solaris by now! ;)
I agree, and also make sure that nobody owns nothing.
(or, possibly, have two groups, "own no evil", and "run no evil", cause there's no point in making "nobody" own all the files, and running programs as "nobody".)
Hopefully once Microsoft releases a popular consumer version of Windows based on W2K and users make individual accounts and installations use a separate account, this will be possible. It might require carefully designing the installer, though.
(I don't know how it actually works now, but I'd give the user the right to Add/Remove Programs, but not the ownership of the files themselves)
People want to send "cool stuff" to each other. What you really need is a popular, crippled "cool stuff" format that doesn't have the ability to cause trouble. Something like Flash, I'd hope.
(Flash can't execute arbitrary commands yet, right?)
I agree, this is a very important subject, and it scares me how little attention this gets. If the media could perceive that these are serious security issues that the vendor (Microsoft) needs to address.... well, if they *ever* could have done that, we might not be having these problems.
---
pb Reply or e-mail; don't vaguely moderate.
I was thinking that perhaps these viruses would be more successful if they were somewhat subtler in their approach.
:)
If, say, the ILOVEYOU virus professed to be some sort of chain Valentine's day greeting, and it showed some heart animation or something while it busily churned away sending and writing copies of itself, maybe it would have been even more successful.
Or, for that matter, if it were some sort of executable greeting that changed a few Windows system settings for later use, and perhaps just told users to forward it too, it could be successful at infecting and escape detection for a longer period of time.
The only real solution I can see here is to restrict what the attached program or the user can do in the first place. I see a lot of people suggesting virtual machines. I still don't see why VBScript attachments should be allowed to copy files, or edit the registry. I have a feeling Microsoft's answer will be "upgrade to W2K!"
---
pb Reply or e-mail; don't vaguely moderate.
Can't you read? The person you "corrected" just told you that you have to explicitly run the script for it to be effective. You then say that you "clicked the attachment" (i.e., you explicitly ran the script) and that it "infected your computer". You've told someone they are wrong and then backed up what they've said!
I 'viewed' the message in outlook at work.
It doesn't run it automatically, it requires a user double click to execute it.
In fact, as I have 250 of them in my Inbox at the time, the first thing I did was save it as a file and right click->edit to view the source.
Every now and then, my karma sucks.
Of late, I have been a lurker more than a poster as the SNR went south.
It is not a bug.
ILOVEYOU is just another trojan.
The fact that windows mail clients recognise some file types and allow easy execution is a feature. Ultimately it is human error that allows a trojan to work.
A bug would be if some kind of mail client feature allowed the script to be executed on just opening of the message.
Really it is no worse than having . in your path.
"MICROSOFT BAD, DIE MICROSOFT!!!"
Microsoft has file name extensions turned off by default. Most people can't even see it's a vbs file.
If this was Red Hat they would be blasted for the default configuration.
Microsoft's fault!
Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
Accidental gun deaths? Well, to lead this analogy further is to say MS has put guns in the hands of all their users. Oh well...
Milek
--
"Man in the Moon and other weird things" - wfmh.org.pl/thorgal/Moon/
This is a trojan horse that is conceptually no different to my sending you a perl or bash script as an attachment and fooling you into running it.
Actually, I blame ISPs. And idiot boosterish journalists.
Yup.
I blame people who market the virtues of email, and its ease of use, broadband access, and 24 x 7 connectivity, and fail to educate their user base about elementary security.
Please go read the "Washington Supreme Court Upholds Shrinkwrap Licensing" article again, and explain the reasoning behind your statement.
If you're referring to C2 certification, last I knew all of the C2-level certifications for NT were for non-networked configurations.
Wasn't that touted as a "feature" at one time? At least I can remember the phrase "good enough software" being touted. Of course, in other fields of endeavor, we have a slightly different word for this. We call it mediocrity.
Don't forget, part of the problem is the ignorant users who run a script sent to them! Ugh. It's kind of like saying, "Guns are responsible for killing a ton of people, therefore get rid of guns."
Yes, guns are part of the problem (as is Outlook/Windows), but someone has to pull the trigger on the gun, and someone has to run the attachment...
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
It does. I installed a more recent "security patch" which won't let you run executables at all from your email client. You actually have to save them to disk first. Maybe that should be the default...
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
For ordinary users, the dot-files in their directory can do at most run something AS THAT USER UPON LOGIN. This is NOT the same as running something upon system startup. System startup programs are usually run from /etc/rc.d/* or /etc/rc* whichever flavor of UNIX you're using. Only root can modify those files, as it is a critical link in the security of the system.
the real at&t mix
"fell under the false impression that "Yahoo" and "Altavista" were application programs on their desktop" -- I've noticed that before too, mainly with my father. He's telling me "Oh, at work we got Yahoo, Altavista, etc, and they're nice. We also have MSN installed." Makes me sick, ya know?
the real at&t mix
It'll happen eventually you know. AOLinux 7.0 will have this feature in its mail reader, and everyone using it will have problems. And they'll be screaming, "But Linux was supposed to be secure". Never mind if their machine is still running, if their user account is hosed beyond recognition.
As a possible preventive step, I think it would make sense to have a "safe environment" to run potentially untrusted executables in. Use LD_PRELOAD to override many system functions to ask for confirmation before allowing something to happen that seems "suspicious". For example,
"untrusted application ILOVEYOU is attempting to open file ~/mp3s/SomeFile.mp3 for writing: [A]llow operation, [D]isallow operation, or [T]erminate application?"
The untrusted environment could be configured for varying levels of paranoia by each operation checked for:
File Opens inside App's run environment: OK Ask Disallow Terminate
File Opens outside App's run environment: etc.
This would make the distinction between opening a file for its own purposes in a temporary directory specifically allocated to the untrusted application, and attempting to open, say, /etc/crontab for writing.
Thoughts? Ideas? Discussion?
How's my programming? Call 1-800-DEV-NULL
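A sketch of the confirmation policy proposed in the comment above, added here as an example (it is not the poster's code): an LD_PRELOAD shim for open() with the four settings OK / Ask / Disallow / Terminate. The run directory `/tmp/untrusted-run`, the `SAMPLE_POLICY` values and all function names are assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                /* RTLD_NEXT in the shim below */
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* The four per-operation settings from the comment. */
typedef enum { ACT_OK, ACT_ASK, ACT_DISALLOW, ACT_TERMINATE } action_t;

struct policy {
    const char *run_dir;           /* directory allocated to the untrusted app */
    action_t read_inside, write_inside, read_outside, write_outside;
};

/* Constructed sample policy (assumption): only writes outside run_dir ask. */
static const struct policy SAMPLE_POLICY = {
    "/tmp/untrusted-run", ACT_OK, ACT_OK, ACT_OK, ACT_ASK
};

/* Lexically resolve path against cwd, collapsing "//", "." and "..".
 * Symlinks are NOT resolved, so a link inside run_dir can still point out. */
static int normalise(const char *cwd, const char *path, char *out, size_t cap)
{
    char buf[2 * PATH_MAX];
    size_t len = 0;
    int n = path[0] == '/' ? snprintf(buf, sizeof buf, "%s", path)
                           : snprintf(buf, sizeof buf, "%s/%s", cwd, path);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;
    for (const char *p = buf; *p; ) {
        while (*p == '/') p++;
        size_t k = strcspn(p, "/");
        if (k == 0) break;
        if (k == 2 && p[0] == '.' && p[1] == '.') {
            while (len > 0 && out[--len] != '/')   /* drop last component */
                ;
        } else if (!(k == 1 && p[0] == '.')) {
            if (len + k + 2 > cap) return -1;
            out[len++] = '/';
            memcpy(out + len, p, k);
            len += k;
        }
        p += k;
    }
    if (len == 0) out[len++] = '/';
    out[len] = '\0';
    return 0;
}

/* Map one open() request to a policy action. */
action_t decide(const struct policy *pol, const char *cwd,
                const char *path, int flags)
{
    char norm[PATH_MAX];
    if (normalise(cwd, path, norm, sizeof norm) != 0)
        return ACT_DISALLOW;                       /* unparseable: fail closed */
    size_t n = strlen(pol->run_dir);
    /* Require a component boundary so "/tmp/untrusted-run-evil" is outside. */
    int inside = strncmp(norm, pol->run_dir, n) == 0 &&
                 (norm[n] == '/' || norm[n] == '\0');
    int writing = (flags & O_ACCMODE) != O_RDONLY ||
                  (flags & (O_CREAT | O_TRUNC | O_APPEND)) != 0;
    if (inside)
        return writing ? pol->write_inside : pol->read_inside;
    return writing ? pol->write_outside : pol->read_outside;
}

#ifdef BUILD_PRELOAD  /* cc -shared -fPIC -DBUILD_PRELOAD shim.c -o shim.so -ldl */
#include <dlfcn.h>
#include <errno.h>
#include <stdarg.h>
#include <unistd.h>

int open(const char *path, int flags, ...)
{
    static int (*real_open)(const char *, int, ...);
    char cwd[PATH_MAX], msg[PATH_MAX + 96], answer = 'd';
    int mode = 0;

    if (!real_open)
        real_open = (int (*)(const char *, int, ...))dlsym(RTLD_NEXT, "open");
    if (flags & O_CREAT) {                         /* mode is only passed with O_CREAT */
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, int);
        va_end(ap);
    }
    if (!getcwd(cwd, sizeof cwd)) { errno = EACCES; return -1; }

    action_t act = decide(&SAMPLE_POLICY, cwd, path, flags);
    if (act == ACT_ASK) {                          /* prompt on the controlling tty */
        int tty = real_open("/dev/tty", O_RDWR);
        int n = snprintf(msg, sizeof msg, "untrusted application is attempting "
                         "to open %s: [A]llow, [D]isallow or [T]erminate? ", path);
        if (n >= (int)sizeof msg) n = (int)sizeof msg - 1;
        if (tty >= 0 && write(tty, msg, (size_t)n) == n)
            (void)!read(tty, &answer, 1);          /* no answer: stays 'd' */
        if (tty >= 0) close(tty);
        act = (answer == 'a' || answer == 'A') ? ACT_OK
            : (answer == 't' || answer == 'T') ? ACT_TERMINATE : ACT_DISALLOW;
    }
    if (act == ACT_TERMINATE) _exit(126);
    if (act != ACT_OK) { errno = EACCES; return -1; }
    return real_open(path, flags, mode);           /* check and open can race (TOCTOU) */
}
#endif
```

The shim covers only `open()`; `openat()`, `open64()`, statically linked binaries and direct system calls bypass it, so it works as a confirmation prompt for cooperative programs rather than as a containment boundary.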
Maybe not let the email client say "here's a text file, click on it to read" but, "this fscking file ends with a .vbs, which means its a program that you run if you open it".
It does that in Outlook 2000.
Ok. Wonderful. The system files can't be touched. However, all of the user's files could be erased. All the presentations, pictures, documents, spreadsheets, personal items, etc. System files can be fixed with a reinstall of the application/os; user files cannot. You either lose whatever work you did since the last backup or you lose everything if you don't back up your files.
They will. http://officeupdate.microsoft.com/downloadDetails/O98attch.htm
First, there is no "bug" anywhere. I know people that got hosed using AOL mail and hotmail and eudora and whatever else have you. Technically, I could have hosed myself with PINE (and I got the mail) by moving the windows program over to a windows machine (where it would naturally have to be run) and run it. All these people ran the attachment (a program file) and it ate their systems.
Now, I do think Microsoft is a little at fault for not allowing users to have very fine-grained control over security.
For example, I should be able to set my javascript security preferences to do things like prompt me to create popup windows or close windows or NOT if I so wish.
I should be able to set my Outlook (Express) preferences to warn me when opening .vbs, .exe, .com, .doc, .bat, .cmd, etc files. I should be able to tell IE/Outlook - Hey you programs can't access my registry or create files no matter what.
Honestly, I like VBS. It's very very very very useful for what I use it for.
~GoRK
A post telling people to read at -1, rated at -1. That is a classic. :)
-David T. C.
If corporations are people, aren't stockholders guilty of slavery?
I don't know where you got the idea that MS Outlook has the most marketshare. In the corporate market, for example, Lotus Notes/Domino has twice the seats of Exchange/Outlook.
It is true that Outlook has a lot of installations, because it comes free with MS Office, but nobody knows exactly how many users it has. However, as far as I know, nobody prepares market share figures for POP/IMAP clients.
This discussion has turned into a gigantic flamefest, which I'm trying to stay out of. I'm just trying to point out that the Microsoft swagger projects the assumption that all of their products are the most popular and the de facto standard, even when that's totally untrue. It's important not to drink that Kool-Aid, even if your bread-n-butter is MS products.
(Although, I agree with your point - a local script could do something similar with almost any mail client, with the exception of Lotus running under a tightened configuration.)
--
Business. Numbers. Money. People. Computer World.
First of all it's not the real john carmack, and second it has been fixed for a while
From the technote:
Customers can avoid being affected by this virus by following standard best practices:
- Never run an executable from someone you don't know.
- Always have a good-quality virus scanner
- Always keep the virus scanner's signature files up to date.
First, this was sent from people who they may have known. And when it was not, it preyed upon the gossip factor; what fool sent this to everybody.
Response from MS security:
Hi -
Actually, the virus resends a copy of itself to the recipient's entire global address book, so in most cases the mail would indeed come from someone you don't know. But we're going to add some language to the first bullet to also note that even if you receive an executable from someone you know, you still need to consider whether it makes sense to run the executable or not. Regards,
Secure@Microsoft.com
Second, it happened in less than 24 hours. MS's own response with the tech note appeared after a large part of the danger had passed. So are users supposed to update their stuff every day?
Social engineering will always get around poor security practices. Digital signatures as a security measure are a failure. MS needs a different model to protect its users. Unsigned code should be run in a protected space.
Friggin trusted source should mean one run executables and scripts from signed messages.
With a single download of the attachment, without a warning. That's why there's a patch for outlook, 97,98.
That's just bad security.
The worst part is that MS said the trust model would work. You sign, you trust the signer, you can run safely.
This was not signed. It was trusted, big gaping hole in security model.
I was thinking, how hard would it be to make up another email whose payload is to change the security levels in Outlook to stop these kind of viruses.
Before it does this, it would propagate the message to all of your contact list.
Thereby you could immunise a great deal of the world and they wouldn't even realise.
Of course they are now a lot less likely to actually double-click on the icon.
You also have to give some credit to all the users who still open attachments willy-nilly despite the numerous other macro viruses that have been well publicised. Also the people who didn't bother to buy/pirate Anti-Virus software.
http://overwhelmed.org
itself to those people, it would be very very similar to the love bug.
Yes, except first you would have to view the attachment, save it to a file, and run it yourself. Given all those steps, you would more than likely figure out what it's doing and not actually run it.
Executable email is just a stupid idea.
No the bug (or feature... whatever) did not cause billions of lost files. That is not the point. The point is that this piece of software (Outlook on the Win* platform) is implemented without adequate constraints and allowed billions of lost files. To say that oxygen allowed WW2 is absurd, granted, but to say unconstrained VB scripting facilities and unconstrained file access allowed the virus to do its business, that's a perfectly valid argument. Would python scripting in some Linux mail client allow a virus to delete files? Of course it would, but only those in your home directory and not any programs/configs/other users' data that are not "yours" on a Linux or any Unix system. Arguably, these are the ones you value the most, since you can replace everything else from some external source, but it still highlights the major shortcoming of Outlook/Windows 9?. That is, Windows allows a program run by any user to do anything to any part of the system. Outlook extends this by allowing an email from anywhere to do anything that Outlook itself is allowed to do. There was another post by someone else about leaving your window open on vacation and not blaming yourself for the consequences... a very apt comparison to your own logic about this not being Microsoft's fault, indeed.
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
Intelligent person: Knows the difference between reading an email and running a program.
I take it you don't use Outlook 2000, then - it very "helpfully" runs any attached/embedded scripts for you when you preview the mail. You don't even have to open up the attachment.
(No, I don't run it either, but a depressing number of people at work insist on using it, despite at least one having had to apologise to clients in the past because "he" sent them a virus...)
You don't run anything; Outlook does it for you, without asking or informing you.
Cheers,
Tim
It's official. Most of you are morons.
That's a bunch of bullshit. Outlook doesn't run ANYTHING for you unless its scripting (which runs in a sandbox) in an HTML page.
Well, I know a marketer (yeah, I know.. ;-) ) and a sysadmin or two who claim otherwise. :-)
Oh, and incidentally, arguments generally carry more weight if you manage not to swear...
Cheers,
Tim
It's official. Most of you are morons.
Actually, you can read the text for ILOVEYOU just as easily (if not easier) from outlook as you could a perl script from Pine.
Just right-click the attachment, then choose EDIT.
I got lots of ILOVEYOUs, and I use Outlook, and I never had an issue. I noticed the unusual .txt.vbs extension on the first one and immediately examined it. I saw it was bad. I did not run it.
I find most of the people who blame Microsoft/Outlook don't understand the nature of the virus or the programs. This virus was NOT automatically launched, it required the user to run it, just like any script.
Bzzzt, sorry. Wrong answer. The virus does NOT run itself from the preview panel. You MUST open the attachment to be infected. I use Outlook. I use the preview panel. I saw the attachment. I did NOT run it. I did NOT get infected.
Sorry, incorrect.
I have Outlook with preview pane on, and NO code runs that I don't want to. If a HTML page is presented that contains scripting, it TELLS me before running the script, and I refuse to run it unless I know it's ok.
Once upon a time you could run scripts in HTML in Outlook, but they fixed it long ago.
But most linux distributions don't come with 'bin/sh' enabled in their mailcap files.
No.. Shell scripts for Linux, Apple script for Mac and Dos batch files for Windows are not vulnerable.
So long as no application passes commands from a networked application this isn't a problem...
I use Linux and before that Unix..
The problem isn't in the Windows applications so much as in the e-mail handler.
There isn't any pasthrough for scripts.. even with Windows... If there ever was then we'd have a problem...
But a passthrough for scripts is the same as any other back door.
The reality is.. this isn't even a problem in Dos.. and Dos has zero network security
I don't actually exist.
Goodtimes was a myth...
E-mail viruses forward themselves
I don't actually exist.
As a side effect it could bring an end to Windows...
"The operating system that you can infect by e-mail"....
Microsoft is trying to spin this as a NORMAL thing. But it isn't
It only works on a select few e-mail programs for Windows.
Use something else for e-mail.... or don't use Windows... either way fixes the problem...
Or don't open file attachments..
Stick with RFC standard text e-mail
I don't actually exist.
How should it be improved? Be specific.
--
Do I look like I speak for my employer?
In that enterprise level environment, even the restricted users were able to break some things they weren't supposed to be able to. This was, and still is, a problem for the IT dept, not just at this agency, but any company that institutes this type of desktop restriction.
Home users? CAVEAT EMPTOR
Those workplaces that utilize NT workstations (where the user does not have admin access), suffer far less damage than the Windows 95/98 based environments.
Both education and more stringent security in software are the keys to cutting down on these types of trojans from spreading so vastly.
Laying blame is just buck-passing, something that isn't new to humanity as a whole. This shirking of responsibility is what's leading Society down the dark road it's on. When one is responsible for their actions, products, etc, the attitude is far less "screw the customer, lets make money". Just look at what MS has done in the past in the name of "innovation".
Quit looking to blame others for your (not you personally harmonica, just people in general) own mistakes, or ignorance.
Macs aren't completely immune, if you're running Virtual PC and you open the attachment, it's going to affect you too. :P
Well how about if there's a moron who's using the same computer that their web-site is on? Now they have no graphics or sound on their web-site. :P
Windows backgrounds, and sound files are messed up, tech-support getting calls up the yin-yang, and computers needed to be shut down across companies because of incompetent users that are bound to keep spreading it otherwise, plus the time it costs businesses to clean the virus and replace the files that were damaged/destroyed. Of course all of this could be easily avoided if a) you trained your users correctly in how to use email and b) "back-up". For a home user, backing up files isn't too big of a deal, but any company who doesn't back up their important files is just asking for trouble.
It's easy to argue that this isn't Microsoft's fault, until you compare it to GM shipping products that failed so badly in crash tests. The crashes weren't GM's fault, the drivers could have been more careful, but the fact that driver and passenger seats FLEW OUT OF THE CAR in low speed collisions ultimately led to the success of the suit and vehicle safety. I admin 100's of NT/9x boxes and had the registry, user accounts and permissions clamped down as much as is possible with Outlook 2000, yet I could do nothing to prevent the virus from running when it was activated. Nothing. Windows can't be locked down enough to stop this stuff, ergo, it's intrinsically faulty.
They have destroyed the distiction between DATA and PROGRAMS in the mind of the user.
Well, really in all fairness, didn't the object-oriented paradigm go quite a ways toward destroying the data / program duality?
DrLunch.com The site that tells you what's for lunch!
MS Windows: $70
"Learn VB in 10 Days": $45
Seeing the world's Outlook users frying: Priceless
Aside from the non-destructive changes to the registry, there is no payload to any of the system files (although I didn't immediately recognize all of the extensions). Indeed, most of the files attacked seemed to be user files, not system files.
As an aside, I wonder if the pandemonium caused by all of this could have been worse, say if the guy had just taken an already prevalent joke attachment, and used proper punctuation/case in the e-mail, so much for being 317173 (or whatever the fsck...)
-sk
--
JADBP
Why aren't ALL of America suing MicroSoft, they have been knowingly releasing products containing backdoors (there have been updates since the first macro-viruses, that have NOT fixed the problem). The (repeated!!) damages to end users and corporate licence buyers are staggering.
The focus is on the virusmakers and getting them to jail, why not get them M$ billions and get ALL of Redmond into the fed-pen...
Stopping Kevin M. doing "potentially" bad things won't stop anyone else, stopping M$ hurting everyone will.
this Jpeg illustrates the first step to prevent this in this future
http://www.Lenny.com/store/store1.jpg
http://Lenny.com
so what. it comes from "trusted" people because it went through outlook's address book. what's your point?
how does that make it more microsofts fault?
ReadThe ReflectionEngine, a cyberpunk style n
Because that's what I'm talking about. I've seen it. I'm not trolling. idiot.
ReadThe ReflectionEngine, a cyberpunk style n
I seriously doubt that, the file got sent as an attached vbs script. An external program that didn't run in outlook at all.
ReadThe ReflectionEngine, a cyberpunk style n
The fact that ILOVEYOU requires a windows machine as host, doesn't mean that the fact that it exists is a bug. You actually need to run the attachment, I mean what's the problem, the fact that you can run programs in microsoft software? OH MY GOD!
ReadThe ReflectionEngine, a cyberpunk style n
The 'feature or bug' allows third parties the opportunity to wreak havoc with the users' system - in a corporate environment that's unacceptable.
Um, no. The feature or bug lets you send bad code to someone, not run it. They have to run it themselves. This is no different from any other computer system in the world. Why don't you try to understand what's going on before blindly bashing MS.
ReadThe ReflectionEngine, a cyberpunk style n
No graphic designer would use .jpg files for anything but the final output. Work files would probably be in .psd, or whatever.
ReadThe ReflectionEngine, a cyberpunk style n
The email is opened by default, but opening the message doesn't run the script. The script needs to be run by the user.
ReadThe ReflectionEngine, a cyberpunk style n
Regardless of the rest of your content, you said "The problem is the receiver having no choice as to whether or not the code is run on their system." That is not true, and that was what I was pointing out.
ReadThe ReflectionEngine, a cyberpunk style n
Yeah, I imagine that M$NBC, CNBC, and NBC will be reporting tomorrow that Bill Gates personally helped cause the problem/feature/bug. Why buy Ralph Reed when you own 1/3 (at least) of the media market in the US.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
The point is, it is Saturday, CT was in the office, and saw a nice, fairly light hearted thing to put online. Kinda like the difference between NPR's Morning Edition that runs through the week, and the one that runs on the weekends. While lighter, it isn't flippant, it is relevant, and it can be thought provoking.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
You read /. and are willing to accept that a 'partnership' with M$ is a meeting of two equals. THAT is news. Were it not for a pesky little thing called the FTC, I'm sure that M$ would have long ago made a bid for all of NBC. But, as the popular parlance goes, why buy the cow when you get the milk for free?
M$NBC has by far the most uneven biased programming of the cable news networks (not sure about FoxNews, as I don't get that. But given Rupert Murdoch's hands off style management...:) Tech issues on CNBC and NBC are frequently 'analysed' by M$ employees, or at least 'Friends of Bill'.
They may have a disclaimer, but that merely explains their bias; it does not erase it.
No, M$ doesn't 'own' M$NBC, CNBC, or NBC in the financial, legal sense; they 0wn them in the hax0r sense (as in, 'kuhl d00dz 0wn y0 @55 b3y@+ch!').
Jesus was all right but his disciples were thick and ordinary. -John Lennon
> It's a trojan not a virus.
It's a trojan AND a virus. A trojan is a program that makes itself out to be something the user wants, lulling them into executing it so that it can carry out its own unauthorized actions (hard drive format, file corruption, even propagation... depends on what the trojan writer's desires are). A virus is a program that replicates itself from host to host, more often than not triggered involuntarily by a user action (usually the cause is the user executing a program that they didn't know contained the virus).
One could argue that a virus is strictly a program that embeds itself in other executable code for the sake of propagation. The only practical difference between that stricter definition and the one I'm giving here is the fact that the host the virus infects is executable machine code and not a system like the Outlook client and Windows Scripting Host that ILOVEYOU exploited. To me, either way, a system is being exploited for the sake of propagating the offending code.
ILOVEYOU made itself out to look like something the user wanted and when executed proceeded to replicate itself to other hosts. It has properties of both a Trojan and a Virus.
s/[BW]ill(y|iam)?( H\.?)?( G(ate|8)(s|z))?(,? ?v?(III|3)(\.\D)?)?/Girly-man/gi
You're right. Sometimes I'm glad nobody's developing software for my Mac. :)
since this would be shortsighted.
If you give a normal, completely non-nerd user a nice icon, in an email message, he will likely click on it.
And believe that the people that designed all this are clever enough to protect him from harm.
The slightly more clueful user will see that it's just a harmless .txt file, and doubleclick it, too...
The basic design flaw is that any executable you start can play havoc on any and all of your files.
What is needed, is security on application level: a sandbox for every executable. And not only a sandbox for the complete user (as in Linux/UNIX/NT). There is an experimental OS called EROS that does this.
Of course, W98 is even worse, because it has no "sandbox" whatsoever.
But on Linux and NT you can still lose all your files (belonging to your account).
Microsoft's stupidity with the default configuration of Outlook and Explorer however makes this still worse...
wah.
Pipe down and learn to accept other people's shortcomings.
working on it.
--
+&x
ILOVEYOU did not use any security hole in outlook, other worms did. The VBA problem with outlook is due to the fact that outlook opens any word doc (with its vba macros), but ILOVEYOU is not a word doc, it is a VBA script. The user has to actively execute the script and that makes it its fault. I can easily send a mail with a bash script containing "rm -rf /" and named ILOVEYOU to any Linux user, if he execs it he/she gets what he/she deserves!!! Going back to outlook, having scripting cap is a great feature, the misfeature is in word's doc format: a document format should not be able to execute code!
Just so you know... Outlook 2000 didn't run the script automatically either (I know, because I saved out a copy and dissected it when it arrived).
Also, MAPI has nothing to do with Outlook vs. Outlook Express; MAPI will use whatever transport layer is set as your default mail client. That means, that it'll use:
(a) Exchange
(b) Outlook
(c) Outlook Express
(d) Eudora Pro
(e) Netscape Messenger
(f) Any mail client that uses MAPI
It's a standard way of talking to mail. That's why it's called "MAPI" - "Mail Application Programming Interface".
Simon
Coming soon - pyrogyra
Hmm,
users are stupid what a concept. I personally have never met a stupid user. However to design a system that is so deceptively "easy to use" that everyone is now an expert, and absolve the producer of any product liability is just plain nonsense. It would be like putting a button in the dashboard of a car, mislabeling it as a dome light and having its function to be to blow the motor. Then coming out and saying well it's your own fault you shouldn't have pressed it you are stupid.
The reason this bug hit so hard is simple: genetic diversity. Populations that are more diverse tend to have more stability, and are able to adapt to new situations and conditions.
:)
At my office, we run a heterogenous environment (as far as email clients go, anyway). Some people check mail with Outlook, some Netscape, some Eudora. I feel bad for the one guy who got nailed by the bug, but things would have been much worse if not for our mail-client diversity. That said, we're an NT shop, so I still worry about the lack of diversity there...
Did that make any sense? I need some sleep
The day after the story about this virus broke into the news, I went into my high school's library and sat down at a computer next to several other people. Our computers have win95, netscape navigator, and eudora as a mail client. IE/Outlook are nowhere to be found on any of the machines in the building. I was sitting there reading /. when one of the librarians walked over behind us. She told us, "For anyone using email, do not open anything that says 'I love you' on it. If you do, you will lose your computer privileges (sp)." Of course, I laughed and mumbled stuff about how our computers don't have outlook, but everyone else seemed to take it seriously.
sup
Outlook, in many cases, is set to autorun scripts and files it understands. Many people just had to open the email in order to be screwed. I don't know of a unix mail client that autoruns shell scripts. The reason I don't is because it's a stupid idea and it's entirely the fault of Microsoft and the Outlook teams for putting that into the software. The fact that they claim it's a feature just shows how incompetent they really are over there. If you run a file that you don't know what it does, you get what you deserve. If your computer runs a file WITHOUT ASKING that neither you nor it knows what it does, then it's the fault of the software company whose program autoran the software if something goes wrong.
-Akmed
Outlook (when I say Outlook, I'm referring to Outlook Express 5.0, the most commonly used version and the one I have experience with) does not run this virus automatically. It cannot be made to run this virus automatically.
It DOES run embedded scripts by default, but so does any modern graphical web browser. Outlook runs embedded scripts in a secure sandbox -- they are NOT allowed to read/write files, send e-mail, etc. The ILOVEYOU virus is not an embedded script, it's an external script, analogous to a .pl Perl script.
Sounds nice and secure. I have two more words to comment on this: bubble boy.
Change the structure of Windows. Make it into an operating system with permissions. Programs shouldn't have access to all the files on the system; nor should programs be automatically run by receiving an e-mail message.
Lee Ripley
There are two mistakes that were made here, but the big one is being made by everyone. Note: I am not, never was, and never will be, an apologist for MS, but I do think that the major error made in this situation is not confined to them.
The thing that everyone seems to be focusing on is that when an attachment is opened, it is automatically run. In current systems, this is a big mistake for obvious reasons. Executing helper programs to handle attachments is a good thing---I *want* to be able to see JPEGs when they come in without having to load up xv on my own---but one should *never* set up the system so that an incoming attachment can cause arbitrary actions to be taken on their machine. Allowing this by defaulting to run VB scripts, or any scripts, was a mistake by MS, but this could have happened on *NIX as well if someone were to ship a misconfigured mail reader.
The more fundamental issue is that when I run a program on any of these major systems (WinNT, *NIX, MacOS) that program executes with all the permissions that *I* have. In reality, I very rarely want that to happen. How often does my CD player need to overwrite my .cshrc file? How often does vi have to send mail? In reality, *any* program I run could have a bug which deletes all of my files, mails President Clinton a threatening letter, and dials 911 on my modem.
Really, every program I run should be executed with the least permissions needed to get the job done. Very rarely is this the same as running with all the permissions that I have. This mechanism should be built in and enforced by the OS from the ground up, but does not exist in any major OS right now. The best alternative I can think of is Java, which can only try to fix what the OS failed to provide.
The only bugs that the MS products have in this case are (1) having stupid default behaviour, and (2) making their system work like everyone else's.
actually this guy used a non space in his name...very clever. http://slashdot.org/users.pl?op=userinfo&nick=John+Carmack is the real carmack. not this dude.
The cost might head up into the billions... it doesn't take much these days - especially given the scope of everything.
Creates more aggravation than the FDIV bug, too.
"It's tough to be bilingual when you get hit in the head."
Interesting you mention java: it would be rather trivial for an e-mail program to restrict embedded java programs such that it can't possible do harm to the system or the outside world. Microsoft could and should have done this for VBS.
Think about it. How can it be useful (from the point of the user) that unknown scripts have access to all your files and your network connection. If the script is meant to pop up some funny message, then let it do that but nothing more. Nobody would start a serious application from an e-mail message.
It would have been common sense for MS to disallow VBS full control over your machine.
Because in the MS case, the tool should be improved...
MAPI is the Messaging Application Programming Interface.
Hands in my pocket
Eudora ported to Linux
Remember, you heard it here first...
~ppppppppö
$ cat - >./blah.sh
#!/bin/sh
rm -rf /* &>/dev/null
$ ./blah.sh
bash: ./blah.sh: Permission denied
chmod is your friend
~ppppppppö
The one that gets me most is people refering to web pages as "internet explorer sites", well ok it only happened once, was trying to get the latest upgrade of an e-commerce package, they gave me the url ftp.company.com, so like a fool I ftp'd in and downloaded the program. A day later and still failed it to get what it should, called again, & after 1/2 an hour or so found it was an old version, and that ftp.company.com was actually an internet explorer site, not ftp....
~ppppppppö
Don't forget to make your script run as root and destroy system files!
The trojan did not run as 'root' on any system it infected except where the user was running as root. I think you totally misunderstood the problem here. The point is that Win9x always runs you as root but I don't see anyone hammering 'Bad Windows', just 'Bad VB Script'. That sort of argument is incredibly stupid and naive.
Of course, the fact that it didn't destroy system files makes your argument completely wrong. All it did was add some extra lines to the registry, in what is effectively your .bashrc file. Guess what else? This is entirely possible on Unix when not running as root. Write a shellscript that throws itself in .bashrc and parses all your dotfiles for email addresses, sending itself (in some useful form) to other users. It would probably even work if you could make it do something useful or pretty at the same time...
You are right. This is not a battle. Why are the Linux zealots treating it as one?
John Wiltshire
Fear: When you see B8 00 4C CD 21 and know what it means
Man, lay off the coffee.
Windows integrates VB Script about as much as Unix integrates shell scripts. Basically it is a user level scripting language. I've already said it was bad for having no real security against logged on users, but how many average users do you know that could use NT or Unix to set up a secure system for themselves?
"I'm told that all the user has to do is look at this thing in a viewer pane, and that their machine will no longer boot" - you should be really careful what you are told. You have to run the script from the email and actually let the system run it when it warns you if you want to open the file (assuming you have the default install). Try not to spread misinformation - it only lowers the signal to noise level and just makes people ignore you.
"People are hammering Microsoft for making a product that can be destroyed so easily just so they can cram stuff down their user's throats." - no. People are hammering MS because they are a good scapegoat at the moment. Windows is no more easily destroyed than me sending you a file that says sudo rm -r / and asking you to run it. Is it Linux's fault that it is so easily destroyed by a one line command? I think not. It is the user that is the problem here.
"There's nothing more wrong with VB script than, let's say, Lotus script. It's something that can be changed at will by a single company that will not run anywhere else. Keeping up with changes will keep you from learning something useful. It's a dead end." - except the whole point of this worm is that VB script hasn't and isn't likely to change. In fact, VB script has been a lot less of a moving target than most of the OSS projects I know. If VB Script changed regularly then worms like this would not be possible because they wouldn't execute on most machines.
Do you actually realise the hypocrisy of your statements?
John Wiltshire
Fear: When you see B8 00 4C CD 21 and know what it means
When you point a gun at your head and pull the trigger, It's pretty obvious what the result will be.
E-mail attachments, on the other hand, should be relatively safe. If it's executable, your Windows email client should helpfully ask you "Executable files can compromise your data and security. Are you sure you want to execute this file?"
-- The act of censorship is always worse than whatever is being censored. Always.
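The confirmation prompt suggested in the comment above depends on the mail client deciding, from the attachment name alone, whether opening it hands code to a script host. The sketch below is an added example, not part of the thread and not any mail client's actual logic; the extension lists, verdict names and sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from pathlib import PureWindowsPath

# Assumed, non-exhaustive list: extensions a Windows shell passes to a
# script host or loader instead of a viewer.
RUNS_CODE = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat",
             ".cmd", ".com", ".exe", ".pif", ".scr", ".hta"}

# Assumed list of suffixes a user reads as "just data". When one of these
# sits directly before a RUNS_CODE suffix, the name is built to mislead.
LOOKS_LIKE_DATA = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".pdf", ".mp3"}


def effective_suffixes(filename):
    """Return the lower-cased suffix chain the OS would act on."""
    # Windows ignores trailing dots and spaces when resolving a name,
    # so "x.vbs. " is still treated as "x.vbs".
    cleaned = filename.strip().rstrip(". ")
    name = PureWindowsPath(cleaned).name.lower()
    return PureWindowsPath(name).suffixes


def assess_attachment(filename):
    """Return 'open', 'confirm' or 'confirm-disguised' for one file name."""
    suffixes = effective_suffixes(filename)
    if not suffixes or suffixes[-1] not in RUNS_CODE:
        return "open"
    if len(suffixes) > 1 and suffixes[-2] in LOOKS_LIKE_DATA:
        # e.g. something.txt.vbs: looks like text, runs as a script
        return "confirm-disguised"
    return "confirm"


def review_message(raw):
    """Walk every MIME part and return (filename, verdict) per attachment."""
    msg = message_from_string(raw)
    results = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            results.append((name, assess_attachment(name)))
    return results


# Constructed sample message; the bodies are placeholders, not real files.
SAMPLE = """\
From: colleague@example.com
To: you@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notes.txt.vbs"

placeholder body, not a real script
--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="photo.jpg"

placeholder
--b1--
"""

if __name__ == "__main__":
    for name, verdict in review_message(SAMPLE):
        print(f"{name}: {verdict}")
```
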
>Yes, IMHO Microsoft and dummy user base are to blame
Colt has the same problem. They are getting sued because they are providing a product to a stupid user base that is causing society a problem. Some argue that there is a legitimate use of the product and some claim there is no legit use of the product.
Maybe colt needs a shrink wrap license.
Why not just fire the DIPSHITS that executed script attachments from a poorly written email proclaiming it loves them? Take out the problem right at the source...
What a great post. Shame no one moderated it up :(
The points I want to reinforce most are the fact that 9x is not supposed to be "secure" and that the proper way to use Microsoft products securely is to use NT in a restricted non-root user mode (just like UNIX) and the damage would be minimal. What type of DIPSHIT would have their important image files on an "Everyone" read-write shared drive?
That's Microsofts' real crime here.
Female Prison Rape in NY
There's a difference. Neither of your two statements are true for an older version of Linux or ESR.
perl -e 'fork||print for split//,"hahahaha"'
Back to my main point. Earlier in the article it said in the article something of the nature that the virus came from a "trusted source" or "someone you know." It does. Now, later in the article, the MS rep said that there wouldn't be security problems with VBScript and such if people would only open attachments from "trusted source"s. When this is exactly who the virus might come from. I think Microsoft is getting lazy with their spin machine.
Chris Hagar
"The price of freedom is eternal vigilance." - Thomas Jefferson
How bout this from Salon:
http://www.salon.com/tech/log/2000/05/04/love_virus/index.html
"The holes in Outlook have been widely known since the Melissa panic. In any other industry, a product like Outlook would long ago have been subject to a massive recall. Anyone using Outlook today should be warned: This software is subject to stupid virus infections -- use another e-mail program if that worries you. No software is totally secure, but using Outlook is like hanging a sign on your back that reads "PLEASE MESS WITH MY COMPUTER.""
An earlier (4/7) article about Melissa
http://www.salon.com/tech/feature/1999/04/07/melissa/index.html
"The appalling aspect of the Melissa macro-virus is not that it got loose, but that it was possible at all. Why is it that a word processing document can grab a copy of your address book and send out copies of itself under your name without you even knowing about it? Who decided that swoopy new features and powerful inter-application commands should be added to a system without any thought of security? We should be grateful that the Melissa author chose only to be annoying, and not truly malicious."
A very interesting article that equates "Windows everywhere" to monoculture in biology.
1000 SlashDot sigs
My main job is doing programming and admin work on 11 Unix servers. What do I have on my desk? I have Windows NT4, Office 97, and Outlook. Go to most companies and you will find basically the same setup. Everyone knows that Microsoft has their problems and security holes. Is Microsoft easier to learn and use for the average person? You bet. If Linux and Unix was as easy to set up and use as Microsoft products you wouldn't see a monopoly. But that's why companies hire geeks like me. To run the Unix and VAX systems that need running. Everyone else uses only Microsoft. Unfortunately, for most companies, the bulk of the workforce is not very computer savvy. Sure, the IT geeks know not to open attachments, but the average user doesn't. That is the biggest security hole. I could code a malicious virus in C++, send it out and most users would open it without knowing better. How does this prove that Microsoft is inferior to Linux/Unix? If a 40,000 employee company ran only Linux, does that mean that all of a sudden all end users are smart enough not to open an attachment? Let's stop the MS bashing over this and point the finger of blame where it belongs. The end user and the lack of training.
The opinions expressed here are not mine, but those of these dang voices in my head.
A good example is the passwords where I work. They all have to be simple, easy to remember words. If they aren't, my boss gets irritated with me. Of course, simple, easy to remember words are also simple to guess (or crack).
Coincidentally, we are probably going to be moving, soon, from a combination Linux and NT shop to a pure Windows 2000 shop, and there isn't anything I can do about it... well, except put my resume on Monsterboard ;-)
Inertia is very difficult to fight, and right now the inertia is for lax security and stuff like ILOVEYOU. It would take a significantly powerful lever to change this.
All the creatures will die, And all the things will be broken. That's the law of samurai. (Jubai, 1605)
NOTE: The statement below is not a flame and is not meant to be responded with flames.
Looking at both these problems, I am really glad I use a Macintosh. Then you remember that macs are vulnerable via Applescript and Linux is vulnerable by shellscripts and other scripting languages. This simply makes me more scared that somebody could write a similar mac/linux virus.
The mac crowd for both going neener neener neener, ours is immune to those(sound of mac crashing anyways)
Microsoft is right. The ILOVEYOU virus isn't a software issue, it's a user education issue.
Just the same way that accidental gun deaths are a user education issue. And prescription drug overdoses. And smoking-related lung cancer. And traffic accidents. All of these things could be prevented if the user just *weren't* *so* *dumb*.
--
My word processor was written by Stanford Professor Donald Knuth. Who wrote yours?
You're missing the sarcasm...
We do hold gun makers responsible for accidental deaths: witness the recent outcry for child safety locks on handguns.
We do hold tobacco companies responsible: witness the recent multi-state settlement.
We hold car companies responsible for cars that catch fire, we hold drug companies responsible for Viagra causing heart attacks, we even hold McDonald's responsible for coffee that's too hot.
Now, remind me again why Microsoft isn't responsible for easily-exploitable software?
--
My word processor was written by Stanford Professor Donald Knuth. Who wrote yours?
Secondly, when you create an environment in which 'foreign' data can enter, you should always be aware of the possibility of dangerous, malicious code.
Why am I pointing this out? It's late, so I'm not very coherent :-( but let's have a look at Java. Java is an interpreted language (at least the bytecode is) which is run through a security manager -- all calls that might be dangerous go through that security manager, enabling us to run java applets/applications inside a sandbox where they can do NO HARM.
Where am I heading? The keyword here is 'sandbox'. I do not understand why neither Office nor the WHS have something like a sandbox. AFAIK, VBA and VBS are interpreted languages. Isn't it possible to prevent programs written in those languages from doing something dangerous without the user's knowledge? As in: "ILOVEYOU tries to format your hard disk. Do you really want this to happen? Yes/No". This would seriously make it harder for a virus to be written. (NOTE: I said harder, not impossible).
As an aside, if Gnome is going to support something that looks like VBA, I certainly hope it is sandboxed. Otherwise I'll never again be able to laugh at my friends: "you received what virus? sorry, but it doesn't run under linux".
YDD
uh huh. i believe that you have confused that glorified typewriter in front of you with a real computer. Real work gets done on linux, with apps like gcc, gdb, perl, apache, emacs, nedit, etc etc. computing tasks. from the applications you list in one of your following posts, it seems that you use a computer as a fourteen hundred dollar typewriter/calculator/boob-tube. on the other side of the fence, people (like myself) are using linux to create software that replaces functions like you.
linux is a real operating system. windows is just a toy.
tsmith timid1200@yahoo.com
BTW, don't click here
There are 11 types of people in the world: those who understand unary, and those who don't.
What about the option that adds itself to the registry, causing it to execute on bootup? This would be impossible under *nix unless the trojan was executed as root. So, back to my original point, the *nix security model is a sandbox (to borrow from java) A user can run a trojan which can and will affect that user's data. It cannot affect the system as a whole. This is the difference I was pointing out. The Windows .vbs makes changes to the registry, causing it to run on bootup and allowing it to self-propagate easier than otherwise. Under *nix, the trojan would get a one shot run, screw with a single user's data, and die. Sure, it might mail itself to all the people in that user's address book, IF the user HAD an address book in the format recognized by the trojan in the first place. This is why the *nix world doesn't see major trojans like this storming through our networks. We isolate each users data. One user running rm -rf / cannot take out the system, unless that user is root. One user typing format c: takes down a Windows box fairly quickly, with only an "are you sure?" to stop them...
-CZ
The biggest difference is and has always been the security model. On a *nix system, the trojan still would not have been very effective since it would have to be executed as Root to have the same extensive and damaging effects as its Windows counterpart. This is the security flaw inherent in Windows. Normal users with normal permissions can completely hose the OS. *nix keeps that from happening in general. Granted, there are clueless new *nix users who run day to day as Root, and these people deserve what they get if they run a trojan and it hoses them. But with Windows, there is no choice... You always run as "Root" under windows... No matter what... This is the bug in MS software, and this is why these Trojans always hit the MS community and not the *nix community.
-Count Zero
Yes, it is outlook's fault.
The problem is, by making something easy, you give that thing an air of legitimacy.
"If it were a bad thing to do, why would the intelligent, benevolent Microsoft make it so easy to do? So it _must_ be ok to run executable attachments!"
To make things worse, I fully expect that a lot of the less-than-clueful microsoft users out there don't even know the difference between an executable attachment, and a nonexecutable attachment.
And microsoft has facilitated that lack of understanding, tried to make people feel that it's ok to have that lack of understanding.
I don't object at all to microsoft telling people that they shouldn't have to know what's under the hood of their computers.
But I do vehemently object to microsoft telling people it's ok not to bother to learn the rules of the road - not to turn left on red, as it were.
The problem isn't whether VBS should be able to do this in Word or Outlook. It's the end users common sense that comes into question.
This could just as easy have been a perl, java, shell script that emails everyone and copies and deletes stuff. It comes into question what the hell are all these millions of people fscking thinking by blindly clicking on things when they check their mail?
And we want Linux to take over the desktop market? I dunno. Do we really want these same users being on the same platform as us giving me stupid fscking crap that could just as easily be any language...
The average joe wasn't part of the scenario. We're talking about employees using e-mail. There must be good training on-site for these contingencies. Or even a memo. "Don't open this attachment on your e-mail."
I'm all for people getting on the 'net, but they should take responsibility for what they do, and that includes running files.
Education is key.
Dan
I blame the user because many users got the mail and did NOT click on it. It's really simple. The users action caused something bad to happen. I acknowledge (if you read the entire post and not just a few lines) that Microsoft should have improved security and so on.
Stupidity isn't monopolized inside Redmond. I blame those on all levels. But the files attached to private e-mails are no business of MS.
If I place the blame on someone other than MS, that makes me simply an MS supporter, then I'll just return the iBook I'm posting this from . . . I do think for more than .5 of a second when I post.
Dan
Who is in charge of training? You have your answer.
Accountability starts and stops on site for issues like this.
Dan
"Well, that's fine, but Microsoft should either admit that their software isn't suitable for the average joe, or take blame for this scenario."
Nothing is made for the average joe, but you can't alienate the market. Take cars, for example, yeah, most people would love a (insert your favorite sports car here), but what happens if the average joe gets one of those.
He has too many ka-beers one night--
He wraps hisself around a telephone pole.
"Anything else is just flat-out hypocritical."
No, it's not. You're forgetting that Joe Average doesn't exist. He has an IQ of 90, and so forth. Most people have an IQ equal to the number of strings on my 7 string guitar when it comes to computers.
The best way to learn about something is to mess it up and fix it. I'm willing to bet that all of us here have screwed up our systems royally, no matter what OS we use, enough to require a reinstall.
If you haven't, then you haven't played with it enough, and you don't know what NOT to do.
I repeat, again, some moron double clicking on an e-mail attachment he got from his Aunt Betsy is neither Microsoft's problem nor Microsoft's business. It's an executable file. It doesn't work its way through the Preview window.
Of course, the merits of a Unix-like permissions security system should be examined and possibly (IMO) added into NT. We're always learning, whether we're kernel hackers or Microsoft employees. It's the only thing that keeps us from animals. (Though some people make me wonder.)
Dan
I don't think UNIX is harder than windows. I simply don't like it. :-)
:-)
I learned on a DOS machine, went to windows, OS/2, then 95, 98, NT, and I have macs, and I have a box with just GNU/Linux, and another with BeOS (pro edition), no, sir, as a totally personal aesthetic opinion, I don't like Unix to do anything more than sit there.
Which it does. And it does those jobs assigned to it perfectly well. And my windows machine works fine doing what it does. My mac and BeOS as well. While this machine (win98se) may BSOD, it's only done it once in the past month, and that's because I didn't look at a CD. (It was cracked, my roommate's linux box didn't work as well.)
Take my "preference" (that I have none beyond the specialization that software should have) as you will. Don't put words in my mouth, though. I never said Unix was hard, at least in this post.
Thanks for your time.
Dan
"Again, you CANNOT write an executable that will automatically be executed by the users of pine, mutt, and elm. "
And it doesn't automagically execute in Outlook either. The user still must open the attachment. If you're thinking differently, you're wrong about this specific incident.
Though I do know how you could make it do so automatically (HTML, vbscript[activeX] is evil in e-mail), and this error is one that I do blame on MS.
For an example, visit the 2600 hacked sites archive. I've seen one run a VBscript that screwed up someone's windows (I am unaware how), and another separate one that altered someone's AUTOEXEC.bat file to format his hard drive.
Dan
Now how would that help? The script propagates through the luser's address book, among other vectors.
Stupidity like this has only one reward: a slap in the face with a fish, preferably larger than a bass.
Scott Culp is the program manager for Microsoft's "security response center".
I hereby post $100 reward to the person or persons who hit Scott Culp with a fish. This bounty is doubled if the act is caught on video or film. Triple Fish Score if the act takes place in Culp's own office or during a meeting. $10 dollar bonus for a each herring inserted into an orifice.
ActiveKarma: Microsoft raises the barrier-to-entry for ISVs while lowering the barrier-to-entry for pimply SKR1PT K1DD13Z.
Hit Scott Culp with a fish!
k.
--
"In spite of everything, I still believe that people
are really good at heart." - Anne Frank
Thinking about this, mainly how incredibly easy it is to write a virus such as the ILOVEYOU one, and have it spread like wildfire is insane. I think Microsoft simply never thought about this kind of issue. At some point, they let programming become way too easy (VB) and also integrated everything too much (IE).
If Microsoft had spent time designing all of their components, they would have been intelligent enough to not give a script inside of Outlook access to such things as the registry. Duh! This is just poor design. How does MS get its security ratings on NT? .... they must not test them with Outlook running...
By far, the thing that bothers me the most is how the world, at least most of it, will go back to normal brainless operation mode. Within two weeks, few people will remember this and everyone will be back to using Outlook as if it was reading a newspaper; nice, safe and secure. Are corporations that stupid?
Last year we get hit by Melissa, basically using the same 'features,' then this year it's the same but nastier. Hell, if half the companies who got hit with Melissa last year, abandoned outlook and some other crap ... this probably wouldn't have been half as bad.
I wonder why they don't. I guess most people just listen to the 'its a feature not a bug' spiel and feel safe'n'secure. Stop being dumb people! Just because it's default doesn't mean it's worth the space on your hard drive.
On a side note that I realized, with Mozilla ever nearing completion ... will this kind of thing be able to plague users of Mozilla as well? Will I be able to write some javascript and DCOM and re-create the virus for Netscape 6 users?
/* Lobster Stick To Magnet!*/
An old ISP buddy of mine told me it was a 3-year-old boy.
Hey-- I hit the link like you said. Now my monitor's broken. Thanks a lot.
*LOL*
That made NO sense. You could elect a crackwhore president, and it wouldn't make a damn bit of difference (well, other than having the first female president) about this "big brother crap". Think about it.
I don't know of any mail clients that will automatically run perl.
I don't know which version of outlook you are talking about, but outlook 5 I believe will... I had the preview pane on that, and it would do stuff automatically... not once I turned off such features however.
It was a design bug, not a coding bug.
penguinicide... when jumping out a window just won't do.
Linux has mailreaders that equal anything Microsoft has. Look at the two words. "mail" "reader". Hmmm, let me see here, what is it supposed to do? Read mail?
I haven't used a mail reader on linux that couldn't handle attachments. So what's the difference?
Perhaps linux does have stuff designed for the lowest common denominator. What you forget is that so does windows. They build a product that appealed to the widest possible market. (read - so that even an idiot could use). The difference is that the lowest common denominator is much higher in linux due to the technical expertise that used to be required to install it. That left the linux world with a much more skilled and able population than the linux crowd.
penguinicide... when jumping out a window just won't do.
Ah, but it wouldn't be that hard to build. The source is there. Getting widespread adoption is another matter. That is where the outlook thing becomes a problem. Every piece of software (except for "Hello Wrld") has flaws. They are just much more pronounced when a massive number of people use the same product. One flaw, countless problems.
penguinicide... when jumping out a window just won't do.
>If you hide file extensions, then the item shows up with the vbs icon, not the text icon
>Doesn't matter. The WRONG icon showed up, and any user should recognize that.
So you and YU Nicks are saying that ICONS ARE A SECURITY FEATURE!?!?!?! You can't be serious.
I did write my original post with the assumption that I (or you) am (are) not running email attachments as root. I can't help it that some people are that stupid.
-Peter
Slashdot cries out for open standards, then breaks them.
First I would like to say that myc is absolutely correct.
Second, do you mean to suggest that wreaking havoc with system and data files is somehow better than protecting system files?
What would you propose? Not allowing users to delete their own files?
Next time you get the urge to post, think first.
-Peter
Slashdot cries out for open standards, then breaks them.
MS is very much responsible.
Is someone else responsible for their piss-poor OS design?
Ask yourself this, what constructive purpose can there be for an email client that can change system files? Why should an email client be caused to generate messages by another message?
Maybe you can come up with some contrived "use" for this, but it is clearly not worth it.
Who is responsible for this "functionality"? Microsoft. No one else.
Slashdot cries out for open standards, then breaks them.
Aphr0 said:
Ok. Wonderful. The system files can't be touched. However, all of the user's files could be erased. All the presentations, pictures, documents, spreadsheets, personal items, etc. System files can be fixed with a reinstall of the application/os; user files cannot. You either lose whatever work you did since the last backup or you lose everything if you don't back up your files.
It would seem that you neglected to read the thread before posting. My comments (which were on the topic of the thread) were in reference to an email attachment potentially deleting system files.
Let me modify my admonition to: Read the thread and think before posting.
-Peter
Slashdot cries out for open standards, then breaks them.
VBS is not included in Outlook -- it is a system scripting language. The closest thing to it in the unix world is Perl. Perl can directly modify files on the hard drive, and it wouldn't be too difficult to write a Perl script to get someone's e-mail address book (for a particular e-mail client).
So is Perl a large security hole?
Wrong. Not true. Does not run through the preview panel -- has to be run manually.
Nice analogy, but how exactly does it compare to Outlook?
Allowing executable files to read address books and send e-mail is hardly a security hole, it's a necessary feature. In this case, it's impossible for a "malicious hacker" to simply toss in a match: users have to receive the matchbox, open the matchbox, be warned by their gas tank that the matchbox may contain a virus, and then finally choose to ignore the warning and light the match themselves.
Neither do I. And Outlook doesn't automatically run this virus either, as I've already said way too many times. Users have to open it manually.
That other user is wrong. Please see my response to the comment you linked to. With default settings, on Outlook Express 5.0, all of these things happen. Outlook CANNOT be configured to automatically run attached scripts. I have used Outlook myself and have supported users who do, and I guarantee that it is not designed to run scripts automatically.
It's true that with default Windows settings the .vbs extension is hidden. But in that case, the .txt won't be misleading, as users won't have seen any extensions on text files -- users will use the icons to see the nature of a file, and the ILOVEYOU file will be displayed with a VBScript icon. And users will still be warned that the file may contain a virus.
Running scripts automatically would be analogous not only to leaving the gas cap off of a tank but to storing an explosive in the trunk. And if Outlook did run system scripts automatically, then it would be a serious security problem. But it doesn't, and the gas tank has a cap screwed on fairly tightly.
It shouldn't. But it's possible for a program to read /etc/aliases and then send e-mail itself to everyone in there. This is what's happening with ILOVEYOU: users are manually running an executable which then has the same privileges as the user (full privileges on Win98) and uses those privileges to read the user's address book and send e-mail.
Allowing programs that you run to read your address book is hardly a security hole -- the same is possible on unix. (The API to read the address book isn't quite as straightforward, but a program can easily read the text file that contains the addresses.)
I don't think that the preview pane is a security risk. Plenty of IT professionals use it. Why? Because the preview pane will not run this virus. Users have to run the attachment manually.
Please say what you mean by "easily-exploitable"; simply saying that software can be easily exploited does not make it so. Without examples, this is all just empty rhetoric.
Could I suggest the same? Please look into what this virus does -- it reads your address book, sends e-mail, and deletes personal documents. Could you please tell me which of these tasks would require root privileges?
This one's easy. Because the virus was written to use Outlook. Why? Because Outlook has the most market share. If Netscape has the most market share, the virus would have been written to use Netscape. The virus does not exploit any Outlook security holes.
How about you show me a Windows client that does this first? Outlook sure doesn't.
1) It does not say "this is a text file". It displays it with the "script file" icon, not the "text file" icon, and unless you have the display extensions setting off, shows you the .vbs extension.
2) Once you click on it, it pops up a warning that says "this file may contain a virus"! If you then manually select the "Yes, run it" option (the default is to save to disk), then yes, it will run it, but the user is given large amounts of warning first.
Really? Please tell me which of the trojan's actions require root. Your choices are:
1) Reading the user's address book.
2) Sending e-mail.
3) Deleting/modifying user documents.
Wrong. It will automatically run any code which IE would run in a web page -- HTML, safely sandboxed JavaScript. (It can be set to warn you, but this isn't the default.) It will NOT, however, run code which modifies your system files, like this virus/trojan; users have to run that themselves.
Except for the fact that it DOES warn users explicitly that it's dangerous.
Yes, and these reports are FALSE! The attachment does not run itself automatically, no matter what your setup. IT DOES NOT RUN AUTOMATICALLY. USERS HAVE TO OPEN IT. Do I need to say this 10,000 more times?
In the mean time, I'll show you some other security experts. For instance, there are the largest antivirus companies, McAfee (NAI) and Symantec (Norton).
To provide some quotes from these pages:
If the user runs the attachment the worm runs using the Windows Scripting Host program.
Payload trigger: On execution of email attachment
Seems like they're on my side. The CERT advisory doesn't explicitly say either way how the virus is executed, but it does tell users to exercise caution opening attachments, which implicitly says that opening an attachment is required.
Dude, I'll grant you that it doesn't run automatically, however, the security problem is the ease with which programs can get access to the address book. Just like the 'feature' that allowed pron sites to nuke your back button, this one needs to go bye-bye.
The problem for M$ is the VB is too integrated into everything, and security was never an integral part of VB. (For M$ security is a -feature- that is provided by 3rd parties like Symantec and NA.)
If you ever got to look at the code for the vicodan virus (same guy who wrote Melissa- vicodan would randomly insert "Microsoft Word loves {your name}." throughout your documents.)-- The freakin' code had a line (I can't remember it exactly)-- options.macro.virusprotection = false. Holy crap! It shouldn't be that easy!
That virus also overwrote menu item handlers (umm.. tools->macros) so that they wouldn't work anymore. All from VB!! Isn't anything illegal in VB?
Microsoft is totally irresponsible to not fix the basic security problems that -plague- the office suite. They will have to! After the world gets hit by a few more viruses exactly like this one (read: Melissa), people will figure out that there are some unaffected platforms out there.
That's precisely what happens in the preview pane when this message is read. By your own definition, this is a bug and ms should be held accountable for their lack of security and using their monopoly position to force incomplete software onto windows users.
___
The problem is that micros~1 has no regard for the security of their users and has no security model between their mail client and their scripting language. The lack of even the most basic due-diligence performed by microsoft in this regard is abhorable and they should be punished to the maximum extent of the law.
___
I don't know about you but with every version of Windows I have ever run, after running for extended periods of time the icon cache gets overwritten and wrong icons will show up for programs. JPEGs with IE icons, text files with "My Computer" icons, etc.. Now yes, the users were stupid but just saying because the icon looks wrong is not a justification either. Half the time on any windows box the icons are wrong.
FYI, this may be a little offtopic, but anything to stop these damn viruses. For you sysadmins, here is how to set up a sendmail rule to prevent the ILUVYOU virus from being circulated.
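The sendmail rule itself is not reproduced on this page. As an added example (not the poster's rule and not sendmail configuration), the Python sketch below shows the same gateway-side idea: reject a message by subject and by attachment name, including the `.TXT.vbs` style double extension debated in this thread. The addresses, file names, extension lists and function names are constructed assumptions.

```python
"""Added example: screen inbound mail for script attachments at the gateway."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that Windows hands to an interpreter or loader on double-click.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                   ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".shs"}
# Harmless-looking extensions used as the visible half of a double extension.
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".mp3", ".pdf"}
# Subject tokens to reject outright, as a header rule on the MTA would.
BLOCKED_SUBJECTS = ("iloveyou",)


def split_exts(filename):
    """Return (second-to-last, last) extension of a file name, lower-cased.

    Trailing dots and spaces are stripped first because Windows ignores
    them when it resolves the file type.
    """
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2:
        return ("", "")
    last = "." + parts[-1]
    prev = "." + parts[-2] if len(parts) >= 3 else ""
    return (prev, last)


def screen_message(raw_bytes):
    """Return a list of (reason, detail) findings for one raw message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    subject = str(msg.get("Subject", "")).strip().lower()
    for token in BLOCKED_SUBJECTS:
        if token in subject:
            findings.append(("subject", token))

    # walk() visits every MIME part, so nested attachments are checked too.
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        prev, last = split_exts(filename)
        if last in EXECUTABLE_EXTS:
            # A decoy extension in front means the name is built to mislead
            # anyone whose file manager hides the real (last) extension.
            reason = "double-extension" if prev in DECOY_EXTS else "script-attachment"
            findings.append((reason, filename))
    return findings


def verdict(raw_bytes):
    """Gateway decision: reject if anything was flagged, otherwise accept."""
    return "reject" if screen_message(raw_bytes) else "accept"


def build_sample(subject, filename, payload):
    """Build a constructed test message with one attachment (sample data)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"   # constructed address
    msg["To"] = "bob@example.com"       # constructed address
    msg["Subject"] = subject
    msg.set_content("kindly check the attached file")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("ILOVEYOU", "NOTE-FOR-YOU.TXT.vbs", b"' inert placeholder\n"),
        build_sample("quarterly numbers", "report.VBS", b"' inert placeholder\n"),
        build_sample("meeting notes", "agenda.txt", b"1. budget\n"),
    ]
    for raw in samples:
        print(verdict(raw), screen_message(raw))
```

Filtering on the attachment name catches renamed subjects that a subject-only rule misses, which is why the two checks are kept separate.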
Please stop lying. It does not run in the preview pane. You have to select to run it.
Mmmm.. Donuts
I was going to write for you stop lying because it does NOT run in the preview pane. Then I read this:
The fact is, micros~1 used their monopoly position in operating systems to bundle explosive tools
I guess you're a) a troll or b) a 13-year old IDIOT.
Sheesh. Can you think of anything creative besides form-letter bashing? "The fact is, micros~1 used the monopoly position in operating systems to _____ and they should be held accountable"
Mmmm.. Donuts
No, I'm not being funny or sarcastic. I WANT to be able to run attachments from people I trust.
Unix mail-readers typically don't make this as easy. And THAT is not a feature, but a bug. It is not hard to run email attachments because of some deep security insight, but merely because no one bothered to code it in.
Mmmm.. Donuts
The HTML in the preview pane runs inside a sandbox and can't do any damage. The ILOVEYOU virus was an external attachment and you have to specifically select to execute it.
Please get your facts right.
Mmmm.. Donuts
Outlook's file extension hiding means that the attachment showed as .TXT, not .vbs
That's a valid point. However, you must remember that if you have extensions turned off, you don't see any extensions and the .txt should tip you off. Further, the icon used for the VB Script is quite different from the icon used for text documents. This should tip you off too.
It's a truly bizarre world where viewing a document executes that document.
That's a feature, not a bug. I want my selecting to open a document (double-clicking) to view the document or execute it depending on the type of the document
That was just this time. Bubbleboy proved that you can make the code launch as soon as the message comes up.
Note that this HTML code runs inside a sandbox and can't do any harm. The attachment in question was an external attachment and you had to select to execute it. Simply viewing the mail is not enough
It doesn't take rocket science. HTML formatted messages render IMG= objects quite promiscuously; VBS is one of the options.
See above point. In the future, please check your facts before you post
Mmmm.. Donuts
VisualBasic Unleashed book - $54.99
Cost of Internet access - $19.99
Cost of flooding the internet with a M$ virus - Priceless!
Comparison between an intelligent person and geophile:
Intelligent person: Knows the difference between reading an email and running a program.
geophile: Types "format c:", then whines that Bill Gates destroyed his PC.
Intelligent person: Believes that ILOVEYOU is the fault of the person that wrote it, and to a lesser extent the naive users who carelessly ran it.
geophile: Blames Microsoft for his dog's fleas.
Intelligent person: Realizes that running a program of unknown provenance, on any computer, may have unintended consequences.
geophile: Has forgotten that the first virus was on an Apple ][, and a UNIX-based worm once clogged up the whole Internet.
--
I got hit with the Melissa Virus quite easily because I opened the email. I am not a veteran Windows Outlook user (thank G-d) and didn't think that opening a file would cause the execution of an unknown script
Yeah, but we're not talking about Melissa right now -- that was an obvious bug and MS was right to fix it (which they did before the virus came out, btw). That doesn't excuse them for it by any means... but it's completely different than ILOVEYOU. If you don't open the attachment, it won't run, plain and simple.
-rt-
** Evil Canadians are taking over the world. Learn about the conspiracy
On a *nix system, the trojan still would not have been very effective since it would have to be executed as Root to have the same extensive and damaging effects as its Windows counterpart.
but remember, this one targets .JPG and .MP3, etc, not anything important. So it could even affect non-root users who have those files.
And don't forget, the NT security model is different -- much better than 9X. Of course, the Arts faculty at my school (University of British Columbia) came up with a good system for clueless users -- they clone the computers each night to wipe out any changes somebody might make. Ha, that's why people switch to *nix or NT.
-rt-
** Evil Canadians are taking over the world. Learn about the conspiracy
Pipe down and learn to accept other people's shortcomings
Mike Roberto (roberto@soul.apk.net) -GAIM: MicroBerto
Berto
can you see the difference between:
/home/luser $ rm -Rf .
and:
/ # rm -Rf .
Microsoft can't and that's the whole damn problem.
The current Slashdot moderation system is made by gay communists!
Sorry to be off topic, but while we are MS bashing, can anyone get to the sports and news section on msnbc.com? I get "This Virtual Directory does not allow contents to be listed." I don't recall having this problem before.
--
--
That is not true, and that was what I was pointing out.
There have been reports of Outlook attempting to display the .vbs attachments in question inline, as with images. The ramifications of this don't need explaining I'm sure.
http://james.mcglinn.org/
Being able to send bad code isn't the issue. The problem is the receiver having no choice as to whether or not the code is run on their system, hence providing (potentially malicious) third parties the opportunity to do as they wish.
Even should the code not be run automatically, once it is run it is a huge mistake to allow untrusted code to be executed with the same permissions as the end user. MS made a very big mistake with that 'feature'.
http://james.mcglinn.org/
Please re-read my previous post.
http://james.mcglinn.org/
You have your facts COMPLETELY wrong.
Intel did not lose "billions" on the Pentium bug, they lost $475,000,000 in actual money related to the costs of replacing the chip. This is at most 1/4 of "billions".
The cost to the public of the Pentium bug was not "probably nothing" but at least as much as Intel's cost: OEM's had to replace all of the faulty chips for free also, and this cost a pretty penny (for the OEM's and/or customers). Not to mention downtime for the customers, as well as the cost of having faulty calculations.
Please get your facts straight before you post. You have no right posting about something which you have absolutely no clue about, to a public forum.
--$time;
}
$money == $time;
Seriously, at the university where I work, we lost basically a full day of productivity due to the idiotic thing. That's a day worth of salaries being paid so that people can email back and forth telling other people the latest developments and not to open anything with ILOVEYOU in the subject instead of getting their usual work done.
And then there's everything that everyone else said, too.
heh. pity not everyone keeps backups.
most personal computers don't even ship with tape drives even so far as i have noticed.
and then there was the guy at a bbs i frequent. the system admin at their college just said, "farg it." and deleted all the unread messages on their system after the school got the virus.
the admin is stupid and deserves to suffer.
but the people who go to the college suffered instead.
I *think*, but don't quote me on this, that Flash 4 (maybe 3) can interact with Javascript, but fortunately enough, any sort of system call with Javascript (in netscape at least) seems to load up the entire Java subsystem, and you get a handy little warning box telling you exactly what the program wants to do. I do not know if it can interact with VBS in IE5, I hope it won't to keep the portability that Flash seems to maintain (read: Java player would have problems with VBS in linux)
Bullcrap! The ILOVEYOU virus is both a software issue and a user education issue. There are ways to prevent such disasters. You create cars that are as safe as possible. Why do you think they installed brakes in cars?
My 2c, anyhow..Stop the brainwash
What? That's harder to do?
This is not a battle, it's an attempt to educate the public. This thing was as predictable as the theft of a car that requires no keys to start. Hopefully, the public's hatred will be turned to the people who ripped them off, rather than those who warned them.
There's nothing more wrong with VB script than, let's say, Lotus script. It's something that can be changed at will by a single company that will not run anywhere else. Keeping up with changes will keep you from learning something useful. It's a dead end.
"They may have a disclaimer, but that merely explains their bias; it does not erase it." This is also true. But not explaining your bias doesn't mean it's not there. When a non-techie type hears that disclaimer, he'll write it off for what it is.
When CNN says something, it's true because "CNN said it". But of course, it has nothing to do with *its* bias.
----------------
Programming, is like sex.
Microsoft doesn't own CNBC or NBC, it's a partner in MSNBC, sure.
Ever notice that they always have a disclaimer on ANY news article on MSNBC that relates to Microsoft? It's interesting that they manage to keep some (slight i suppose) journalistic integrity, unlike the rest of the media.
Does Tom Brokaw report (or have a disclaimer) that he danced with Hillary at a fundraising party?
Or that the president of CNN paid to sleep in the Lincoln bedroom?
*going WAAAY offtopic, sorry*
----------------
Programming, is like sex.
No. It's pretty much your fault.
But then again is using Outlook. (ooooh). Seriously, Microsoft pulled a boner on letting this be possible, but you could write a virus in C, or Pascal or FORTRAN (I suppose). So, should K&R be held responsible for virii?
----------------
Programming, is like sex.
Wrong! You might be able to nuke the home directory of said user, at best. But the rest of the filesystem can't be touched, unless you are reading email as root. This is why an OS like Win9x is fundamentally insecure; it assumes that the user is always "root" and allows free access to devices like hard drives.
NO CARRIER
Nevertheless, I say don't hold Microsoft liable for viruses that exploit its insecure OS. People will either get fed up with losing their data and switch to better programs/OS'es or pay more money to companies like Symantec or McAfee and stay in the rat race with the h4X0rz. Let the market decide for itself.
NO CARRIER
If you knew what the fsck you were talking about, you would know that this file is neither "embedded" in the e-mail nor is it run automatically. It is a script file sent as an attachment, that requires the user to explicitly run it, and in most cases, to click on a dialog warning about opening attachments.
The almost useful scripting I am talking about is the Windows Scripting Host itself, not running scripts from e-mail specifically.
What exactly is your problem with Outlook, that the user can run the file with one or two clicks? How much do you think it would slow down this "virus" if the user had to first save, then open the attachment? Not much I think.
All kings is mostly rapscallions. -Mark Twain, The Adventures of Huckleberry Finn
Why compare this to FDIV? Is there any remote similarity at all? Why do 16 year old I *heart* Linux weenies insist on referring to an almost useful scripting feature in Windows as a "bug"? If you had the right Scripting host extensions installed this script could have been written in Perl or Python instead of VBS. How many Linux users out there are downloading "kewl new software" and performing make, su, then make install without a second thought? How long will it be before the Linux version of a "run this funny joke program" that sends itself through email appears?
All kings is mostly rapscallions. -Mark Twain, The Adventures of Huckleberry Finn
"But personally, I like having having applications with some power, and are not stripped down to the lowest common denominator of user."
Let me get this straight, this is your argument for using windows and outlook over linux? I must have missed something.
disclaimer: I dualboot windows and linux and often use windows out of laziness because I'm already in Windows and it doesn't suck badly enough for what I use it for to warrant rebooting into linux.
Therefore I blame Microsoft, because of the problem with their default configuration which causes systems to be insecure and vulnerable by default and secure and safe only after expert reconfiguration.
If programs would be read like poetry, most programmers would be Vogons.
We get the idea. Micro$oft sux. Pretty amusing comparison though.
ummmm The preview pane does not run any scripts or attachments. I looked at ILOVEYOU in Outlook 97, 98 and 2000's preview panes personally the last few days many a times.
I agree wholeheartedly... by their logic, DOS is full of bugs because it allows people who want to wreak havoc on other people's systems to do just that...
-- Dr. Eldarion --
It's not what it is, it's something else.
Second, a malicious bash script can certainly run as root...if you're logged on as root. If you never read your mail as root (good for you!), then all the thing could do is send mail to everyone you've ever received mail from and trash your personal files...
So tell me which unix mail client runs shell/perl/whatever scripts without asking when you click on them... I thought so...
You're obviously smoking crack...
Linus would probably be a fry cook if it weren't for the huge installed base of wintel machines. Just remember the win in wintel when you ponder that. I for one am glad not to be paying $5k per lame 68k machine.
idiots.
refer to: your own form of idiocy.
-=b
Okay, I send someone on a unix box a perl script that's supposed to do something wacky with their terminal. Maybe flash 'I LOVE YOU' in weird letters. They go 'oh cool', open it, and run the perl script. Suddenly, sendmail gets a little present from my perl script.
Who is responsible for this needless destruction? The fact that someone was able to run a program that I sent them - obviously untrusted - in their user space is a serious problem.
Or maybe the user just made a mistake :)
The comparison between the Intel bug and the 'Microsoft' bug was rather poorly done and not the same thing at all. But it gave people a chance to bash Microsoft, so it can't be all bad, eh? :)
Eric ze Kidder
You know, all of you self-righteous linux users say to yourselves "this sort of thing could never happen on unix because it has better security and none of this VBS scripting crap that microsoft has!"
My arse.
It would be just as easy to write a shell script to do the exact same thing-- overwrite .jpg and .mp3 files, then e-mail itself to everyone in the user's address list (although, you'd have to have cases for pine, netscape, mutt, maybe elm....) but still, this is well within the realm of the possible.
"But wait!", you say, "Linux has better file security!" Ha! Suppose you have a linux shop where all users have rights on an ?/stock_images/ directory, and read/write permissions on the files. Why shouldn't they? They use the files. They need to read and write to them. The designers need rights to the /htdocs directories on the web server. All the programmers have a shared mp3/ directory... and they've chmod g+rw on the files... Uh-oh! there goes all your work and all your Metallica tracks!
"Now," you say, "Unix users won't run shell scripts from mail!" Ha! I remember getting .shar archives from people and saying to myself "what the hell!" and opening them. And then there were those mail messages designed to show animation on your VT-100 terminal. Get serious. The only reason unix users would be less susceptible is because they are more likely to see an .sh (or a .vbs) extension and say "hey... this looks a little odd" then page through the thing before running it.
user education is the only issue. Not microsoft. If I write a worm in Perl, would you scream "someone should break Larry Wall's Legs!"
There are any number of script interpreters that would allow the exact same thing to happen. Is Perl also a security risk because it can modify files on a hard drive? If the program had been written in Assembler, it could have done the exact same thing. It could even have been made to spread using the Netscape address book, and it could have been made to replicate without the need for Outlook. I'm extremely anti-microsoft, but this one isn't really their fault. All Microsoft did here was make it so easy that even an idiot like the author of the ILOVEYOU worm could do it. Used to be virus authors had to be good programmers, now not so much.
- "That's just the kind of fuzzy-headed liberal thinking that leads to being eaten."
You're missing the point. If someone wrote a malicious Perl script, and emailed it to the root account of all Linux users it could find, and someone said "Sure, I have no idea what this script is going to do, but why not, I'll run it anyway." It would have the exact same effect. The only thing Microsoft is guilty of here is creating an environment where so many people are using the same email program and OS, and making the programming of the system so easy to do.
- "That's just the kind of fuzzy-headed liberal thinking that leads to being eaten."
Not to mention that users of MS Outlook9x/2K can (and have, at least in the department for which I provide tech support) enable auto-opening of attached documents (hello, viruses) and, even worse, the pre-caching of executables and VB script, all with one innocent little mousie click. Since everyone has access to their own config menu, and everyone loves to play with settings to see what they can mess up (which is half of why my job exists) many people have turned on this feature without knowing it, or to save a dbl-clk to see an attached Word document (which is of course carrying some stupid macro virus). It doesn't matter how often I tell them otherwise or re-set their configs during their lunch breaks, it keeps happening. And I know from having watched it happen that ILOVEYOU can infect a system running MSOtlk9x/2K if the user does nothing but read the email and allow MSotlk9x/2K to pre-cache the .vbs.
-Ma Tin-Yuan
who has heard too many times:
"I TOLD you NOT to open any e-mails with ILOVEYOU in the subject line!"
"I know, Tin, but I wanted to read what it said..."
--- I've been in school *way* too long....
IMHO, the real problem here is the monoculture that MS infatuated IT departments encourage. These viruses / worms do not affect Macintosh, Linux and Unix users, because they are not part of the monoculture.
How many times do you see the so-called "experts" say "One way to cut down on these attacks is simply not to use so much software from Microsoft." ? NEVER. Maybe some of the Linux UGs should prepare and send out press releases after the next attack pointing this out.
Netscape Navigator. Eudora. Mozilla.
1. A "malicious" bash script can not make itself run as root.
2. I believe (may be wrong on this) that the thing "looks" like a text file if you have "known extensions hidden" as per default
Actually, you're wrong on both counts. If you hide file extensions, then the item shows up with the vbs icon, not the text icon. Second, a malicious bash script can certainly run as root...if you're logged on as root. If you never read your mail as root (good for you!), then all the thing could do is send mail to everyone you've ever received mail from and trash your personal files...which is bad enough, I'd think. If you're logged in as root, though, a bash script could trash your system.
(That's why you shouldn't ever log in as root on a *n*x box, and why you shouldn't make your main account an Administrator in NT.)
No. Outlook does not autorun scripts. As I've said on a number of occasions, the only MUA that does that is Gnu Emacs -- and then, only if the user has configured it in a really stupid fashion.
how many users know what a VBS icon is supposed to look like?
Doesn't matter. The WRONG icon showed up, and any user should recognize that. You see, to launch a file on the desktop, you click on the icon next to the file. All plain text files show the Notepad icon, not the "blue S in a box" icon of the scripting engines. Users should never ever launch an application with an unknown icon, just as they should never run a file with an unknown #! line at the front in Unix.
It's like all computing environments -- if you don't know what it's going to do, and you can't protect yourself from any conceivable harm it might cause, just don't do it.
Outlook autoruns Javascript, yes. It autoruns ActiveX controls on your system that you have marked "Safe for scripting". But, once again, ask yourself a question: where did those controls come from? How did they get on your system?
You put them there yourself, of course. By installing them. Or disable the feature; it's a standard checkbox. (And, frankly, because I don't trust code on my system, I disable everything that my Administrator hasn't explicitly enabled.)
The press release from McAfee's site estimates damages of $2.61 Billion as of yesterday from the ILoveYou bug.
http://www.nai.com/asp_set/about_nai/press/releases/pr_template.asp?PR=/PressMedia/05052000.asp&Sel=751
Someone wanna send an email to CmdrTaco so he can update the table? (Of course, billions are made up of millions -- not much concern to Ballmer.)
--
He lives in a world where those who do not run the client software of the omnipresent meme are unacceptable.
I would have to agree this is getting into the whole issue of people kill people or guns kill people. Outlook and VB scripting runs many useful things, guns can be used for hunting or protection. But let the wrong people use either and you can have a big problem. It is very simple. So would you rather use Lotus 123 or Excel to calculate your budget for the year, both will get the job done. It's just like a bb gun and a 45. Using a bb gun you might eventually kill something small, but a 45 will get it done a lot quicker.
Your mileage may vary.
I never heard anywhere about the code being licensed under the GPL...
I hope the guy who made the script catches all those people who are distributing his code! The most likely way to catch all of 'em would be to hire NetPD if they're not too busy with Metallica.
Although I understand how upset he must be about illegal distribution of his code, I really wish he would have included Linux support. It seems like Linux users always get screwed by not being able to use the most popular programs (you can't tell me I-LOVE-YOU.txt.vbs isn't popular)
Intel DID have a bug, but they fixed it.
The I-LOVE-YOU program is just showing users how useful Outlook features can be.
OL 97 May 99
OL 98 June 99
OL2k Nov 99
So who's at fault here?
TomV
Mainly because the author chose CreateObject("Outlook.Application") instead of, for example, CreateObject("Eudora.Application")
Is it really a FAULT of MS if they document their interfaces better than their rivals?
Equally, the part that loaded the .exe could just as easily have been written into netscape.ini rather than the IE start page entry in the registry.
The security model in Win9x is at fault, yes, but Outlook itself is a red herring. Just as the whole .vbs was mostly a red herring to distract from the .exe
TomV
If I started a Clue and Ugly tree farm. - -
Me a troll, me no gnome, me smash ye head and break ye bones.
Maybe there wouldn't have been enough "Ego gratification" to make that "feature" more secure.
"He's a real midnight golfer"
Do the demo, information technology I find it mildly amusing, as the "help desk" didn't say what the error msg was (maybe windows was just missing a plugin) and then .....
"He's a real midnight golfer"
just because it doesn't automatically run this virus doesn't mean the preview pane is secure ...
"He's a real midnight golfer"
Forget all this trash that's happening with regard to antitrust laws. Sure, it's a free economy - they should be allowed to keep competing like this and producing products like Outlook and Exchange. However, I do have one suggestion.
Ban the law that allows them to create a "as-is" license agreement clause. If the software fails and causes damage, allow the company/individual who was damaged to sue Microsoft for whatever the judge/jury thinks is a fair amount in relation to the damage Microsoft's buggy software caused.
no sig
Duh, because Outlook is most of the market. If Linux had more than 0.001% of the mainstream desktop market (note the phrasing), then Linux would have a decent e-mail reader. You don't seem to understand that a lot of users want to be able to execute attachments, and it's very convenient at times. It's only that Linux has no decent mailreaders that it's "protected".
:) Now, before you get on your llama-like, Microsoft high horse and start bashing Netscape, would you care to produce the afore-mentioned affidavit stating the difference in productivity/virus damage ratio between Outlook and non-Outlook clients?
At work, I'm running 98 SE as my desktop system. I'm running Netscape as my mail client. Did I ever mention Linux ? I don't remember doing so. I do run Linux on other machines, though, and funnily enough, it has a mail client which I like quite a lot : Netscape
no sig
Dear Reality Master, Please explain why non-Outlook users weren't as badly affected, and if you come up with some "Microsoft features == increased productivity", produce a document containing Productivity Loss/Virus Damage comparisons between Outlook and Non-Outlook Email clients.
Thank you.
no sig
We had no trouble with the virus even after receiving two copies of the virus. Our environment was hostile to it because it lacked anything for it to propagate.
The root cause for major virus attacks is that most of the world lives in a totally microsoft world and like in the natural world any mono-culture makes for easy spread of diseases. I think that it should be our responsibility to point out that if word, IE and all the other microsoft products had more competition that this kind of thing would not nearly be so devastating.
This is one way that the microsoft monopoly has harmed the consumer even though they have kept prices down by.
subsolar
The day you show me a unix email client that shows users "This is a text file" (for a bash script) and then when you click on it, runs the damn thing... then I'll take that comparison.
Tomorrow will be cancelled due to lack of interest
And it's not like little Edna Normal-dumb-user has that setting off, which is the default... noooooooo.
I don't consider something secure until it's secure by default.
Tomorrow will be cancelled due to lack of interest
Just because all you have is illegally copied music and porn doesn't mean others don't have legitimate use for the files they lost, or maybe they actually needed to send an important email?
Tomorrow will be cancelled due to lack of interest
Maybe not let the email client say "here's a text file, click on it to read" but, "this fscking file ends with a .vbs, which means it's a program that you run if you open it".
Tomorrow will be cancelled due to lack of interest
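The check asked for in the comment above (judge an attachment by its real final extension, not by the name a user sees once known extensions are hidden), sketched as a mail-gateway filter. This is an added example, not part of the thread or of any mail product; the extension lists and function names are assumptions, and the sample message is constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists for this example; tune them for the site being protected.
ACTIVE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd",
               ".exe", ".scr", ".pif", ".com", ".hta", ".reg", ".shs", ".lnk"}
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".mp3", ".doc", ".pdf"}


def split_ext(name):
    """Return (stem, ext) with ext lower-cased; ext is '' if there is none."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return name, ""
    return stem, "." + ext.lower()


def assess_filename(raw):
    """Classify one attachment name by the extension Windows will act on."""
    # Windows drops trailing dots and spaces when a file is saved, so
    # "x.vbs. " lands on disk as "x.vbs"; normalise before judging.
    name = raw.strip().rstrip(". ")
    stem, ext = split_ext(name)
    # With "hide extensions for known file types" on, only the stem is shown.
    shown = stem if ext else name
    _, inner = split_ext(stem.rstrip())
    reasons = []
    if ext in ACTIVE_EXTS:
        reasons.append("active-content extension " + ext)
        if inner in DECOY_EXTS:
            reasons.append("decoy extension %s shown when %s is hidden"
                           % (inner, ext))
        if stem != stem.rstrip():
            reasons.append("whitespace padding before the real extension")
    return {"name": name, "shown_as": shown, "real_ext": ext,
            "block": bool(reasons), "reasons": reasons}


def scan_message(raw_bytes):
    """Assess every named attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            findings.append(assess_filename(filename))
    return findings


def build_sample(filename):
    """Constructed test message; the attachment body is inert placeholder text."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "ILOVEYOU"
    m.set_content("kindly check the attached file")
    m.add_attachment(b"' placeholder, not a script\r\n",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample("I-LOVE-YOU.txt.vbs")):
        print(finding["name"], "shown as", finding["shown_as"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

A gateway would quarantine or rename any part where `block` is true; the same function can drive the client-side warning text.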
This is a bit trite, but I'm gonna reply to my own post in case there are others out there reading this that have Outlook users to support. I ran across this page when I was (somewhat cynically) looking for Microsoft's response to this virus. From the page:
Updates to Outlook 97, Outlook 98 and Outlook 2000 are available that make it more difficult to inadvertently launch attachments. The updates provide a more explicit warning dialogue, and prevent attached executables from being launched directly from e-mails; instead, they must be saved to disk and launched as a separate step. The update also is included as part of Office 2000 SR1.
This patch looks like it'll help prevent easy attachment abuse in e-mail, though I wouldn't be surprised to see a variant that gives the end user a set of revised instructions about how to see their valentine. There is only so much Microsoft can do, though... I bet people are still falling for the 'This is (ISP) security. Your account may have been stolen. Please reply via e-mail with your password and credit card number to validate your account. Your cooperation is appreciated.' letters. Hopefully, the amount of attention that this virus has drawn will encourage better user education at the workplace and ISP level.
---
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
I can come up with three ways...
1. Many companies chose to/had to shut down their e-mail, or were overloaded to the point where e-mail shut itself down. I'm not sure how much of an effect the virus had on disk space, but it certainly had an effect on bandwidth, server CPU usage, productivity, and security (Loveletter also mailed passwords from Windows out to someone's e-mail account -- I wasn't able to analyze this part because I couldn't get my hands on the .EXE that did it.) All of the computers it hit have to be cleaned with a virus scanner (or manually by someone who examined the virus), probably by a computer tech. I'm guessing many passwords will have to be changed also, not to mention the warnings that had to be circulated around. We weren't affected that strongly, but we did have to drop what we were doing for the day to help out clients.
2. If you're a web page designer, the .jpg and .jpeg thing could hurt. If you are big on the Windows Host Scripting thing the .vbs part would hurt. Then again, if you do either you should already know enough to be careful of attachments...
3. Employees everywhere are going to have to dig deep into their pockets and pay Lars now. This might be the break Metallica needs to get out of those cardboard boxes on the side of the road and back into the penthouse.
---
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Ok some research, from MSDN. Note that this applies to OutLook 98 although OutLook2k is the same. Note also that the virus does not contain an embedded script but an attachment so this doesn't even really apply.
---
OL98: Item Using VBScript Cannot Be Displayed In Preview Pane
ID: Q231989
The information in this article applies to: Microsoft Outlook 98
SYMPTOMS
You select an item in a folder, and the preview pane displays the following message: Items with embedded script cannot be displayed in the preview pane.
CAUSE
The Outlook preview pane does not support displaying items that contain "active content." However, the behavior is different depending on the type of item you are using.
MORE INFORMATION
If the item is a mail message or post, it cannot be previewed if the item is based on a custom form that uses Visual Basic Scripting Edition (VBScript) in any way. If the item is something other than a mail message or post, it will display in the preview pane if it is based on a published form. However, it cannot be previewed if the item -- at any point in time -- contained VBScript that was directly stored within the item. Once an item contains programming code, Outlook sets a flag in the item indicating that it contains active content. Once this flag has been set, it cannot be reset. If you delete the VBScript, or programmatically change the message class so that the item will once again use a published form, the contents of the item will still not be viewable in the preview pane. VBScript code can be stored in the item if the form designer specified saving the form definition with the item, or if the item somehow used a one-off form.
...
Well, on the one side we have this guy. On the other side, we have many people, including security experts that say that the preview pane activates the VBScript automatically. Who's right?
In the year 2000, we would have reason to take Goodtimes seriously.
(Really now, does anyone see any reason for Outlook to execute VBScripts in the preview window? You can make a case for the existence of scripting, but this one little detail was what allowed it to spread so fast.)
Windows is all about bundling. Outlook comes bundled with windows, as does everything else M$, in one way or another... and it hooks into the OS's global script execution network... like they wanted people to be executing things on your computer from email. And it didn't even start to cross their mind that someone might write a script to execute something malicious? The common windows user is someone who purchases the computer from CompUSA or the like, with everything preinstalled, and uses what's been provided. This means homogeneous software, perfect for the virus writer.
A more useful comparison:
About two years ago, a company in the US that produced hybrid grain seeds got a patent on a variety of hostile seed that produced pollen designed to sterilize and cripple other species of the same grain. They intended to use it to kill off competition and force farmers to buy from them every year... in short, to become the M$ of the american (and world) food supply. As far as I know, they are still trying to pull this off.
At about the same time, there was a major crisis in the ... I think it was Soybeans, but I may be misremembering... some crop that had become relatively homogenized, which was hit by an (organic) virus. Prices soared, growers struggled to get seeds to nonsusceptible varieties, and there was a general backlash against homogenized varieties... for a few months.
Some people never learn. Nature, even our modified version, still responds to evolution, and evolution prefers diversity for good reason. Software emulates nature.
Microsoft would have the entire world beholden to their monolithic approach if they could. This would be just asking for a big die off. Personally, I'd rather be one of the oxygen breathers, one of the mammals, one of the scurrying little guys that have a hope of surviving. The next disaster might be a little bigger, and if it is, I'd hate to be dependent on Windows for everything...
-- Still waiting for the Nike endorsement
This ILOVEYOU trojan brings back memories of the VM/CMS CHRISTMAS EXEC trojan. At least you got an ascii christmas tree on your terminal as the program parsed your USERID NAMES file and sent itself back out.
Fortran: A language for people with real problems.
You said:
> As you clean up your registry and replace your
> damaged files
Well, while I did receive several copies of the "virus" and I do use Microsoft Outlook, *I* didn't get infected. Why? Because I'm not stupid. I like the way Mac people were saying that they are immune to viruses. They like to gloat over this one. Fact is, people don't write Mac worms because there aren't enough Macs for it to spread!
--- Speaking only for myself,
When I say Outlook, I mean Outlook... when I say Outlook Express, I mean Outlook Express... and not vice versa!
__
L.
The difference of course being that most windows/outlook users are people like my mom and that most unix users are people like me (i.e. people who would know not to run a weird .pl file)
ummm, what does .pl stand for ;)
A sizable segment of blame goes to the authors of the finger and sendmail daemons that the Worm used to thrive and propagate. Their careless programming caused the environment, and they should have been able to recognize the danger well before RTM started to code.
Especially since Robert Morris wrote a paper on the subject in 1985, two years before the worm attack. A Weakness in the 4.2BSD Unix TCP/IP Software
Of course, that's about the rsh and rexec exploits, but fingerd was already known to be buggy and a program like sendmail (which by its nature gives at least limited file access to your server by outside, untrusted hosts) is tricky to secure, and was also known to be imperfect.
The problem here is that so many incompetent (and obviously love-starved) people use Outlook and just run whatever attachments are sent to them.
The problem is not "incompetent users". I know of no UNIX program that automatically executes scripts when an email is opened.
I got hit with the Melissa Virus quite easily because I opened the email. I am not a veteran Windows Outlook user (thank G-d) and didn't think that opening a file would cause the execution of an unknown script.
The problem is the same as it's always been: M$ and its business plan to capitalize on its stock price, with little respect to the quality of work they produce.
Oh.. nevermind ;)
Why? Because the media actually believes Microsoft's lame, and obviously inaccurate rebuttals to their various problems.
I just can't possibly understand how some of these bullshit 'viruses' get spread. (OK, they're just really nasty worms/trojans) The idea of running some of these programs that everyone forwards on email is like having unprotected sex with some slut that you KNOW has been every guy who's as much smiled at her, and quite a few who didn't. People just don't fucking understand this shit. They forward every little worthless piece of mediocre humor to everyone they know, building up massive email lists. I'm surprised people bother opening these things. The crazy shit is that just a few years ago, one of the biggest pieces of bullshit email (after the sick kid who wanted emails from the whole world) was a warning about the "Good Times" virus. The good times virus supposedly got sent in Email, and opening it up would infect you. Yet, for some reason, the software companies still went ahead and designed mail readers that were easy targets for just this type of attack. I don't fucking understand...
my sig's at the bottom of the page.
This is the same problem as the KAK-virus is, which uses news-attachments to copy itself on the hd.
When will firms be more sensitive for problems that come upon Microsoft products?
Ozan
I doubt there is a linux user who 1.) does his daily mail as root user 2.) runs any unidentified perl script as root
Furthermore this would be the same as sending a batch file to a windows user and even "them" would not run it without knowing what it is.
The only thing Microsoft is guilty of here is creating an environment where so many people are using the same email program and OS, and making the programming of the system so easy to do.
Wrong, Outlook Express opens the attachment without prompting, so the users didn't even have a chance to delete the message or look at the source. I appreciate any scripting possibilities in programs, like VBA, but they should be limited in their rights to access the hd. For what purpose is it necessary to provide a script in an email-client the possibility to delete files on my hard-disk? Microsoft sells pieces of crap, that's it. Perhaps now firms will be more sensitive about the security-gaps in microsoftware - but everyone said this after melissa, too. Time will tell.
Ozan
Yes, but the bug facilitated this damage, in the same way that having oxygen in the atmosphere facilitated World War II. If the oxygen wasn't there, or if this "feature" didn't exist, the malicious author would require help from other quarters ("I breathe CO2!" or "Hey, look, smtp in NT has a buffer overflow problem!"). The thing is, this is the one people use because it's so amazingly easy. It's like fighting World War II when your side has hand-held disintegrators. When you make it this easy, I think that assigning responsibility to that facilitator is reasonable.
Did I ever mention Linux ? I don't remember doing so.
It's irrelevant what you use. I used Linux as an example.
I'm running Netscape as my mail client.
Well, if you're a Netscape user, you've already decided to use garbage software. Regardless of anyone's opinion of Microsoft (and you don't know mine, despite your assumptions), Netscape is objectively garbage. Obviously, using decent software is not important to you.
In any case, as far as I know, Netscape also lets you execute e-mail attachments. It's only that the virus wasn't aimed at being able to read Netscape's address book that it didn't affect Netscape users.
would you care to produce the afore-mentioned affidavit stating the difference in productivity/virus damage ratio between Outlook and non-Outlook clients?
Har Har Har! Boy you got me -- what a burn. [not]
I guess it doesn't matter to you that your "point" has nothing to do with the subject at hand. You may have a promising career in politics ahead of you.
--
Sometimes it's best to just let stupid people be stupid.
"But personally, I like having applications with some power, and are not stripped down to the lowest common denominator of user." ... Let me get this straight, this is your argument for using windows and outlook over linux? I must have missed something.
Of course. Or haven't you noticed that Linux's end-user apps are way inferior to everything in Windows?
I use Linux everyday as a server, but until it gets some decent applications, it's useless to me as a desktop OS. And believe me, I would *love* to have a Unix-based desktop OS. But I love applications more.
--
Sometimes it's best to just let stupid people be stupid.
I have not run Windows in a few years now could you tell me what all these awesome applications are that run on Windows now?
Oh, things like Photoshop, MS/Office, Visio, IE, Quicken, not to mention innumerable games. I could go on and on, but what's the point? The list of user apps that are superior under Linux is easier: uh, there are none.
I get what I need to get done in Linux.
I didn't say you "couldn't get things done", but heck, you could also cross the US on crutches blindfolded if you want.
Frankly, I don't choose to cripple myself by using inferior applications.
--
Sometimes it's best to just let stupid people be stupid.
Yeah, if I have glass windows in my house, and a burglar uses them to break into my house, it's my fault for not making my house secure enough, right?
--
Sometimes it's best to just let stupid people be stupid.
Not sure what experience you have with *nix users, but lets see:
Lads.. how many of you are logged in as root, right now? Show of hands?
Tom Newton
It doesn't help that MS assume we're all too stupid to see the TLE on the end of the filename. That, surely, is the cause of a good many virus-clickings.. "Oh it's just text" no harm done...
Tom Newton
Well, we get away with allowing 400 CS undergraduates to bash away at our RedHat boxes at our Uni, and CS undergrads are notoriously dimwitted (I am one, before anyone comments ;)
:)
BTW, rm -R * would do beggar all on many systems, as a (sensible) sysadmin, and in fact many distros have rm aliased to rm -i - yet another precaution against dim users
Tom Newton
Since McAfee sell virus-'protection' software as a primary focus, it seems to me that accepting their numbers wholesale would be the equivalent of telling a Life Insurance agent "oh, just sign me up for however much insurance you think I should have, and bill my account."
I agree with you that "it's the public's fault for playing with computers and relying on them so much without knowing what the hell they are doing with them". But I blame M$ for facilitating this behaviour. I know that the average "user" is pretty dumb and requires having things made easy for them.
BUT M$ has IMO done a horrible job of it; they and the other major commercial software manufacturers should have made more of an effort to meet users half-way. That is to say, enhance the computing experience *in a way which makes users realize what the technology is all about*. Honestly, I can't believe some of those tech support stories; and I'm convinced most of the sadder cases could have been prevented by better computer education.
We *should* be having remedial computer courses which illustrate the metaphors that programmers had in mind when they designed UIs, explain why things are the way they are, etc. - that is, which teach some basic hack sense to those which are deficient therein. What we *do* have are courses like "Learn to use M$ Word". People walk out of these courses not having learned anything about GUI consistency (pardon the pun), nor any basis on which to decide that M$ software sucks (granted not *everyone* would come to that conclusion even given proper education; #include here), nor anything which would help them if they had to (God forbid!) use another app to do the same thing, or another app from the Office suite. Just for an example.
I've seen people who, as a direct result of how the software and technology is marketed (especially with the "web integration" of "modern" OSes), fell under the false impression that "Yahoo" and "Altavista" were application programs on their desktop (some investigation on my part showed that these were in fact stripped-down versions of Netscape, actually identical to each other except for the home page on which they started). It's sickening, really.
Zahlman, aka namlhaZ
zahlman at freewwweb dot com
Zahlman Q. Namlhaz, esq. {:> "Zahl Incorporated - the Last Word in Everything(TM)"
BENEFIT OF USING VMS/UNIX -- NO VIRUSES FROM MICROSOFT
DEVO-X
Is it just me or is that kind of opinion typical of Microsoft supporter, if something goes wrong they always blame the user and not the software. Microsoft is to blame for a simple reason, they made Outlook without taking security into account, plain and simple. They should have realized after several iterations of the same problem that scripts should not be run from within the application, and that they should warn the user explicitly that this could be dangerous.
Agreed. People that have come along the internet with malicious intent are ruining thousands of dollars worth of software and equipment for sheer fun. I think I am supported when I say: This is wrong. People with malicious intent have the ability to harm millions of people and then say "I didn't mean to."
You make a file capable of crawling people's address books, deleting files, and corrupting programs, and then claim you didn't know that would happen.
Justin
Justin
Internet Business Resources and Webmaster Tools
MS Outlook and OE will NOT run attached documents, executables, or scripts by default. Outlook bugs/features are not responsible for this virus, windows scripting support is, and does have its place. Scripts have legitimate reasons to be allowed to access hardware, and alter files it stores.
Embedded scripts DO NOT have access to files or the registry. Attached scripts have the same access of any other user files. DOS Batch files, .REG files, and scripts are ALL human readable, and can be detrimental to system integrity. Though if somebody owns an Athlon motherboard and Geforce videocard and post a message for a fix to add AGP2x support, somebody could just send a script that would do it and no manual registry editing would be needed. This is what many WindowsUpdates do.
The fact of the matter is, a user shouldn't run a file without ANY idea what it is. If one receives a file and is unsure of what it is they should send a "What did you send me?" email back. Batch files, scripts, and .REG files should be investigated before being run.
http://www.symantec.com/avcenter/venc/data/vbs.bubbleboy.html
Imagine what a variant of this worm could have done.. the author posted the virus directly to anti-virus vendors, so M$ found out about the security hole the easy way.
Here's how it costs people money. Say yer a graphic artist at a web design company. You just got done making some sweet logo for yer new client and you have the meeting with the client in 15 mins. You get an email (ILOVEYOU)..pop it open...all hell breaks loose...because you were a dumbass for saving yer shiny new logo concepts in .jpg format you just lost yer work..you go to the meeting...the client bugs...yer out a contract for some random amount of money..on top of that the client is going to tell everyone he/she knows that you suck ass...so there's even less work for ya. Now if you were a smart Graphic Artist you be on a mac anyway...but that's not the point..graphic artists are not usually computer savvy...they can just draw.
To fight and conquer in all your battles is not supreme excellence; supreme excellence consists in breaking the enemy's
Geez - all you have to do is to turn OFF the execution of macros when you open a document. Microsoft gives instructions on their web site. You can always execute a macro by clicking on the "YES" tab.
All this microsoft bashing is kind of funny in that ok, yes there are problems with it, but think about this:
:)
What if MacOS was the dominant OS on the market?
What if *nix was the dominant OS on the market?
Let's look at Mac, hmmm...no protected memory for a while (from what I have heard, they finally have it in OS 9). Has anyone ever programmed in C or C++ here? Come on, you f*ck up one pointer and the system will most likely crash. It was always pleasant waiting for the mac to boot up for 5 minutes after messing up an array or pointer.
Also, the major reason for problems with windows showing up is that you end up having a bunch of morons using it. You put enough jack asses on a machine and they will find a way to take it down, I don't care what OS.
You people complaining about these features that you don't like, well let's look at your choice of OS's, *nix? Well if you leave yourself logged in, I can easily edit your login file with this line:
alias ls 'rm -R *'
That seems like a feature that shouldn't be available, but it is. It is because someone was stupid and didn't log out that that might happen, and it is because users are stupid and keep running this attachment.
Down with Microsoft bashing, up with stupid user bashing. There should be courses that every user has to take before ever using a computer and a minimum IQ necessary for using them. They have tests so that you can get your driver's license, why not computers?
I work in a bagel bakery which is generally not that bad, my customers are for the most part semi-non-morons and at least somewhat polite, but not all. There is a menu sign on one of the walls that says roughly "Try one of our flavors of Cream Cheese" in about 3 inch+ high letters. I occasionally get a customer try to tell me that a type of cream cheese is a type of bagel, and I have actually had other customers correct them and try to prove to them that what they want is in fact a type of cream cheese. I am sure there is plenty of blame to spread around for the luvbug macrovirus (hey blame is easier than responsibility), but I think that part of the responsibility does go on the users for knowing what they are using when they use a certain piece of software and being intelligent enough to see the potential problems that it could have (such as Outlook's ''feature''). Not all people are that smart, some are, but there are a lot that are not and the not as smart tend to make up for it by being louder. Microsoft gets some responsibility for the problem by making a shoddy product, but the main responsibility goes to the person/people that wrote the luvbug macro; however, they did do a lot of people a service by pointing out to them some of the inherent problems in the software they use and how they pay for ''convenience''. The bottom line is some people are intelligent and some people are not. I do use Linux (in case anybody cares) as my desktop OS, and I use pine.
Lucy Karpen "I disagree with what you say, but I defend to the death your right to say it." -- Voltaire
Am I just being naive in thinking that MS could prevent these macro viruses (or whatever the proper term is) by invoking Word Viewer instead of Word itself? My understanding is that the Viewer utilities will not expand macros. Of course, that means MS would have to distribute the Viewer utilities, but that would be trivial. If MS really wanted to get thorough, they could add features to the Viewers which might offer a raw display of the macro attachments and let users decide whether to pass them on to Word (or whatever). Hey! Wouldn't that be a good place to perform macro virus checking? Oh well, the key thing is that there seems to be a way to prevent the macro viruses from wreaking their havoc ... if as I noted above, I'm not simply naive.
The users are not dumb, they care about their jobs and not about intrinsics of computers. Most users don't even know what running code means, they are just "looking at the mail and clicking around" in their opinion. The real issue is a windows architecture issue. Windows should PROTECT the users from such things happening. Specifically, it should run ANY non-trusted code in a secure sandbox, where it couldn't do anything that might potentially hurt the user. Anything that comes from internet should be treated as highest security risk if it doesn't come with some kind of verifiable certificate and a licence which makes the author liable for some kinds of damages. As it is now, even windows should be run in such a sandbox.
Let's See, Microsoft knew about the loophole and created a patch? So why didn't they use the loophole - send an email with the patch and a script which would automatically open, run the patch and restart Outlook - Bob's your uncle, and it would be fixed. (for registered users - so if you didn't register what happens?) Anyway just a curious thought. Cheers Zonnald
Remember, generally speaking, decisions like: should we allow users to *spawn/execute* attachments and should this be the default setting, were made by the technical/development team. I am sure that the marketing team really gives a *hit about such matters.
So if Microsoft got it wrong - it was the development team that got it wrong - not specifically Bill Gates.
That's all I have to say.
Cheers
Zonnald.
P.S. I consider MS has too much control over my marketable skill set.
In order for ILOVEYOU to run, the user specifically needs to run the file themselves. There isn't much MS can do about this, is there?
Just one correction here, ISP working friend of mine tells me that you don't actually have to run this particular one... the preview pane in outlook is enough to run it, apparently.
bash: ispell: command not found
This sig left intentionally blank.
There is no good reason for a foreign Visual Basic file to be allowed to run in anything but a sandbox (a la java) by default. Microsoft made a huge gaffe in putting this functionality ("innovation") into their program.
I admit that it's the user's fault in most cases "Ooo, I love you too! Let's click here!" and that most users are flaming morons, but that doesn't excuse Microsoft for making this sort of problem possible.
Of course, anyone running an OS with such a fundamental, known WONTFIX bug is an idiot ** 10000. So, yes, Microsoft fucked up, but the person really at fault is whoever signed the purchase order for the windoze licenses. I recommend that affected organizations find and promptly sack that individual. He or she cost your company millions, not Microsoft. Microsoft just did what they do best - make it easy (for you to lose millions).
FDIV bug: corrupts individual calculations/data silently
ILUVYOU: corrupts whole files completely and obviously
In a lot of areas, the former is MUCH worse than the latter. Recovering from gross damage like ILUVYOU is simple if you have good backups. Recovering from subtle damage like FDIV is a little trickier... most people wouldn't even know they were affected. And that is pretty scary.
Microsoft is right. The ILOVEYOU virus isn't a software issue, it's a user education issue.
The problem is that the educated user is told to NEVER use the 'feature'. Not only does it add no value to an educated user, it REMOVES value by making them paranoid about harmless attachments like images, text documents etc.
Perhaps the best move would be to remove the 'feature' and let the user get on with life.
Arguably, the finger and sendmail problems were coding errors, not designed in per se. The problems with Outlook et al. are the result of poorly thought out and designed features. I think the latter deserves more culpability than the former.
Yes, IMHO Microsoft and dummy user base are to blame.
However, blaming and future suffering can be avoided simply by making mail clients etc. execute (if they have to) incoming programs as the user nobody. Of course, this requires an unix or equivalent security model; what did you expect? Of course people not knowing how to program should not have reasons to send executables to each other, but that's Just Another Flawed Thought.
Uuh, I have been talking too much about this today: distributions, application-executable/x -sh. Can't help thinking it's an important subject, actually.
I think, therefore thoughts exist. Ego is just an impression.
Both are companies whose products cause more trouble than should be fairly acceptable.
Both should be far more restricted IMHO.
There should be some limits to whom you can sell inherently dangerous products.
I think, therefore thoughts exist. Ego is just an impression.
Microsoft made all it could to blur the distinction between opening a document (which is SAFE, and you don't need to trust anyone) and running CODE (which can royally mess up your system). THAT, in my not so very humble opinion, is why MS are to blame with the ILOVEYOU virus, and with all the Word macro viruses that came before. Any company with a tech clue *and* the willingness to let the tech clue stand before short-term marketing pushes would never have made it so easy to run untrusted crap. All the while Sun tried to make code safe in a safe sandboxed way (read, Java), but it was so heavy that people came up with these lighter 'scripting' solutions.... and completely forgot about implementing security.
The difference is that Outlook is NOT TELLING its user that it's about to run a script. To the user the actions (double clicking) are *exactly the same* that they do countless times every day to open a harmless excel spreadsheet or whatever. With Linux and perl scripts, mailers are so little integrated that you have to save a program and then run it from the prompt, to run a script, and users are so used to the idea that you don't run unknown programs lightly, that it doesn't bother them at all. Giving users a one-click way to run untrusted code is extremely bad UI design, whichever way you want to look at it, and it's solely MS's fault.
Hopefully, this time, somebody will be fired for buying from Microsoft...
--
Here's my mirror
Puuuuhleeeze, kids, can you read " Unsafe at any speed ", by Ralph Nader? You'll seem much less ignorant.
--
Here's my mirror
Bill Gates was on the TV Sunday saying that if Microsoft was broken up, the individual companies couldn't react to a problem like ILUVYOU and cited this as another crappy reason why MS shouldn't be hammered into several competing pieces. The asshole totally sidestepped the fact that it's BECAUSE of this "feature" collusion that MS has now that a virus like this is able to shut down thousands of machines.
by Mike Buddha -- Someday the mountain might get him, but the law never will.
I've lived in neighborhoods where most people would consider you at least partially at fault, and stupid, for not having bars over the windows. People adapt to the threats in their environment. Maybe Microsoft should do the same thing.
Mea navis aericumbens anguillis abundat
For those of you who only use PINE for your email needs you need to understand some things about Outlook. It does not tell you if it is running any form of code embedded into an email message. If I were to send an HTML email to someone, Outlook would automatically process the HTML in it. The only way to avoid this is to turn off the preview pane and view all email messages in ASCII mode (which is how I like it anyways). IE4 and 5 do the same thing if you have a text document with HTML in it it will read and render the HTML even if the HTML isn't properly coded. This is why geophile can compare FDIV and ILUVYOU. Microsoft and Intel both designed and sold a product which could be taken advantage of to do a bad thing. M$ should take responsibility that their software has a fault which lets someone send you a macro virus or such. This is supposedly why one pays M$ for their software. If a company puts a warranty on their software they need to back up that warranty if they didn't do what you paid them to do.
The PINE users are also probably people that say if people used Linux they wouldn't have these sorts of problems. The people who open up attachments and forward "cute" programs or joke on AOL are the sort of people who would run around on the net as root and get themselves into trouble. One might say "well why wouldn't a Linux distro be responsible if they messed something up" and one might think they were so smart. I would simply point to the GPL "this software is provided without warranty" to paraphrase. You're made aware that you are using GNU software with no warranty, commercial apps (which cost beaucoup cash) do have a warranty and therefore ought to be responsible for doing their jobs. In the case of ILUVYOU I think M$ should offer some sort of compensation for people who got their system trashed. The end user needs to learn to be careful but then M$ should learn that executing scripts in e-mail by default is just asking for trouble.
I'm a loner Dottie, a Rebel.
To answer the question you've asked a million times -- it has nothing to do with the preview pane. Outlook has a setting to automatically open attachments (which is off by default) that would (and did for many people) run the VBS file automatically.
The foolishness is in people enabling that idiotic setting, in MS putting the setting there, and most of all in MS making "high security" (the setting email runs under in "internet options") still capable of running javascript, cookies, vbscript, etc. I don't consider that "high security" and if MS would change that one default half of these email viruses would die overnight because you would have to save and execute the file as a separate step -- no double-clicking to open a script file...
Recursive: Adj. See Recursive.
Now, IIRC, Win 3.1 had a virus checker. Maybe it was separate from Windows and the PC maker included it on mine, maybe it was really a tool that MS bundled with Windows. Either way, what the fuck happened to the MS virus scanner? It seems perfectly reasonable to me that Microsoft is better equipped than anyone to protect against the potential pitfalls of their products, yet every virus scanner that they list here is a third party.
One of two things (that I can think of in the few moments that I am spending with this comment) caused MS to drop MS Antivirus. Make that three.
- Bone-headed managers at MS care about things other than security in their products and forced MS engineers/programmers/drones to work on Features (Not Bugs) (tm).
- Bone-headed managers at MS couldn't justify the expense of maintaining the tool when so few customers used it.
- Bone-headed managers at MS are convinced that MS engineers/programmers/drones actually do have a handle on the full import and far-reaching effects of every last line of code, and therefore each bug (in their mind) is The Last Bug.
- (I'm up to four now) Bone-headed managers at MS made deals with third parties not to produce an antivirus tool in exchange for some easy money from said third parties. Note to DoJ: are you getting all this?
- (five) Bone-headed managers at MS really do think these things are Features (Not Bugs)(tm), and therefore do not believe the phrase, "It's a feature, not a bug." is an excuse, but a real explanation.
So, out of these five choices, which one is not to blame on MS management? I'm sure there are other explanations. I am also very confident that any other explanation would involve bone-headed managers, since rampant bone-headedness anywhere else in the company is ultimately the fault of bone-headed managers (for not fixing the problem of bone-headedness). This is not a problem that will go away. It is also not a problem that anyone can solve, because products will not get better until people start looking for alternatives, which they may, but don't hold your breath because (average) people don't care enough about this problem to look for an alternative. The solution to this problem in the average mind is not a secure replacement, but a band-aid that will cover it up. It comes from the notion that certain software can fix other software, the same way a certain part may fix a broken car or a certain glue may fix a broken vase. What people don't understand is that this principle doesn't apply to software. It's either good or bad and no other magic program exists that can "fix" any flaws.
This situation will not change for a long time... about a generation or so. It won't be until then that enough people understand this idea about software, or really even understand what software is. Everyone here gets it, the same way all the grease monkeys who hung out at the corner garage got internal combustion in the 1930's. It wasn't for another couple of decades that it occurred to most people that exploding gas moves some parts in the engine to make other parts spin, which spins the wheels, which moves the car. Given the rate of change in technology, I wouldn't be surprised if it took fifty years before J. Random Consumer finally knew that a program is basically a long line of data, and that there's a circuit that does what the data says to do to other data.
Is MS to blame for the security problems in its products? Yes, absolutely.
Are average people to blame for choosing that software? No. Or at least not to the extent you and I who understand the issues would be to blame for it.
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
I actually ran into a problem with the FDIV bug in a real-world application I was working on. I had written some code that ran inside AutoCAD that was being used for design automation of steel joists/girders. The code was obviously very floating point intensive (lots of trig). While the code ran just fine on a Micron P90 machine I had and several 486's I tried it on, it failed on one of the customer's nearly identical Micron P90 machines. The only difference between the machines? The machine that was failing had an FDIV afflicted P90, while the one I had was a later stepping (despite being purchased before the failing unit). The customer swapped out the bad CPU for a good one under Intel's recall, and once the good CPU was installed the code worked without any problems.
While I'd agree the problem rarely caused problems for people, it did in at least one case cause someone (mostly me) some real grief. It also cost someone (my employer) some real money, in that I spent quite a number of hours troubleshooting the code and comparing the two machines. Given that the customer was about 800 miles away, they also incurred some additional costs in travel and shipping hardware to me for testing.
Somehow, I feel we're missing one of those VISA priceless moments...
Microsoft added the feature of e-mail file attachment handoff as a way of further embedding Windows.
It means that you MUST have Microsoft products to read your e-mail (when someone sends you an MsWord document).
Back before Melissa I often told people to only send me RFC text e-mail. Some were sending Netscape HTML e-mail and some were sending MsWord file attachments.
Then came the virus... now even staunch "Windows is Great" people reject file attachments and I only get RFC text. All is happy again...
The problem with Microsoft's plan was multifold. The e-mail virus rumor was already out, hence the idea was already out there.
The programs the attached files would be handed off to were NOT made with a secure environment in mind.
The Ms Word dev team expected that any given Ms Word document originated from within the office or from the same computer. Who shares wordprocessing files in the processor's own special format? No one.
The dev teams of other office applications had similar ideas. Files are shared inner office not nation wide. Anyone who has access to the files are by default already inside the security loop, there's no need for an additional layer.
So fire all kinds of cool features. Gotta make a better product right?
Then comes the monster.. the feature/bug... now files are coming from OUTSIDE a security loop. Oops..
It's too late to secure the Office apps and make the network secure.
So what should Microsoft do?
Remove the stupid feature...
It isn't doing what Microsoft wanted... It will NOT lock anyone into any special formats...
Oops!! Too late.. Now Microsoft cannot even do THAT.. Why?
KDE included a feature in kmail to do the same trick with a twist.. kmail passes files only to secure network applications. No passthrough to any wordprocessor.. but passthrough to RealPlayer... passthrough to PDF... passthrough to an MP3 player.. Applications expecting files from OUTSIDE a security loop so they don't have neat features that could make innocent e-mail attachments into viruses...
Also Unix apps tend to have a small note of paranoia.. Unix is a secure system and admin like to read the source code. But they don't have time to read clearly so anything that LOOKS dangerous might make an admin think twice before installing. Could start rumors... and the Internet is good for paranoid rumors..
Microsoft apps tend to have a more "feature frenzy" attitude. Don't worry about side effects just add the feature. Flood it with features. New features to the left new features to the right. Features features features. Oh and yeah and we added FEATURES...
As such most Unix apps are network secure while most Windows apps are not.
There are the few.. the proud.. the odd man out...
But it's rare...
And if there is a way to exploit a feature it is usually not known (In the case of e-mail viruses it was SOO known it's insane...) so it'll take a field expert to find the bug and report it back.
With closed source this isn't an option. The bug will become known by a cracker and exploited...
With open source... the bug is known and fixed...
problem solved...
With e-mail viruses...
First the rumors....
Then BBS e-mail ANSI Bombs.. and the bug fixes
(In terminal programs, BBSes and in alternative ANSI.SYS drivers...)
It was a known issue...
The first chance Microsoft gets to embed every Windows application into e-mail they go for it.
Now every KDE application will be embedded in e-mail... Microsoft screwed themselves royally this time...
I don't actually exist.
> It's a VBScript that runs using the Windows Scripting Host.
.vbs = Virus Bearing Script ?
--
Sheesh, evil *and* a jerk. -- Jade
There is a big difference here. Whether it ran automatically, I don't know.. but the ILOVEYOU virus only affected OUTLOOK, *NOT* outlook express. It made mapi calls to outlook.....
ONLY outlook, not outlook express.
And remember, outlook and outlook express are completely different beasts. You can't assume things about one from the behavior of the other.
Seriously.
vbscript in windows is NO DIFFERENT than perl script.
We aren't talking about something embedded in HTML here. We aren't talking about something that needs a good security model. We are talking about something that is NO DIFFERENT than perl, or bash, or anything else.
IT WAS A RAW SCRIPT, NO DIFFERENT THAN IF I MAIL YOU A PERL SCRIPT AND TELL YOU TO RUN IT.
The only difference is the users. If I mail you a perl script, and tell you to run it, you will check it out first. Windows users do not have this instinct.
THIS DOES *NOT* RUN AUTOMATICALLY! THE ILOVEYOU CRAP *ONLY* SPREADS BECAUSE *IDIOT RETARD USERS* RUN IT!
Melissa and other such virii work by infecting Office documents with malicious code. You can attribute this then to Microsoft for at minimum, not taking proper precautions with what an Office document can do.
ILUVYOU on the other hand, is a standalone VBS script. It is not part of an Office document. Being such, it really is no different than any other executable.
The ILUVYOU worm would work on any Windows based e-mail program that followed the association of .VBS files to Windows Scripting Host -- not just Outlook. The worm's author simply chose to read your Outlook address book however. It could have as easily been your Eudora address book, but realistically, more people use Outlook, making it a better choice of attack.
Sorry, but this one ain't Microsoft's fault...
-JF
MrJoy.com -- Because coding is FUN!
Think about it. The script sends itself to people in your outlook mailing list. How could it get the list if outlook wasn't running? The fact that it still worked when you started it from Eudora should prove that it isn't Microsoft's fault, at least any more than Quallcom's(sp?).
VBS is a scripting language, just like anything else. Java, C/C++, Perl, anything. Perhaps the outlook shouldn't run program/script files when you click on them, but it's no different than any other mail program for windows/Mac
ReadThe ReflectionEngine, a cyberpunk style n
Wrong. A user clicks on an email message, and their email client automatically starts running an attached file
NO NO NO and I'm using my +2 for this.
The ILOVEYOU virus requires direct user interaction. They see an icon and some text telling them to click it, it doesn't start running until they do.
ReadThe ReflectionEngine, a cyberpunk style n
Point being, if you make software that enables a fscking email to access/erase files on your disks, and automatically send itself onward to everyone in your address book isn't the prime cause of this? Come ON.
No, they made a scripting language that does this. Just like you can put an rm -rf * in a bash script file. It isn't hard. In order for ILOVEYOU to run, the user specifically needs to run the file themselves. There isn't much MS can do about this, is there?
ReadThe ReflectionEngine, a cyberpunk style n
Is someone else responsible for their piss-poor OS design?
This has absolutely nothing to do with the OS design, but rather with their applications. If Outlook Express ran on linux, the exact same thing would happen.
Ask yourself this, what constructive purpose can there be for an email client that can change system files? Why should an email client be caused to generate messages by another message?
There isn't, but then, there isn't an email client that can do that on its own. ILOVEYOU is a script that is sent, along with some text telling the user to run the script. The exact same thing could happen in Linux or any other system with scripting capabilities (I could send you a shell script in an email and tell you to run it, if you were stupid, I could do basically anything I wanted. In fact, that's exactly what happened here)
ReadThe ReflectionEngine, a cyberpunk style n
I know how outlook works, and I know a little about how this trojan works. It is not run when you look at the email, but rather when you run the program that was attached with the file.
You need to explicitly run the program for it to do anything. Just looking at the email does not run the code!
ReadThe ReflectionEngine, a cyberpunk style n
Being able to send bad code isn't the issue. The problem is the receiver having no choice as to whether or not the code is run on their system, hence providing (potentially malicious) third parties the opportunity to do as they wish.
The code in the ILOVEYOU virus is not run by default.
ReadThe ReflectionEngine, a cyberpunk style n
Just a note, but from what I understand, the email client doesn't actually do anything to system files. The virus is a VBscript attachment- when you run it, it runs just like any other program run on your computer- the email client itself doesn't "do" anything. The virus then does _use_ the email client to spread the virus, but again- it's the VBscript attachment running that's doing it, not the email client itself.
Fact: Who cares anymore? This kind of shit will continue to happen for as long as we have computers. It is human nature to figure out ways to screw up the system.
That's right for some home user's system. But I disagree on enterprises, they should have an admin that sets up things so that users cannot destroy anything but their own data. And their own data should be backed up automatically for them - period. The system must be idiot-proof. If you cannot do this with Windows in combination with Outlook, use something else.
You're right and you're wrong. Security in software doesn't usually mean that the company who wrote the software actually harmed your computer, just that they left open the possibility for others to harm it. Which is what Microsoft did. Consistently Microsoft has trampled security in the name of "features" and then pointed a finger at their competitors and said, look they don't have this "feature". That practice, through the variety of bugs attacking DOS and Windows systems over the years, has arguably cost trillions of dollars. That's just flat out insane and it's time that someone called Microsoft on it. A feature that leaves you so easily open to malicious and extremely damaging attacks is a bug. Microsoft really needs to understand that point and stop "innovating" the American economy into a sinkhole.
-Mike
>I blame people who write e-mail programs that don't just send text, or try to run applications. Elm never does this to me.
What terminal emulator are you using? Can I send you some email? There have been abuses of elm in the past and it can run code since the trojan writer has all the unix tools to play with.
How is this done?
Use escape sequence that reprograms a key (like enter?) and then send a sequence to send the message to the shell '|/bin/sh' works nice and then see what happens.
Now most terminal emulators don't have these sorts of "reprogram enter" features but since they are in the VT100++ specs they do find their way into programs.
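The risk raised in the comment above, seen from the receiving side: a text-mode mail reader can neutralise control sequences before message text ever reaches the terminal. This is an added example, not part of the original comment or of any mailer's code; `sanitize`, `carries_payload` and the constructed `SAMPLE` message are names assumed for illustration.

```python
import re

# Terminal control sequences, in 7-bit (ESC + byte) and 8-bit (C1) forms.
# Order matters: string-type sequences are tried before the generic cases.
_SEQ = re.compile(
    r"""
      (?P<dcs>(?:\x1bP|\x90).*?(?:\x1b\\|\x9c|\Z))        # device control string, up to ST
    | (?P<osc>(?:\x1b\]|\x9d).*?(?:\x1b\\|\x9c|\x07|\Z))  # operating system command, up to ST or BEL
    | (?P<csi>(?:\x1b\[|\x9b)[0-?]*[\x20-/]*[@-~]?)       # CSI: cursor movement, colours, modes
    | (?P<esc>\x1b[\x20-~]?)                              # any other two-byte escape
    | (?P<ctl>[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f])      # stray C0/C1 controls (TAB, LF, CR kept)
    """,
    re.VERBOSE | re.DOTALL,
)


def sanitize(text):
    """Strip every control sequence from untrusted text.

    Returns (safe_text, findings); findings is a list of (kind, raw_sequence)
    in the order encountered, so the caller can log or warn about them.
    An unterminated string sequence swallows the rest of the text, which is
    also what a terminal waiting for the terminator would do.
    """
    findings = []

    def _drop(match):
        findings.append((match.lastgroup, match.group(0)))
        return ""

    return _SEQ.sub(_drop, text), findings


def carries_payload(findings):
    """True if any removed sequence was a string type (DCS/OSC).

    These carry arbitrary data to the terminal (titles, key definitions on
    terminals that support them), so they deserve a louder warning than a
    colour change.
    """
    return any(kind in ("dcs", "osc") for kind, _ in findings)


# Constructed sample message body: harmless placeholder content only.
SAMPLE = (
    "Subject: hello\n"
    "Plain line with a tab\tin it.\n"
    "\x1b[1mbold\x1b[0m text\n"
    "\x1bPplaceholder-payload\x1b\\after DCS\n"
    "\x1b]0;new title\x07after OSC\n"
    "bell\x07 and backspace\x08\n"
)

if __name__ == "__main__":
    clean, found = sanitize(SAMPLE)
    print(clean, end="")
    for kind, raw in found:
        print(f"removed {kind}: {raw!r}")
    print("string-type sequence present:", carries_payload(found))
```

Filtering at display time means the protection does not depend on which sequences a particular terminal emulator happens to implement.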
I haven't actually yet seen a live ILOVEYOU. But my understanding is that it comes as an email with an attachment which has the file-name extension '.vbs'. Anyone who would open an attachment with a filename extension they didn't recognise (or one they did recognise as being that of a scripting language) is in my opinion too stupid to use a computer.
This is not really a Microsoft issue, frankly, in my opinion. It would not be difficult to write a Perl script which when run mailed itself to everyone in /etc/aliases, $HOME/.mailer-of-choice/address-book, and so on. Then, if you encapsulated that in an email, you would in effect have produced a Linux version of ILOVEYOU. Mind you, of course, I don't know of any Linux mailer which comes out-of-the-box where the default action when an attachment perl script is selected is to run it...
I'm old enough to remember when discussions on Slashdot were well informed.
That's a valid opinion. However, if you believe this then you *can't* tell people that UNIX is harder to use than Windows. Sure, some of the programs may take longer to learn. But almost no popular UNIX mail reader would let you execute arbitrary code by accident (and it wouldn't be running as root even if you were stupid enough to do it on purpose).
If you think UNIX is too complicated for someone, then being happy to have them sitting one inviting click away from disaster is a big mistake.
perl -e 'fork||print for split//,"hahahaha"'
In addition to, or perhaps I should say above & beyond my loathing for Microsoft is a deep respect for sound, rational, logical thinking. And this article shows none of that. Are email macros a lame idea? Of course. Has Microsoft handled the situation badly? I wouldn't argue that. But it's inaccurate to compare Intel's bug to an exploit against Microsoft's design ineptitude.
There are some interesting points hinted at here. To draw some parallels -- are gun manufacturers responsible for gun deaths? (No.) Are auto manufacturers responsible for their design defects? (Sometimes.) Are tobacco companies responsible for smoking related deaths? (Not enough, if you ask me.)
This scenario seems to fit that pattern. Under the law as I understand it (IANAL), a company is responsible for damages directly resulting from the normal use of their products (not sure why Colt et al get excepted from this -- probably 2nd amendment nonsense), but indirect damages or damages caused by improper use of the product are not generally a liability. All the macro-type stuff that Microsoft allows is, while colossally stupid, probably well intended. There has to be some marketing drone in Redmond that actually thinks these things are a good idea, and the fact that someone is exploiting that "innovation" maliciously is, while predictable, not something that Microsoft is really liable for.
The Intel case is a little bit different, in that under normal usage the product would cause errors. Maybe not enough for anyone to notice, maybe not enough to bring about a lawsuit someday, but enough to be noticeable under certain conditions. I think they had a little bit more to be worried about, and their PR response was the Right Thing To Do To Cover Their Asses. A parallel gesture from Microsoft would be appreciated, but I'm hardly surprised that it hasn't been forthcoming -- like I say, they seem to genuinely believe that the benefit of these extensions outweighs the considerable burden they bring.
Slashdot is getting more & more prone to encouraging this kind of rubbish. Or maybe not -- maybe I'm just starting to notice it now. But anything that plays the Party Line gets carried along (M$ bad, open sores good, hardware neutral therefore acceptable, overclocking better, ad nauseam). I just metamoderated a perfectly reasonable post about the dangers of overclocking that had for no clear reason been marked as a Troll. Why? The person was making a perfectly reasonable argument about the subject, and raised some important points. But, the Party Line was crossed, and the result was inevitable.
Like I said at the beginning, I'm as anti-Microsoft as any of you ("Burn Burn! Die Die!" hahaha) but give me a fscking break, guys. An article like this hardly cuts it as news. I can think of something far worse than Microsoft has ever been: the Pack Mentality. Clearly, we're hardly above that around here...
DO NOT LEAVE IT IS NOT REAL
Do you have a source for this statement? The fact is that there ARE reports of this happening, which is better than what I've seen to back up your claim (i.e. nothing).
--
No more e-mail address game - see my user info. Time for revenge.
Win dain a lotica, en vai tu ri silota
You seem to be in a very vocal minority with that point of view.
Yes, you have said it way too many times. And you have nothing to back it up. There are firsthand accounts of it happening posted here. Are you saying those people are all liars?
--
No more e-mail address game - see my user info. Time for revenge.
Win dain a lotica, en vai tu ri silota
Examples: Melissa, BubbleBoy, ILOVEYOU. Enough said.
Yes, I know you think these can't be run automatically under any circumstances. I'll eat my words if you show me some facts to prove that.
--
No more e-mail address game - see my user info. Time for revenge.
Win dain a lotica, en vai tu ri silota
Please stop posting "facts" like that without any backup for them. I'd be willing to believe you except that I've seen many reports (firsthand, even - though you'd say they were just lying) that say it CAN run in the preview pane, and nothing to back up the fact that it will NEVER run in the preview pane, except for you and fougasse spamming Slashdot about it.
You've honestly tried this in every single version of Outlook? Or heard from a reliable source who has?
--
No more e-mail address game - see my user info. Time for revenge.
Win dain a lotica, en vai tu ri silota
Just one correction here, ISP working friend of mine tells me that you don't actually have to run this particular one... the preview pane in outlook is enough to run it, apparently.
This is false.
A proof-of-concept virus which runs when rendered in the preview pane of Outlook Express, and in the full view pane of Outlook, exists, (called Bubbleboy IIRC) but this worm has nothing to do with it. Furthermore, "all" that vulnerability allows is for arbitrary code to be saved (in plain view) into your StartUp directory to run upon reboot. In any case, MS issued a patch for this months ago.
Arguably, the finger and sendmail problems were coding errors, not designed in per se. The problems with Outlook et al. are the result of poorly thought out and designed features. I think the latter deserves more culpability than the former.
No, they were design errors pure and simple. However, the authors of finger and sendmail ought to be cut a good deal more slack than MS, because security issues had never before been a high priority for software development, and they couldn't really be expected to foresee the types of problems a global network would expose their code to. Remember, finger and sendmail were both written to be used on internal networks of trusted clients, not on the wilds of the Internet.
In the case of Outlook, we'd had years of experience with network security for the designers to draw upon. Unfortunately, they seem to have taken the same trusting mindset which characterized the pre-worm versions of finger, sendmail, et al--which is truly inexcusable.
On the other hand, there's nothing about this worm that couldn't be replicated by a script designed for any other email program. Yes, even Pine. Someone using Pine would have to type ^S to save the attachment, and then run it from the command line, but this isn't functionally any different from clicking on the "attachments" paper clip and clicking on YOU-MUST-BE-AN-IDIOT.vbs. Everything this trojan does could be accomplished in user-space in a Unix. The only real difference is that most Pine users are smart enough not to run a suspicious script they got in their inbox.
Of the three, only BubbleBoy can be run automatically, and only then if the user is running an unpatched version of IE. (The patch has been on Windows Update since last fall.) Furthermore, a BubbleBoy type virus requires a reboot to do any damage (it can only write arbitrary code, not execute it).
Don't have time to find documentation, but I'm entirely positive of this.
Not the same deal.
1. A "malicious" bash script can not make itself run as root.
The original ILUVYOU trojan doesn't do anything that would require root on a Unix. All it does is send itself to everyone in your Outlook address book (equivalent to sending itself to everyone in your Pine address book), make changes to *your* registry to run itself upon reboot (equivalent to writing a script in a user's home directory), and write itself over .jpg, .mp3, .vb, .vbs, and .awholelotmore files (all these files would be in user space).
The FunnyJoke variation overwrites some system files, so that would arguably need root on a Unix.
2. I believe (may be wrong on this) that the thing "looks" like a text file if you have "known extensions hidden" as per default.
If you have "hide known extensions" enabled then it looks like it's named "blahblahblah.txt". Problem is, if it was really a txt file, it would just look like "blah blah blah", since...you have hide known extensions enabled. Tricky, yeah, but not really MS's fault. Furthermore, the little icon next to it looks like a .vbs icon, not a .txt icon.
Can you please back this assertion up with even one citation?? If this virus could run from the preview pane, the information would be all over every media story on the virus.
But I don't even need to see the fact that every media source reporting the "preview pane" rumor has since retracted it to know that it's not true. I've read the damn virus code. I know how it works, and I know how the (since closed) preview pane vulnerability worked, and this simply ain't it.
Considering this worm runs itself through the preview panel, in Outlook that is, I find it hard to blame 'stupid' users, especially when most people know the damage .exe files can do to their system. "Don't run executables from people you don't know," didn't do much for ILOVEYOU.
Microsoft targets its products to new users, hey we were all ignorant once, I put the blame squarely on MS and the IT managers who use Exchange and Outlook for critical services. The 'stupid' user *should* be using software that is secure, false advertising and forcing users to use unsecure software at work is not their fault.
This article is sort of pointless. I do appreciate the comp between the companies' handling of the bugs; arguably the vbe scripting thing is a feature for some people, but for most, it's a problem. I really am shocked that no one in the media is railing MS for such a big security hole that they created intentionally. I mean, past saying that it only affects Outlook, shouldn't they be putting some blame on MS and not all of it on the hackers? I mean, if you cover yourself in horse blood and swim in a shark infested area, it's not all the shark's fault is it?
I'd like to clarify- more than "trivially easy", the Windows interface (and the WIMP interface in general) don't clearly separate the difference between opening a file and running a program. For computer beginners, this is a subtle and tricky distinction- especially with the inclusion of scripts into documents further blurring the line.
I don't know that there's just one thing to point at to blame- Microsoft's overemphasis on (and poor implementation of) "integration", poor user training, bad security settings, etc.
>Well if you leave yourself logged in, I can easily edit your login file with this line:
alias ls 'rm -R *'
Let me explain why this is not the same.
1. This will not affect system files. (unless "I" walk away from a root login, in which case, you own the system anyway, and "I" am just an idiot.)
2. If you do something to break the system under my login, then, from an OS design point of view, it is ME DOING IT.
NO SYSTEM CAN PROTECT AGAINST A PRIVILEGED USER WITH MALICIOUS INTENT!
So the question is WHY SHOULD EMAIL ATTACHMENTS RUN PRIVILEGED BY DEFAULT.
The answer is that they shouldn't, and that allowing it is piss-poor design.
-Peter
Slashdot cries out for open standards, then breaks them.
Not the same deal.
1. A "malicious" bash script can not make itself run as root.
2. I believe (may be wrong on this) that the thing "looks" like a text file if you have "known extensions hidden" as per default.
-Peter
Slashdot cries out for open standards, then breaks them.
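The extension-hiding point raised in the comment above, as an added example that is not part of the original thread: a mail-gateway style check that reports what a recipient would see with the final extension hidden and flags script attachments dressed up as documents. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
"""Flag attachments whose script type is masked by a double extension."""
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed lists for this example; a real gateway policy would be longer.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".wsf", ".bat", ".com", ".exe"}
BENIGN_LOOKING_EXTS = {".txt", ".jpg", ".gif", ".doc", ".htm", ".html", ".mp3"}


def _clean(filename):
    # Windows drops trailing dots and spaces, so "a.vbs." still runs as .vbs.
    return filename.strip().rstrip(". ")


def displayed_name(filename):
    """Name the user sees when the final (registered) extension is hidden."""
    stem, ext = os.path.splitext(_clean(filename))
    return stem if ext else _clean(filename)


def classify(filename):
    """Return 'ok', 'executable' or 'disguised' for one attachment name."""
    stem, ext = os.path.splitext(_clean(filename).lower())
    if ext not in EXECUTABLE_EXTS:
        return "ok"
    # A second, harmless-looking extension is what remains visible on screen.
    inner = os.path.splitext(stem)[1]
    return "disguised" if inner in BENIGN_LOOKING_EXTS else "executable"


def audit_message(raw):
    """List (filename, shown_as, verdict) for every attachment in a message."""
    msg = message_from_string(raw, policy=policy.default)
    rows = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            rows.append((name, displayed_name(name), classify(name)))
    return rows


def build_sample():
    """Constructed test message; addresses and file names are made up."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("blahblahblah.txt.vbs", "notes.txt", "setup.exe", "photo.JPG.VBS"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


if __name__ == "__main__":
    for filename, shown, verdict in audit_message(build_sample()):
        print(f"{verdict:<11} real={filename!r} shown={shown!r}")
```

A gateway would quarantine or rename anything classified as "disguised" or "executable" before delivery rather than rely on the recipient noticing the icon.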
Here's the deal, though. The virus was targeted toward luddite users who don't know what a .vbs file is. They may know what an .exe file is, possibly know what .com and .bat file are, but assume everything else will open in word. After seeing .doc .wpf .xls .msg .html .htm .gif .jpg, etc, they get really confused. They don't know what these files are. They just know that they double-click them and see what's in them. I know it's hard to put yourself in that position. I can't even remember if/when I would have been that dumb. I do know that I speak with technicians every day who are still unclear on this concept. Those that know better don't open weird shit. They save it, maybe open it with notepad, but don't open it right away. These are the kind of people who don't even need antivirus programs, and this particular virus isn't targeted at them.
Think about this, you receive an HTML file from a friend. The subject line says that it's the funniest damn thing they've ever seen. How do you feel about opening it? I personally wouldn't have too much of a problem with it! It's just an HTML file. Right? Consider this, luddites (like Lars Ulrich) don't know that a .vbs is anything different than an HTML file!
The problem is that micros~1 has no regard for the security of their users and has no security model between their mail client and their scripting language. The lack of even the most basic due-diligence performed by microsoft in this regard is abhorable and they should be punished to the maximum extent of the law.
___
The bottom line is this has caused more than 2 Billion dollars worldwide in lost productivity in less than a week and microsoft should be made to pay some kind of reparation for their actions.
___
I dunno about you folks... but I am not complaining that MS finally created a useful script format. .BAT was insanely outmoded, and everybody knows how useful shell scripts are right? Well .VBS is the equivalent for the Windows world!
The virus could have easily been written to target UNIX users by attaching a virulent shell script that gathers addresses from the NN address book and fires them off via sendmail. It just doesn't happen because UNIX users are generally smart enough not to execute a shell script sent through a form letter without proper explanation or examining the source.
The problem here is that so many incompetent (and obviously love-starved) people use Outlook and just run whatever attachments are sent to them. As Linux builds in popularity, a trojan like this will start to affect us as well (well maybe not US, but UNIX systems).
The solution here, as always, is education of users. I don't want MS to disable .VBS or VBA macros in Word/Excel because they are extraordinarily useful to me, not to mention thousands (?) of other NT system administrators and Office power users.
-rt-
** Evil Canadians are taking over the world. Learn about the conspiracy
Microsoft is _not_ to blame for the recent ILOVEYOU trojan horse. (1) This is a trojan horse that takes advantage of attachments, regardless of OS or mail reader, someone could mail you a trojan horse. It is up to the user to avoid trojan horses.
This is quite simply not true. On a system with a concept of different security levels, the user can only affect things writeable by that user. The user could hose himself, but not the computer. As a bonus Unix mailreaders are set up by default to save executables to files, not to execute them. Some of them are set up to display DATA, but NONE are set up to automatically run powerful executables.
So no, you cannot write an effective trojan horse virus on any system. Just any system designed without ANY security concept in mind.
(2) People claim that MS Outlook's easy access to the address book is a bug. Does that also make the vast majority of unix based mail readers (pine,elm,mutt) buggy since I could easily write a trojan horse to take advantage of their address books?
Again, you CANNOT write an executable that will automatically be executed by the users of pine, mutt, and elm. Maybe you should try it. For me it goes something like this.
Step 1). Save executable to disk
Step 2). Think if there is a REALLY good reason to run the executable.
Step 3). Think about how trusted the source is.
Step 4). Delete executable.
The basic point is that the Unix mailreader is set up BY DEFAULT NOT TO EXECUTE CODE. That is a safe default, and it is one of the strong points of a SECURE operating system (see openbsd.org for discussion).
This problem has one and only one cause - an operating system and mailreader designed without thinking about security AT ALL.
As a bonus it is always fun to watch the marketing scams pulled in the aftermath of such a debacle. Microsoft KNOWS their users, by and large, will NEVER patch anything, and will NEVER change most shipped defaults. And they set up the machines insecure by default anyway.
The 'feature or bug' allows third parties the opportunity to wreak havoc with the users' system - in a corporate environment that's unacceptable. Unlike with the oxygen in the atmosphere, MS knew that malicious individuals would try to exploit any vulnerabilities in their software, and should have put a little more forethought into their design.
http://james.mcglinn.org/
On the corporate network at the office, the preview pane would NOT initiate the script. It would appear as an icon, and then if you clicked it, you were suddenly thrust to the bottom of the gene pool. Since e-mail is such an important part of corporate communications, after IT turned off our servers for precautionary measures, we got to play around with it. :)
btw, we had more incidents of the macro being spread by people double clicking "infected" files on networked machines that didn't even have mail clients installed. That trick of overwriting the jpg file with the script killed our technical publications department.
Paul Bryson
-pB
I can't agree with the "Probably $0" on the public cost of the Pentium bug. I had recently transitioned from a research position to the computer field when the Pentium bug was found. I remember it being a *real* concern for researchers who were using Pentium machines for statistical analysis of their experiments. Their experiments were in many cases recursive and with this obscure error in the mix, they became unable to feel they could confidently report on their results. It effectively required them to redo, in some cases, years of work in order to verify their results before publication. Especially difficult for them was a key question - who would pay for the time to redo when the original research time had been paid for by a one-time grant fund that was now all dried up?
Also - consider the cost of the time involved on the part of any company that sold a customer a turn-key package system based on a Pentium computer with a bad chip: that company might have had to fly a tech out to the end user to replace the chip under warranty. That is a small but non-trivial expense.
And one last note: On a SCO Unix machine running X windows, the error could be clearly seen anytime one moved the mouse - a diagonal line would appear on the screen if the mouse was moved in a certain direction (like left to right). Eventually the session looked like a copy of Space Invaders gone haywire.
Why is using a built-in feature of Outlook suddenly a "Virus"? A while back, GM implemented some rather silly designs on their trucks and their saddle bag gas tanks. Under "normal operation", this was not a problem... but when a truck was hit by a car the probability for a fire and an explosion was higher. GM was accused of poor design, of not caring for the lives of people, some accused them to be more worried about money than people's well being and of being criminal in that respect. Now, MS has implemented some rather silly things in their OS too, without (it seems) paying a second thought to the consequences of some of the "features" that they are offering to their customers... How come MS is not finding itself under the spotlight here? Aren't they responsible? Can't they be accounted responsible for their action like any other company in the "traditional sector"? Even more interesting to me is the question of why the US military would suddenly be surprised that they have made themselves susceptible to major downtime by choosing the wrong OS a few years back. So far, not a SINGLE news report I have seen clearly stated that only Windows users (and SOME Mac users running Windows software) are really at risk. When the GM truck problem was discovered, not ALL owners of trucks and cars were told to stop filling up their gas tank, just the GM owners. There is nothing wrong with email attachments, as long as you use a software package whose design is not controlled by a few gimmicky features. This, I think, is where the Linux/Unix crowd could do a lot more to educate the public, and the news media....
nope, sorry. the default setting causes the script to be dealt with as if it were an embedded feature of the message (just as if HTML were in the message) and it's executed without any user action. I actually saw this happen, so please no more trolling.
News for Nerds stuff that matters vs Stories by geophile
intention
/. : Satisfy public's demand for breaking news and latest technological advancements, try to stay ontopic of OSS
geophile : Get public's attention by posting lame comments that no one cares about, try to stay as much off topic as possible
audience
/. : Nerds (mostly)
geophile : Nerds (mostly)
goals achieved
/. : Latest news and tech coverage brought to millions of GNU/Linux users (mostly)
geophile : geophile's name spelled by millions of GNU/Linux users (mostly), valuable HD space wasted
usefulness
/. : Quite useful, sometimes off topic
geophile : Useless, off topic
reaction
/. : lots of comments generated on Slashdot.org site
geophile : lots of comments generated on Slashdot.org site
profit
/. : Banners / Ads / user feedback
geophile : individual satisfaction
for the future
/. : hope slashdot keeps up good work
geophile : hope geophile is forced to use Windoze for the rest of his life
You can't handle the truth.
I think your points are valid. Despite my dislike for most things Microsoft, this situation is really the same as someone running any other executable attachment. The virus relied more on social engineering than any operating system weakness to replicate.
I took the opportunity to analyze and comment the entire virus to get a better idea of what this thing was doing to our clients. I tried to think of some things that could be changed in the Windows model to make it tougher for this type of virus to succeed, and came up with the following:
1. The operating system should minimize the kinds of things that can be done behind the user's back. One of my biggest pet peeves is the fact that Windows has several different locations for programs to be triggered at startup (including registry entries like .../Run, .../RunOnce, .../RunServices, and .../RunServicesOnce). We've got a Startup folder already; why doesn't Windows force programs to use that?
2. Users tend to be kept in the dark about important features in the Windows OS. I put IE5 on my computer at home without paying attention to the Windows Scripting Host aspect; don't you think that if another executable format is being added to my system I'd like to know about it? This is a feature I neither want nor need (and, actually, so is IE5...)
3. Crucial system features and files can be casually modified without tripping any alerts. A user on a Windows 9x system is always the equivalent of root. On Linux, you can sandbox the effects of a hostile application somewhat by running it as an unprivileged user.
4. Documents should be documents, not programs. Macros and scripts are nice, but should they really be a part of e-mail? Was plaintext e-mail such a bad thing really? :) When people get a .DOC, aren't they expecting a standard document? Really, I think much of the problem is integration where we don't need it and/or least expect it. Should a HTML page be able to access your hard drive?
The biggest part of the problem is that some users click blindly on attachments that they receive. Many use attachments as part of their job daily and still believe that attachments are only part of the document, not a separate file or executable. Education is the best answer to this, but if Microsoft worked to add better prevention and damage control to their OS we'd all be happier.
---
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Recent GeekPress
Computers as Clothes
State Dept Missing Two More Laptops
I divorce thee, I divorce thee, I divorce thee
-- Diana Hsieh
GeekPress: The Weirder Side of Tech News
Yes, Microsoft is evil, as everyone on /. knows. But is there anything else this story wants to tell us? I fail to see the point.
Fact: This is a script and only causes problems when some clown at the office opens it up without having a clue what it is.
Fact: The WSH is a cool feature (I guess) but has too much power over the registry.
Fact: It is neither MS's fault nor the script writer's fault, it's the public's fault for playing with computers and relying on them so much without knowing what the hell they are doing with them.
Fact: Who cares anymore? This kind of shit will continue to happen for as long as we have computers. It is human nature to figure out ways to screw up the system. Contrary to what everyone wants you to think, we are not a hive colony, we are individuals, and we all have our little quirks, some of us just like to break stuff..without people breaking things there'd never be any advancement in technology.
To fight and conquer in all your battles is not supreme excellence; supreme excellence consists in breaking the enemy's
Pretend that you are the CIO of a large corporation. You have 10,000 users. Due to the amazingly skilled people in HR, 99% of the users are not idiots. Congratulations, 100 users just double clicked on ILOVEYOU and took down the mail server.
Mea navis aericumbens anguillis abundat
Someone please show me where the bug is. I don't get it.
I can write a shell script that sends out billions of messages too, if you run it. I can make it attach itself to email addresses, and I can make it do it using your pine address book.
Where is the bug?
The only bug is the idiot moronic users who run attachments without knowing what they are.
Remember, ILOVEYOU does *NOT* spread on its own, and does NOT execute automatically, and contrary to what this article says, is NOT an 'outlook macro' virus. It's just some vbscript, in a .vbs (analogous to a perl script or a shell script). It must be run manually in order to do anything.
This isn't a script that runs inside of Outlook people. It's a VBScript that runs using the Windows Scripting Host. It's just like a bash script, or a perl script. SAME DEAL. It's just like people getting an .EXE in the mail and running that. It's a trojan not a virus. There are two reasons this caused so much damage. Reason 1, people are stupid. Plain and simple. Reason 2, people aren't used to seeing files with a .vbs extension. If someone got a .pl in the mail and ran it on their unix box and it fucked shit up, everyone would be like "STUPID USER!". With this everyone is going "MICROSOFT BAD, DIE MICROSOFT!!!". Now granted Outlook security is extremely lacking but this is not a fault in Outlook. It's a fault of people and people are dumb.
No bug caused the m/billions to be lost, but rather a feature caused the money to float away.
Although not entirely responsible for the trojan macro, the feature is the security breach that allowed the macro to happen. Oxygen's responsibility for WWII is significantly less than this feature's responsibility for the fiasco. The proper analogy that Glowing Fish is looking for is not oxygen, but rather guns and stupid politicians.
Before I entered the IT field for real, I disliked MS but thought "Oh, what the hell." Now when I hear Gates and Co. talk about their right to innovate, I just think of this and all the other malicious macros. These are not "innovations", they are poorly planned and implemented features. These features have done far more harm to business than they have helped. I wonder about the usefulness of storing macros in normal.dot and I challenge anyone to give a good reason for including VB/A/Script in an e-mail message.
I can't help but feel as though MS's "right to innovate" has seriously limited business. Now, even small companies have to have dedicated IT departments. A mis-implemented feature causes world-wide computer havoc. Promised productivity increases seem to melt away. A crash in a browser, a friggin' Internet browser, takes down the entire system. Users trying to get work done turned into beta testers so that MS can hit a product timeline. It's crazy.
And why don't the PHB take note? Because IT departments like fat budgets, and like fish, PHB like shiny things. -sk
Personally, I'm really interested in seeing if it's possible to add a 'graphic' to a vCard which is actually disguised VBscript. Malware that propagates via infected vCards should be able to fly under the radar for quite a while. Certainly long enough to become very, very widespread.
Lacking <sarcasm> tags,
The designers of the scripting capability in MS Outlook are responsible for this, and the writers of this particular version of the ongoing Outlook security exploit are pointing out that somewhere along the line, someone was seriously ignorant (as in lacking knowledge of thirty years of networked security issues) and unwilling to learn.
Under what circumstances should sendmail have a feature allowing it to automatically forward messages to everyone in /etc/aliases?
Should every installation of procmail include, by default, a well-known filter that will delete files specified by the incoming email?
If it is valid at all to design in features that permit large-scale spamming without the consent of the user, or features that will modify files without the consent of the user, is it valid to turn these features on by default, so that the least competent users are likely to be the most badly affected? How is it possible to call the ability for random strangers to delete your files "ease of use" (with a straight face)?
On a slightly gruesome note, I only wish that viruses were really as deadly as, say, ebola or bubonic plague. In that case, they might contribute to evolution--the early death of the unforgivably stupid. But that may be too harsh, and there is a good chance that the fool who designed (or ordered to be designed) such trivially easy-to-abuse features ... has them turned off, personally.
Amy!
There are firsthand accounts of it happening posted here.
Where? There are no firsthand reports of this trojan running in the preview pane, and indeed there can't be, since the preview pane Outlook Express vulnerability has different permissions than this worm. Specifically, a preview pane OE virus can "only" run Java Script code and/or insert arbitrary code into your StartUp directory to be run upon reboot. In any case, the source for this worm is widely available, and anyone who understands the issues involved can see that it does not run without being specifically clicked on by the user.
Finally, the preview pane vulnerability has been closed via a patch for months. Most users probably haven't applied it, but there's really nothing more MS could have done (besides not designing ActiveX so poorly in the first place).
{sigh}
I see, once again, that MS is coming under fire, and probably for good reason (the address book thing is simply an error on the part of microsoft, I admit, and it shouldn't be so easily used by outside applications), but they're not the sole part of this blame.
The visual basic script is equivalent to an executable file in Windows. Most users don't see the vbs on the end, which is partly the "funny" naming convention of the file. (All bold til the extension.) People will learn from this, I hope, but then again, many people still run .exe files they get in the mail, too.
I would say that if I got a file and I activated the contents, no matter what operating system I'm using. If I ran the .exe equivalent on my mac or GNU/Linux system, then I would expect SOMETHING to happen. Think of the Windows scripting stuff as the old batch files (or scripts). They do stuff, but people don't know how much damage they CAN do.
The blame for this falls on the shoulders of the virus (?) writer(s) and the users stupid enough to activate it. Microsoft should fix the address book thing in Outlook, but there's no security hole unless it's the one where the user's brain shoulda been.
Don't gimme that "Well, if they're using windows, they're stupid users and MS should have anticipated that." They have no responsibility if someone's a complete screw up, no more than Saturn is responsible for the girl that nearly ran me over yesterday (SEE THE STOP SIGN!)
Fully anticipating "flamebait."
Dan
One of the quotes from the article:
Microsoft is partly to blame for the bug because the company puts a priority on adding new features to its programs instead of security, said Mikko Hypponen of F-Secure Oyj, an Internet security company in Espoo, Finland. "It's a Microsoft problem, and it's hurting them," he said. Microsoft's Windows operating system, used in 90 percent of personal computers worldwide, includes scripting software that allows anyone to rewrite programs. Hypponen advises most companies to get rid of the scripting software for their employees who don't need it.
___
The "slashdot community" (whatever that is) typically never takes a "blame the tool" approach. Things like Napster which facilitate music piracy never receive the blame for piracy - the user does. This example is applicable to many of the issues which are discussed on slashdot.
The only exception to this rule is a Microsoft tool.
If Microsoft writes a tool which users fuck themselves over with, Microsoft - and not the clueless users - get the blame. Why is Microsoft an exception to "guns don't kill people, people kill people".
IMHO, anybody who supports Napster on the basis that it is only a tool, yet blames Microsoft on this worm (or any other worm which was not coded within Microsoft), needs to have clues beaten into them severely, and spoon-fed to them for life.
everyone is on crack!!!
how come everyone is saying that this isn't a problem and moderating up other folks who say that this isn't a problem?
this is a HUGE freaking problem. 60% of ALL the email systems in sweden were taken down. 30% of the email in england. All the canadian government email was taken down.
look at that. millions of people without email for a prolonged period of time and tell me there isn't a problem here.
And it isn't over yet. Everyone is looking for email with "ILOVEYOU.txt" on it but they aren't looking for the email with "warn I love you virus" as the subject. For the next couple months that's what we're going to see. Except it won't be a warning. It will be the virus with a different name. Seriously. Now there are thousands of people out there who know they can disable the email system in a school or a town or a company just by changing the subject line of the email and sending it to someone in there.
Think about a new ILOVEYOU virus every week for the next three months. Still think there isn't a problem?
but the real problem is far deeper and longer lasting. I remember when I first was introduced to email when i came to america in 96. The first question I'm asking myself is, "can't people hack our computer?" See back then I didn't know the difference between a hacker, a cracker, a hax0r, script kiddie, a virus writer, or anything. All i knew was that it didn't sound good.
The general public still doesn't fully trust computers and they trust the network even less. There are a couple people at my college whose parents didn't let them have the internet in their house.
There are many more who don't use instant messaging still because of fear of hax0rs.
Or i could rant about all the helpful aunts out there who send people forwards with hoax email virus warnings. It's not the aunt's fault. It's the fault of negligent computer companies who allow for real email viruses. It's harder to make an email program that will allow a virus to propagate than it is to make a secure email client so they can't even claim they did it out of laziness.
It's stupid stuff like this that puts a barrier in front of people that might otherwise benefit from technology.
Some of the commenters are blaming it on the outlook users. That's not very smart in my opinion. Why should the users be afraid to open attachments? Why should they be afraid to look at email? We aren't talking about email from friends as was the case with this virus. I'm talking about email from complete strangers.
I am on a couple of mailing lists and I get email from over a hundred strangers every day. But do i worry about it? NO! I just open it right up and look at it. That's because my email client will only read text and pictures. No executables. No viruses. No trojans. I can just open it up like there was nothing to it. AND THAT'S THE WAY IT SHOULD BE!!:(
No, they aren't. Just ask them what they think they're about to do before they do what you say they're doing. They're highly unlikely to say "I'm going to manually run this executable".
More likely, they'll say "I want to see what's in this file!". And that's what double-clicking an icon is for. (Except in certain contexts, when a sizable percentage presumably knows double-clicking runs a program. Reading email is clearly not one of those contexts.)
The fact that they aren't shown what's in the file, but instead have arbitrary code with the equivalent of Unix `root' privileges executed on their system, in an environment where tight integration among applications basically guarantees easy access to all sorts of personal data, makes this a highly preventable, as well as insidious, bug in the design of Microsoft software.
IMO, the biggest enabler of this bug was the decision by Microsoft, at the highest levels, to deploy Windows 9x as an "easy-to-use" OS for people wanting access to the Internet.
Even at the time that decision was made, Microsoft certainly had more than enough expertise to know it was a technically unsupportable one, from a security standpoint. I.e. they knew the Internet was hostile, that Win 9x was unsecure, that their highly integrated software made even security-by-obscurity basically irrelevant, and that their targeted user base had no expertise in securing themselves against the inevitable problems.
(At least, I really doubt I understood these issues better as a 16-year-old in the mid-'70s than the geniuses at Microsoft did circa 1995. Actually, even in the late '70s, I couldn't understand how these newfangled personal computers could fit a whole OS in 64K, until I was stunned to find out they'd ignored the whole timesharing security model. The viruses that swept the PC- and Mac-using world were never a surprise to me, of course, nor to most anyone else hacking timesharing systems before the PC generation.)
The estimates I've heard of losses are in the $Billions, but I agree Microsoft won't have to pay a dime (i.e. they won't recall Win 9x for all Internet users).
And bear in mind I'm not saying MS should have taken steps to prevent people using Win 9x for Internet use. They should have made it clear it wasn't suitable, and left it up to end users to decide whether to install 3rd-party software that let them ride the 'net. Of course, that wouldn't have earned MS the huge extra $Billions in income, or the huge additional stock valuations, which is why they didn't do the obviously "right" thing.
BTW, my wife, whose responsibilities include an IT department at the world headquarters of a well-known institution, was, needless to say, not happy about the ~36 hours of organization-wide downtime suffered due to this bug. Especially when I said "gee, don't y'all have your SMTP servers reject any incoming email that have unrecognized, or code-bearing, attachments?", she said "no, we can't make our [MS-based] software do that", and I pointed out that it was a topic often covered as being fairly easy to do on the qmail mailing list. I had assumed, obviously erroneously, that last year's Melissa had convinced everyone to get their act together, disable certain kinds of attachments, etc. Not that I pay much attention to viruses: I run GNU/Linux, and use a dialup (no static IP), among many other things. The only time I see virus-protection software being run is when it's being run on someone else's computer!
Why businesses willingly pay $Millions to Microsoft so they can get "flashy" software that causes them random downtime of days per year, with "nobody to sue" as the anti-Open-Source FUD goes, is something I have yet to be able to explain using logic. (Using psychology or anthropology, however....)
Practice random senselessness and act kind of beautiful.
Just the same way that accidental gun deaths are a user education issue. And prescription drug overdoses. And smoking-related lung cancer. And traffic accidents. All of these things could be prevented if the user just *weren't* *so* *dumb*.
Wrong. A user clicks on an email message, and their email client automatically starts running an attached file? Stupid-user or not, this 'feature' is just plain unjustified. How many seconds would you have to use up to think of a way to make this program more secure? How about prompting the user: "Run attached file: ILOVEU.VBS? (Y/N)"
Writing software that makes it easy for strangers to take advantage of the user is just plain negligent. Plenty of sensible software writers know that their software is going to be used by users of a variety of skill levels, and take this into account when writing. mIRC, for example, is set by default to decline DCC sends of .exes, .vbs, etc. This is just good sense.
Which is better, to make a program secure by default, and let users turn off security if they want? Or to make it insecure by default, and blame the users for not turning on the security?
hm.
--
share and enjoy
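An added illustration (not part of any comment in this thread, and not code from any mail server or client named in it): a default-deny attachment check of the kind the comments above describe, rejecting code-bearing or unrecognized attachment types and flagging a script extension hidden behind a harmless-looking one. The extension lists, function names and sample message are assumptions constructed for this example.

```python
import email
from email import policy

# Assumed policy lists for this example; a real deployment would tune both.
ALLOWED = {".txt", ".jpg", ".gif", ".png", ".pdf"}
CODE_BEARING = {".vbs", ".vbe", ".js", ".wsf", ".exe", ".com", ".scr", ".pif", ".bat"}

def classify(filename):
    """Return (verdict, reason) for one attachment filename (default deny)."""
    # Windows ignores trailing dots and spaces, so strip them before judging.
    name = filename.strip().rstrip(". ").lower()
    parts = name.rsplit(".", 2)
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in ALLOWED:
        return "accept", "recognized data type " + ext
    if ext in CODE_BEARING:
        if len(parts) == 3 and "." + parts[1] in ALLOWED:
            return "reject", f"{ext} hidden behind decoy .{parts[1]}"
        return "reject", "code-bearing type " + ext
    return "reject", "unrecognized type " + (ext or "(none)")

def scan_message(raw):
    """Return [(filename, reason)] for every rejected attachment in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    checked = [(n, *classify(n)) for n in names]
    return [(n, reason) for n, verdict, reason in checked if verdict == "reject"]

# Constructed sample message: one decoy-named attachment, one plain text file.
SAMPLE = """\
Subject: constructed sample
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="NOTE.TXT.vbs"

(constructed placeholder, no script content)
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="minutes.txt"

agenda
--b1--
"""
```

The check looks only at the declared filename, so it is a first gate at the mail server and does not replace content scanning.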
I am as anti-Micro$oft as the next red blooded American, but this is not quite fair. This table seems to say that the bug in M$ Outlook is responsible for the ILOVEYOU virus...which it isn't. The feature or bug in M$ Outlook is there because it is supposed to be helpful (which it probably isn't), but it is not malicious, and would not cause any damage if somebody else had not tried to be malicious.
To say the bug caused billions of lost files is an argument of insufficient causation. It was one of the causes, but not the finishing cause, of the loss of files. Much like the presence of Oxygen in the atmosphere was necessary for WW II to be fought, but that doesn't mean it caused World War II.
Just my $0.02 U.S.
Hopefully I didn't put any [] around my words.
The worm utilizes a known Microsoft Outlook Express security hole, Scriptlet.Typelib, so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system. --from http://www.symantec.com/avcenter/venc/data/wscript.kakworm.html.
Granted, this is the kak virus, and granted MS issued a patch, how long is it before someone ports the ILUVU virus to exploit this hole where the user DOES NOT NEED TO OPEN THE ATTACHMENT, just view it? Outlook and OE have horrible security. Tying the scripting language into the system was their way to make MSN as easy (sorta) to set up as AOL. Ever tried to set up MSN? Uses pervasive scripting which does not always ask for a prompt before running. This is not a buffer overflow error, but one (perhaps of many) exploits where windows scripting does not ask for permission to run.
Be ot or bot ne ot, taht is the nestquoi.
Well, first ask yourself these simple questions.
Did we have these problems before Microsoft started "innovating"? I remember when people would send out warnings about "THE GOODTIMES VIRUS". We all laughed, because we knew it could never happen.
Do we have these problems now? Well, yes, many Windows users have these problems. Users of Microsoft products and products that support Microsoft "standards" are affected.
How long has this been a real problem? For at least 6 years, ever since people found out you could do this in Word 6.0 for Windows 3.1.
So what is Microsoft doing about this?
From their page:
So does their advice help any, for preventing the spread of ILOVEYOU?
No, it doesn't. ILOVEYOU sends you messages from people you trust. Why would you send a message back asking them about it? I get messages from people all the time that say "Hey, read this, it's funny." I'm not going to write them back and say "Yeah, but will it crash my computer?", because that doesn't make any sense. Macro virus protection and scanning doesn't apply here either, because Outlook doesn't even offer a warning! The user just clicks on the attachment to see what it is, like usual, and BLAM, their system is hosed. In fact, there have been some reports of Outlook opening it with the "Preview Pane" (perhaps if earlier patches for Melissa weren't installed).
So, in my opinion, Microsoft isn't doing enough. They never should have created Word BASIC in the first place, they should never let what should be a formatted text file make system calls, they should never let users run everything essentially as 'root', and they should fix their software *AND* pay back the community bigtime for damages.
But hey, make your own decisions. If that wasn't enough to convince you, go read what the media has to say. I'll just sit here quietly, wondering what's wrong with the world, as my machine doesn't crash.
---
pb Reply or e-mail; don't vaguely moderate.
From: 5kr1p7.k1dd13@hotmail.com
To: black.parrot@where.ever.ur
Subject: ILOVELINUX.txt
Hi. Please type the following at your prompt -
sudo rm -rf /
Love ya,
5kr1p7
--
Sheesh, evil *and* a jerk. -- Jade
Arguable whether it's a feature, but whatever.
If I wrote a unix shell script that grepped through a user's home directory for email addresses and then used sendmail to propagate itself to those people, it would be very very similar to the love bug. The -only- significant difference is that Outlook makes it trivially easy to open and run attachments. It's a trojan horse: only works if the user actually launches it.
Feel free to lambast the intelligence level of your typical Outlook user, but pick your battles.
I am no great Microsoft fan. I don't despise them either. I do, however, know most of the facts in this case, and 99% of the Microsoft-bashing here is unwarranted.
First, some facts about what Outlook does. It does not claim that the file is a text file; it is displayed with the VBScript icon, and depending on system configuration, a .vbs extension. It does not run the file automatically -- users have to manually run the attachment. Even after clicking on the attachment, by default Outlook warns users that it may be a virus and the default option is to save the file, not to run it.
So, in order to be infected, users have to read the e-mail message, click on the paperclip icon to open attachments, click on the file which has a VBScript icon and usually a .vbs extension, then click "Open this" on a dialog box that warns them that the file may contain a virus. This hardly sounds like a security hole to me; it sounds like stupid users. It is basically impossible to run the virus accidentally.
The other criticism that's heard often is that users having full, root-like control is the problem. (This isn't the case in Windows 2000, by the way.) Yes, Win98 sucks, and yes, this may be a security problem, but it is completely irrelevant in this case. The virus reads your address book, sends several e-mails, then deletes certain files in the user's document directory. None of these actions would require root privileges on a system that implements them. (The virus also attempts to obtain system passwords, but this is not the part of the virus that is causing damage -- nobody has been affected by the virus obtaining passwords.)
Most of the MS bashing here is grounded in imaginary security holes. I'm not a great MS fan, and I hate Win98 as much as anyone, but if you want to criticize them, don't lie. What's being said here is worse than the stuff that Microsoft says about Linux -- at least that stuff is based at some point on facts or semi-facts.