When I arrived at work last Thursday morning, I had three email messages waiting in my inbox, one of which contained the recently discovered Love Letter virus. Apparently, someone I don’t know had stored my email address in his address book. Later, when that person became infected with the Love Letter virus, the virus sent a copy of itself to me and everyone else in his address book. But because I don't open attachments that I didn't ask to receive, my systems remain unaffected.
Anyone can inadvertently receive a script-based virus, but not everyone understands the need to guard against that event. Many people don't think seriously about virus protection until after they've suffered damage.
Microsoft says viruses don't necessarily represent security issues, but instead are a social phenomenon. What Microsoft doesn't say is that virus writers routinely target Internet Explorer (IE) and Outlook clients because of their functionality. Virus writers claim that it's easy to spread a virus on Windows platforms because of powerful scripting technology installed as part of the tightly integrated desktop and Microsoft Office applications.
Many security professionals think Microsoft's approach to scripting allows too much access to OS resources. Many developers cite Java as a preferred language for secure desktop scripting because of its sandbox security technology. According to Symantec's Antivirus Research Center database, there are currently only five variations of Java-based viruses, but there are 28 VBScript-based viruses with 81 variations of those original 28. The database reveals that Love Letter is the most prolific virus to date.
According to research firm Computer Economics, more than 78 million people received a copy of the Love Letter virus in the first several days of its spread. Michael Erbschloe, vice president of research for the company, said the virus caused $6.7 billion in damage during the first 5 days. That figure is expected to reach $10 billion or more before Love Letter and all of the variants have been eradicated.
In this week's Time Magazine, Microsoft Chairman Bill Gates implied that if Microsoft were split into two companies, new versions of Microsoft products might become hard to obtain. Gates also implied that those new versions could protect against various intrusions similar to the Love Letter virus. Is Microsoft now headed into the antivirus software arena, or is Gates just admitting that the company could improve the security of its scripting technology?
In either case, we can protect against viral nuisances today, regardless of how Microsoft structures its company tomorrow. Anything from complete Windows Scripting Host removal to centrally managed file attachment filtering and virus scanning would suffice.
I've heard people complain loudly over the past few years that they think Microsoft's software is overpowered and too tightly integrated, but up until the Love Letter virus outbreak, I didn't share that opinion. I was more inclined to think that training was the answer for controlling all this powerful network-enabled software. But now I see the situation differently.
The Love Letter virus clearly points out that not everyone understands the ramifications of using Microsoft's embedded and integrated technologies. Relatively few users receive training before they are exposed to a Microsoft desktop. For most, training either comes after the fact or from the school of hard knocks, whichever happens first.
Have Microsoft's advancements with embedded and integrated out-of-the-box technology outpaced the average end user's ability to understand and control that functionality in a reasonably secure fashion? Stop by our Web site and post your opinion; you'll find this editorial and a new survey linked on the home page. Until next time, have a great week.