Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
News

Intel FDIV bug vs ILUVYOU 403

Posted by CmdrTaco from the stuff-to-read dept.
geophile sent us a really interesting comparison of the similarities and differences between Intel's notorious FDIV bug of ages past (well, at least it seems like ages) and the recent ILUVYOU macro virus. Its amusing, but at the same time it really gives an interesting perspective on the whole deal. Hit the link to read it

The following was written by Slashdot Reader geophile

Pentium FDIV Bug Outlook Macro Viruses
Nature of the bug Loss of precision in floating point division. Gaping security hole due to the combination of VBA scripting and Outlook.
How to provoke the BUG E.g. x - (x/y)*y for some x, y. Open the ILUVYOU attachment.
Damage caused by the bug Probably none in practice Millions of damaged files and registries
Bug found by Thomas Nicely, Math Prof Numerous virus writers.
Bug created by Intel. Microsoft.
First response by bug's creator. Claims the problem isn't serious. It's a feature, not a bug.
Second response by bug's creator. Free replacement of faulty CPU. It's a feature, not a bug.
Cost to public Probably $0 Probably $millions
Cost to creator of bug $billions $0

As you clean up your registry and replace your damaged files, just keep a few things in mind:

  • Microsoft just wants to be free to innovate and to bring great software to consumers.
  • We wouldn't have great software like Windows and Office if Microsoft hadn't violated anti-trust laws.
This discussion has been archived. No new comments can be posted.

Intel FDIV bug vs ILUVYOU More

Intel FDIV bug vs ILUVYOU

Comments Filter:
  • In order for ILOVEYOU to run, the user spesificaly needs to run the file themselves There isn't much MS can do about this, is there?

    Just one correction here, ISP working friend of mine tells me that you don't actually have to run this particular one... the preview pane in outlook is enough to run it, apperently.

    bash: ispell: command not found
  • I like this analogy. Cars are created as safe as possible because if they weren't, car makers would be sued into the ground and then some. Simply put, Microsoft did not make their communications program safe enough. Car makers don't include a "Wheels fall off" button even though they probably could make such a thing, because it's not safe. "The button was clearly labelled and is properly documented in the User Manual as causing death when it is pressed."

    There is no good reason for a foreign Visual Basic file to be allowed to run in anything but a sandbox (a la java) by default. Microsoft made a huge gaffe in putting this functionality ("innovation") into their program.

    I admit that it's the user's fault in most cases "Ooo, I love you too! Let's click here!" and that most users are flaming morons, but that doesn't excuse Microsoft for making this sort of problem possible.

  • Of course. And if there were any account other than root for them to run this under, I'd agree. Failing to provide access control on system-critical files is a bug. When RedHat foolishly shipped piranha in 6.2 with inappropriate access control, they acknowledged it as a bug, which it was. Microsoft should do the same. It's that simple.

    Of course, anyone running an OS with such a fundamental, known WONTFIX bug is an idiot ** 10000. So, yes, Microsoft fucked up, but the person really at fault is whoever signed the purchase order for the windoze licenses. I recommend that affected organizations find and promptly sack that individual. He or she cost your company millions, not Microsoft. Microsoft just did what they do best - make it easy (for you to lose millions).

  • FDIV bug: corrupts individual calculations/data silently
    ILUVYOU: corrupts whole files completely and obviously

    In a lot of areas, the former is MUCH worse than the latter. Recovering from gross damage like ILUVYOU is simple if you have good backups. Recovering from subtle damange FDIV is a little tricker... most people wouldn't even know they were affected. And that is pretty scary.

  • Microsoft is right. The ILOVEYOU virus isn't a software issue, it's a user education issue.

    The problem is that the educated user is told to NEVER use the 'feature'. Not only does it add no value to an educated user, it REMOVES value by making them paranoid about harmless attachments like images, text documents etc.

    Perhaps the best move would be to remove the 'feature' and let the user get on with life.

  • When we discuss the Internet Worm, for example, the blame doesn't fall totally on RTM. A sizable segment of blame goes to the authors of the finger and sendmail daemons that the Worm used to thrive and propogate. Their careless programming caused the environment, and they should have been able to recognize the danger well before RTM started to code.

    Arguably, the finger and sendmail problems were coding errors, not designed in per se. The problems with Outlook et al. are the result of poorly thought out and designed features. I think the latter deserves more culpability than the former.

  • Yes, IMHO Microsoft and dummy user base are to blame.

    However, blaming and future suffering can be avoided simply by making mail clients etc. execute (if they have to) incoming programs as the user nobody. Of course, this requires an unix or equivalent security model; what did you expect? Of course people not knowing how to program should not have reasons to send executables to each other, but that's Just Another Flawed Thought.

    Uuh, I have been talking too much about this today: distributions [slashdot.org], application-executable/x -sh [slashdot.org]. Can't help thinking it's an important subject, actually.
    .

  • Both are companies whose products cause more trouble than should be fairly acceptable.

    Both should be far more restricted IMHO.

    There should be some limits to whom you can sell inherently dangerous products.
  • Microsoft made all it could to blur the distinction between opening a document (which is SAFE, and you don't need to trust anyone) and running CODE (which can royally mess up your system). THAT, in my not so very humble opinion, is why MS are to blame with the ILOVEYOU virus, and with all the Word macro viruses that came before. Any company with a tech clue *and* the willingness to let the tech clue stand before short-term marketing pushes would never have made it so easy to run untrusted crap. All the while Sun tried to make code safe in a safe sandboxed way (read, Java), but it was so heavy that people came up with these lighter 'scripting' solutions.... and completely forgot about implementing security.
  • The difference is that Outlook is NOT TELLING its user that it's about to run a script. To the user the actions (double clicking) are *exactly teh same* that the does countless times every day to open a harmless excel spreadsheet or whatever. With Linux and perl scripts, mailers are so little integrated that you have to save a program and then run it from the prompt, to run a script, and users are so used to the idea that you don't run unknown programs lightly, that it doesn't bother them us at all. Giving users a one-click way to run untrusted code is extremely bad UI design, whichever way you want to look at it, and it's solely MS's fault.

  • That trick of overwriting the jpg file with the script killed our technical publications department.

    Hopefully, this time, somebody will be fired for buying from Microsoft...


    --
    Here's my mirror [respublica.fr]

  • I like this analogy. Cars are created as safe as possible because if they weren't, car makers would be sued into the ground and then some.

    Puuuuhleeeze, kids, can you read " Unsafe at any speed ", by Ralph Nader? You'll seem much less ignorant.


    --
    Here's my mirror [respublica.fr]

  • Bill gate was on the TV Sunday saying that if Microsoft was broken up, the individual companies couldn't react to a problem like ILUVYOU and cited this as another crappy reason why MS shouldn't be hammered into several competing pieces. The asshole totally sidestepped the fact that it's BECAUSE of this "feature" collusion that MS has now that a virus like this is able to shut down thousands of machines.

  • I've lived in neighborhoods where most people would consider you at least partially at fault, and stupid, for not having bars over the windows. People adapt to the threats in their environment. Maybe Microsoft should do the same thing.
  • The point of the comparison was to show that Intel admitted its mistake and offered to replace the faulty part FOR FREE whether or not you actually had problems with the bug. Intel took one in the chin to make people happy with their products, M$ won't even admit their software has bugs most of the time.
  • For those of you who only use PINE for your email needs you need to understand some things about Outlook. It does not tell you if it is running any form of code embedded into an email message. If I were to send an HTML email to someone, Outlook would automatically process the HTML in it. The only way to avoid this is to turn off the preview pane and view all email messages in ASCII mode (which is how I like it anyways). IE4 and 5 do the same thing if you have a text document with HTML in it it will read and render the HTML even if the HTML isn't properly coded. This is why geophile can compare FDIV and ILUVYOU. Microsoft and Intel both designed and sold a product which could be taken advantage of to do a bad thing. M$ should take responsibility that their software has a fault which lets someone send you a macro virus or such. This is supposedly why one pays M$ for their software. If a company puts a warrenty on their software they need to back up that warrenty if they didnt do what you paid them to do.
    The PINE users are also probably people that say if people used Linux they wouldn't have these sorts of problems. The people who open up attachments and forward "cute" programs or joke on AOL are the sort of people who would run around on the net as root and get themselves into trouble. One might say "well why wouldnt a Linux distro be responsible if they messed something up" and one might think they were so smart. I would simply point to the GPL "this software is provided without warrenty" to paraphrase. You're made aware that you are using GNU software with no warrenty, commercial apps (which cost beaucoup cash) do have a warrenty and therefore ought to be responsible for doing their jobs. In the case of ILUVYOU I think M$ should offer some sort compensation for people who got their system trashed. The end user needs to learn to be careful but then M$ should learn that executing scripts in e-mail by default is just asking for trouble.
  • to answer the question you've asked a million times -- it has nothing to do with the preview pane. Outlook has a setting to automatically open attatchments (which is off by default) that would (and did for many people) run the VBS file automatically.

    The foolishness is in people enabling that idiotic setting, in MS putting the setting there, and most of all in MS making "high security" (the setting email runs under in "internet options") still capable of running javascript, cookies, vbscript, etc. I don't consider that "high security" and if MS would change that one default half of these email viruses would die oevrnight because you would have to save and execute the file as a separate step -- no double-clicking to open a script file...
  • (just read the "ammunition" link in pb's post)

    Now, IIRC, Win 3.1 had a virus checker. Maybe it was separate from Windows and the PC maker included it on mine, maybe it was really a tool that MS bundled with Windows. Either way, what the fuck happened to the MS virus scanner? It seems perfectly reasonable to me that Microsoft is better equipped than anyone to protect against the potential pitfalls of their products, yet every virus scanner that they list here [microsoft.com] is a third party.

    One of two things (that I can think of in the few moments that I am spending with this comment) caused MS to drop MS Anitvirus. Make that three.

    1. Bone-headed managers at MS care about things other than security in their products and forced MS engineers/programmers/drones to work on Features (Not Bugs) (tm).

    2. Bone-headed managers at MS couldn't justify the expense of maintaining the tool when so few customers used it.

    3. Bone-headed managers at MS are convinced that MS engineers/programmers/drones actually do have a handle on the full import and far-reaching affects of every last line of code, and therefore each bug (in their mind) is The Last Bug.

    4. (I'm up to four now) Bone-headed managers at MS made deals with third parties not to produce an antivirus tool in exchange for some easy money from said third parties. Note to DoJ: are you getting all this?

    5. (five) Bone-headed managers at MS really do think these things are Features (Not Bugs)(tm), and therefore do not believe the phrase, "It's a feature, not a bug." is an excuse, but a real explanation.

    So, out of these five choices, which one is not to blame on MS management? I'm sure there are other explanations. I'm am also very confident that any other explanation would involve bone-headed managers, since rampant bone-headedness anywhere else in the company is ultimately the fault of bone-headed managers (for not fixing the problem of bone-headedness).

    This is not a problem that will go away. It is also not a problem that anyone can solve, because products will not get better until people start looking for alternatives, which they may, but don't hold your breath because (average) people don't care enough about this problem to look for an alternative. The solution to this problem in the average mind is not a secure replacement, but a band-aid that will cover it up. It comes from the notion that certain software can fix other software, the same way a certain part may fix a broken car or a certain glue may fix a broken vase. What people don't understand is that this principle doesn't apply to software. It's either good or bad and no other magic program exists that can "fix" any flaws.

    This situation will not change for a long time... about a generation or so. It won't be until then that enough people understand this idea about software, or really even understand what software is. Everyone here gets it, the same way all the grease monkeys who hung out at the corner garage got internal combustion in the 1930's. It wasn't for another couple of decades that it occurred to most people that exploding gas moves some parts in the engine to make other parts spin, which spins the wheels, which moves the car. Given the rate of change in technology, I wouldn't be surprised if it took fifty years before J. Random Consumer finally knew that a program is basically a long line of data, and that there's a circuit that does what the data says to do to other data.

    Is MS to blame for the security problems in its products? Yes, absolutely.

    Are average people to blame for choosing that software? No. Or at least not to the extent you and I who understand the issues would be to blame for it.

  • I actually ran into a problem with the FDIV bug in a real-world application I was working on. I had written some code that ran inside AutoCAD that was being used for design automation of steel joists/girders. The code was obviously very floating point intensive (lots of trig). While the code ran just fine on a Micron P90 machine I had and several 486's I tried it on, it failed on one of the customer's nearly identical Micron P90 machines. The only difference between the machines? The machine that was failing had an FDIV afflicted P90, while the one I had was a later stepping (despite being purchased before the failing unit). The customer swapped out the bad CPU for a good one under Intel's recall, and once the good CPU was installed the code worked without any problems.

    While I'd agree the problem rarely caused problems for people, it did in at least one case cause someone (mostly me) some real grief. It also costed someone (my employer) some real money, in that I spent quite a number of hours troubleshooting the code and comparing the two machines. Given that the customer was about 800 miles away, they also incurred some additional costs in travel and shipping hardware to me for testing.

  • Somehow, I feel we're missing one of those VISA priceless moments...
  • Microsoft added the feature of e-mail file attachment handoff as a way of ferther imbeding Windows.
    It means that you MUST have Microsoft products to read your e-mail (when someone sends you an MsWord document).
    Back before Mallisa I often told people to only send me RFC text e-mail. Some were sending Netscape HTML e-mail and some were senting MsWord file attachments.

    Then came the virus... now even stanch "Windows is Great" people reject file attachments and I only get RFC text. All is happy again...

    The problem with Microsofts plan was multifold. The e-mail virus rummor was allready out hense the idea was allready out there.
    The programs the attached files would be handed off to were NOT made with a secure environent in mind.
    The Ms Word dev team expected that any given Ms Word document originated from within the office or from the same computer. Who shares wordprocessing files in the processors own specal format? No one.
    The dev teams of other office applications had simmiler ideas. Files are shared inner office not nation wide. Anyone who has access to the files are by default allready inside the security loop theres no need for an additional layer.
    So fire all all kinds of cool features. Gotta make a better product right?

    Then comes the monster.. the feature/bug... now files are comming from OUTSIDE a security loop. Oops..

    It's to late to secure the Office apps and make the network secure.
    So what should Microsoft do?
    Remove the stupid feature...
    It isn't doing what Microsoft wanted... It will NOT lock anyone into any specal formats...

    Oops!! To late.. Now Microsoft can not even to THAT.. Why?
    KDE included a feature in kmail to do the same trick with a twist.. kmail passes files only to secure network applications. No passthrough to any wordprocessor.. but passthrough to RealPlayer... passthrough to PDF... passthrough to an MP3 player.. Applications expecting files from OUTSIDE a security loop so they don't have neat features that could make innocent e-mail attachments into viruses...

    Also Unix apps tend to have a small note of paranoia.. Unix is a secure system and admin like to read the source code. But they don't have time to read clearly so anything that LOOKS dangerous might make an admin think twice before installing. Could start rummors... and the Internet is good for paranoid rummors..

    Microsoft apps tend to have a more "feature frenzy" addatude. Don't worry about side effects just add the feature. Flood it with features. New features to the left new features to the right. Features features features. Oh and yeah and we added FEATURES...

    As such most Unix apps are network secure while most Windows apps are not.
    There are the few.. the proud.. the odd man out...
    But it's rare...

    And if there is a way to expolit a feature it is usually not known (In the case of e-mail viruses it was SOO known it's insain...) so it'll take a feald expert to find the bug and report it back.
    With closed source this isn't an option. The bug will become known by a cracker and exploted...
    With open source... the bug is known and fixed...

    problem solved...

    With e-mail viruses...
    First the rummors....
    Then BBS e-mail ANSI Bombs.. and the bug fixes
    (In terminal programs, BBSes and in alternitive ANSI.SYS drivers...)
    It was a known issue...
    The first chance Microsoft gets to imbed every Windows application into e-mail they go for it.

    Now every KDE application will be imbeded in e-mail... Microsoft screwed themselfs roally this time...
  • > It's a VBScript that runs using the Windows Scripting Host.

    .vbs = Virus Bearing Script ?

    --
  • There is a big difference here. Whether it ran automatically, I don't know.. but the ILOVEYOU virus only affected OUTLOOK, *NOT* outlook express. It made mapi calls to outlook.....
    ONLY outlook, not outlook express.

    And remember, outlook and outlook express are completely different beasts. You can't assume things about one from the behavior of the other.
  • Seriously.
    vbscript in windows is NO DIFFERENT than perl script.
    We aren't talking about something embedded in HTML here. We aren't talking about something that needs a good security model. We are talking about something that is NO DIFFERNT than perl, or bash, or anything else.
    IT WAS A RAW SCRIPT, NO DIFFERENT THAN IF I MAIL YOU A PERL SCRIPT AND TELL YOU TO RUN IT.

    The only difference is the users. If I mail you a perl script, and tell you to run it, you will chekc it out first. Windows users do not have this instinct.

    THIS DOES *NOT* RUN AUTOMATICALLY! THE ILOVEYOU CRAP *ONLY* SPREADS BECAUSE *IDIOT RETARD USERS* RUN IT!
  • Bad analogy.

    <<It's easy to argue that this isn't Microsofts fault, until you compare it to GM shipping products that failed so badly in crash tests.>>

    In the case of things like the Melissa virus, this makes sense. But this is not such a case.

    This has nothing to do with Outlook, or how it was designed.

    The way ILUVYOU works is to send an e-mail with an attachment: A standalone script written in VBScript.

    <<Windows can't be locked down enough to stop this stuff, ergo, it's intrinsically faulty.>>

    What can you do on Linux, or Solaris to stop a malicious shell script, or Perl script attached to an e-mail?

    If the recipient chooses to execute the script, then he or she will be subjected to whatever any other program can do.

    The ILUVYOU script is smart enough to read Outlook's address book, but it could as easily read any other e-mail program's address book. ILUVYOU also interacts with mIRC to spread itself that way. Is mIRC at fault? Of course not.

    The only "solution" would be to run every single program in the OS under a sandbox. That's not a realistic option, even if you could write a provably secure sandbox.

    This worm could as easily have been a Windows EXE file. There is no functional difference here.

    NT, like *nix has file ownership constraints that limit the extent of the damage that can be done. That's all that can realistically be done.

    I'm not exactly a fan of Microsoft, but given that *nix is susceptible to the exact same sort of attack, I can't blame them here.

    -JF
  • Melissa and other such virii work by infecting Office documents with malicious code. You can attribute this then to Microsoft for at minimum, not taking proper precautions with what an Office document can do.

    ILUVYOU on the other hand, is a standalone VBS script. It is not part of an Office document. Being such, it really is no different than any other executable.

    The ILUVYOU worm would work on any Windows based e-mail program that followed the association of .VBS files to Windows Scripting Host -- not just Outlook. The worm's author simply chose to read your Outlook address book however. It could have as easily been your Eudora address book, but realistically, more people use Outlook, making it a better choice of attack.

    Sorry, but this one aint Microsoft's fault...

    -JF
  • (standard disclaimer - IANAL)

    "If a company puts a warrenty on their software they need to back up that warrenty if they didnt do what you paid them to do."

    I agree fully, however...

    "commercial apps (which cost beaucoup cash) do have a warrenty (sic) and therefore ought to be responsible for doing their jobs."

    Oh, would that it were true...

    Even if commercial apps come with a warranty, they also come with End User License Agreements (EULA) which turn right around and disclaim any liability.

    And with the DMCA and UCITA, the companies are trying to codify this lack of liability (read: responsibility).

    Seriously, when have we seen a case where someone who was harmed by a computer product has successfully forced the company to take responsibility? You might find a couple of such events, but I consider it unlikely.

    Microsoft has built poor quality, buggy software for years that, by it's very design has security holes, is full of bugs and pretty much does whatever it (they) damn well please(s). It doesn't even do what you tell it to do, let alone what it says it will do.

    I seem to remember installing Win95 and telling the installer not to install MSN... and whattya know, install is finished and there is a big shiny icon right on the desktop for MSN. And try to avoid installing IE on any of the newer products without going through the gyrations of having to download 98lite, get an old CD of 95, etc., etc.

    In any other industry, lawsuits would instantly drive the company into bankruptcy. But not Microsoft (and other software manufacturers), because a shrinkwrap license and EULA says that they are not responsible.

    My Win95 example is not an example of just negligence where there might be a gray area, it's out right fraud. They want you to have something on your desktop whether you want it or not. If we are a country based in law, how come someone has the ability to contract away their liability for fraud? And why aren't more people jumping up and down about it?

    For example: If Ford were to manufacture a car with air bags and an explicit warning that they will go off in a front impact at 35 mph, yet they designed the system to go off at 25 mph (for the drivers safety) and they had a disclaimer (EULA) in the owner's manual that said they were not responsible if the air bag goes off at 25, would they not be guilty of fraud? Could you not sue the hell out of them?

    I guess Ford hasn't given enough money to legislators to have law passed specifically exempting cars from having to perform as advertised.

    Yes, some people pay for MS software thinking that they have some recourse if it fails to perform as advertised. (Others pay for it because they don't have a choice.) But of those companies which have attempted to recover damages when (note: not if, when) it fails to perform, have any actually been successful? I can't even get a refund from an OEM hardware manufacturer when I don't want to use the preloaded MS products... and can't buy their hardware without the MS product in question preinstalled.
    (I know that this is changing somewhat in that I can get Linux preloaded from some OEM's but the problem is still widespread.)

    In short, companies warrant software and then remove their liability in the EULA. This is the same as having no warranty at all.

    At least the GPL is up front about it. :)

    Actually, wouldn't it be at least misrepresentation if not outright fraud to state that you have rights under warranty when the EULA says that you do not?

    What a sad state of affairs this is.

    Russ
  • Think about it. The script sends itself to people in your outlook mailing list. How could it get the list if outlook wasn't running? The fact that it still worked when you started it from Eudora should prove that it isn't Microsoft's fault, at least any more then Quallcom's(sp?).

    VBS is a scripting language, just like anything else. Java, C/C++, Perl, anything. Perhaps the outlook shouldn't run program/script files when you click on them, but it's no different then any other mail program for windows/Mac
  • Wrong. A user clicks on an email message, and their email client automatically starts running an attached file

    NO NO NO and I'm using my +2 for this.
    the ILOVEYOU virus requires direct user interaction. They see an icon and some text telling them to click it, it dosn't start running untill they do.
  • Point being, if you make software that enables a fscking email to access/erase files on your disks, and automaticly send itself onward to everyone in your address book isnt the prime cause of this? Come ON.

    No, they made a scripting language that does this. Just like you can put an rm -rf * in a bash script file. It isn't hard. In order for ILOVEYOU to run, the user spesificaly needs to run the file themselves There isn't much MS can do about this, is there?
  • Is someone else responsible for their piss-poor OS design?

    This has absolutly nothing to do with the OS design, but rather with there applications. If Outlook exspress ran on linux, the exact same thing would happen.

    Ask yourself this, what constructive purpose can there be for an email client that can change system files? Why should an email client be caused to generate messages by another message?

    There isn't, but then, there isn't an email client that can do that on its own. ILOVEYOU is a script that is sent, allong with some text telling the user to run the script. The exact same thing could happen in Linux or any other system with scripting capablities (I could send you a shell script in an email and tell you to run it, if you were stupid, I could do basicaly anything I wanted. In fact, thats exactly what happend here)

  • no (Score:2)

    by delmoi ( 26744 )
    I know how outlook works, and I know a little about how this trojen works. It is not run when you look at the email, but rather when you run the program that was attached with the file.

    you need to explicitly run the program by for it to do anything. Just looking at the email does not run the code!
  • Being able to send bad code isn't the issue. The problem is the receiver having no choice as to whether or not the code is run on their system, hence providing (potentially malicious) third parties the opportunity to do as they wish.

    The code in the ILOVEYOU virus is not run by default.
  • Just a note, but from what I understand, the email client doesn't actually do anything to system files. The virus is a VBscript attachment- when you run it, it runs just like any other program run on your computer- the email client itself doesn't "do" anything. The virus then does _use_ the email client to spread the virus, but again- it's the VBscript attachment running that doing it, not the email client itself.
  • Hi. Please bother to READ the comments you are responding to- they didn't have Outlook, but they did have Win9x. VBS scripts will run regardless of whether or not you have outlook.
  • Don't be silly. Running the virus still could have wreaked havoc on the machine- it just wouldn't have been able to replicate itself.
  • Fact: Who cares anymore? This kindof shit will continue to happen for as long as we have computers. It is human nature to figure out ways to screw up the system.

    That's right for some home user's system. But I disagree on enterprises, they should have an admin that sets up things so that users cannot destroy anything but their own data. And their own data should be backed up automatically for them - period. The system must be idiot-proof. If you cannot do this with Windows in combination with Outlook, use something else.
  • There is a significant difference, though. A Colt firearm functions exactly as expected by the user. No sane man expects to shoot something and have ive cream and strawberries rain down on his target; he expects the target to get a hole through it. Unfortunately a lot of users expect a Microsoft OS to help them get work down. They're terribly wrong, of course; a Microsoft OS gets in the way of work.

    MS Windows: less elegant than X/Motif, less stable than Mac OS. MS Windows: The choice of a foolish generation. MS Windows: You'll pity the dead. MS Windows: You can't be this bad by accident. MS Windows: Designed to lose.

  • You're right and you're wrong. Security in software doesn't usually mean that the company who wrote the software actually harmed your computer, just that they left open the possibility for others to harm it. Which is what Microsoft did. Consistently Microsoft has trampled security in the name of "features" and then pointed a finger at their competitors and said, look they don't have this "feature". That practice, through the variety of bugs attacking DOS and Windows systems over the years, has arguably cost trillions of dollars. That's just flat out insane and it's time that someone called Microsoft on it. A feature that leaves you so easily open to malicious and extremely damaging attacks is a bug. Microsoft really needs to understand that point and stop "innovating" the American economy into a sinkhole.

    -Mike
  • >I blame people who write e-mail programs that don't just send text, or try to run applications. Elm never does this to me.

    What terminal emulator are you using? Can I send you some email? There have been abuses of elm in the past and it can run code since the trojan writer has all the unix tools to play with.

    How is this done?

    Use escape sequence that reprograms a key (like enter?) and then send a sequence to send the message to the shell '|/bin/sh' works nice and then see what happens.

    Now most terminal emulators don't have these sorts of "reprogram enter" feature but since they are in the VT100++ specs then do find their way into programs.
  • I haven't actually yet seen a live ILOVEYOU. But my understanding is that it comes as an email with an attachment which has the file-name extension '.vbs'. Anyone who would open an attachment with a filename extension they didn't recognise (oe one they did recognise as being that of a scripting language) is in my opinion to stupid to use a computer.

    This is not really a Microsoft issue, frankly, in my opinion. It would not be difficult to write a Perl script which when run mailed itself to everyone in /etc/aliases, $HOME/.mailer-of-choice/address-book, and so on. Then, if you encapsulated that in an email, you would in effect have produced a Linux version of ILOVEYOU. Mind you, of course, I don't know of any Linux mailer which comes out-of-the-box where the default action when an attachment perl script is selected is to run it...

  • The blame for this falls on the shoulders of the virus(?) writer(s) and the users stupid enough to activate it. [...] There's no security hole unless it's the one where the users brain shoulda been.

    That's a valid opinion. However, if you believe this then you *can't* tell people that UNIX is harder to use than Windows. Sure, some of the programs may take longer to learn. But almost no popular UNIX mail reader would let you execute arbitrary code by accident (and it wouldn't be running as root even if you were stupid enough to do it on purpose).


    IF you think UNIX is too complicated for someone, then being happy to have them sitting one inviting click away from disaster is a big mistake.

  • If someone can write such a simple virus in visual basic, there is *something* wrong! (Both with M$ Windows and Outlook)

    Wrong. The power behind the technology that made the script so trivial is a good thing. The problem is the security model behind the technology that makes the damage possible. Remember, technology is positive when the creators put the interests of their users before their bottom line.

    The real problem is Microsoft has so many apologists covering for them, they have no real incentive to put out great technology...good enough to get out the door is fine for them.
  • If this article were posted as a comment, I'd be inclined to moderate it down as Troll material. Slashdot is really starting to annoy me: I'm as virulently anti-Microsoft as can be (slice & dice & baste & broil the fsckers, if you ask me), but this is just ridiculous.

    In additon to, or perhaps I should say above & beyond my loathing for Microsoft is a deep respect for sound, rational, logical thinking. And this article shows none of that. Are email macros a lame idea? Of course. Has Microsoft handled the situation badly? I wouldn't argue that. But it's inaccurate to compare Intel's bug to an exploit against Microsft's design ineptitude.

    There are some interesting points hinted at here. To draw some parallels -- are gun manufacturers responsible for gun deaths? (No.) Are auto manufacturers responsible for their design defects? (Sometimes.) Are tobacco companies responsible for smoking related deaths? (Not enough, if you ask me.)

    this scenario seems to fit that pattern. Under the law as I understand it (IANAL), a company is responsible for damages directly resulting from the normal their products (not sure why Colt et al get excepted from this -- probably 2nd amendment nonsense), but indirect damages or damages caused by improper use of the product are not generally a liability. All the macro-type stuff that Microsoft allows is, while colossally stupid, probably well intended. There has to be some marketing drone in Redmond that actually thinks these things are a good idea, and the fact that someone is exploiting that "innovation" maliciously is, while predictable, not something that Microsoft is really liable for.

    The Intel case is a little bit different, in that under normal usage the product would cause errors. Maybe not enough for anyone to notice, maybe not enough to bring about a lawsuit someday, but enough to be noticeable under certain conditions. I think they had a little bit more to be worried about, and their PR response was the Right Thing To Do To Cover Their Asses. A parallel gesture from Microsoft would be appreciated, but I'm hardly surprised that it hasn't been forthcoming -- like I say, they seem to genuinely believe that the benefit of these extensions outweighs the considerable burden they bring.

    Slashdot is getting more & more prone to encouraging this kind of rubbish. Or maybe not -- maybe I'm just starting to notice it now. But anything that plays the Party Line gets carried along (M$ bad, open sores good, hardware neutral therefore acceptable, overclocking better, ad nauseam). I just metamoderated a perfectly reasonable post about the dangers of overclocking that had for no clear reason been marked as a Troll. Why? The person was making a perfectly reasonable argument about the subject, and raised some important points. But, the Party Line was crossed, and the result was inevitable.

    Like I said at the beginning, I'm as anti-Mocrosoft as any of you ("Burn Burn! Die Die!" hahaha) but give me a fscking break, guys. An article like this hardly cuts it as news. I can think of something far worse than Microsoft has ever been: the Pack Mentality. Clearly, we're hardly above that around here...



  • Do you have a source for this statement? The fact is that there ARE reports of this happening, which is better than what I've seen to back up your claim (i.e. nothing).
    --
    No more e-mail address game - see my user info. Time for revenge.
  • You seem to be in a very vocal minority with that point of view.

    Yes, you have said it way too many times. And you have nothing to back it up. There are firsthand accounts of it happening posted here. Are you saying those people are all liars?

    --
    No more e-mail address game - see my user info. Time for revenge.
  • Examples: Melissa, BubbleBoy, ILOVEYOU. Enough said.

    Yes, I know you think these can't be run automatically under any circumstances. I'll eat my words if you show me some facts to prove that.

    --
    No more e-mail address game - see my user info. Time for revenge.
  • Please stop posting "facts" like that without any backup for them. I'd be willing to believe you except that I've seen many reports (firsthand, even - though you'd say they were just lying) that say it CAN run in the preview pane, and nothing to back up the fact that it will NEVER run in the preview pane, except for you and fougasse spamming Slashdot about it.

    You've honestly tried this in every single version of Outlook? Or heard from a reliable source who has?

    --
    No more e-mail address game - see my user info. Time for revenge.
  • Just one correction here, ISP working friend of mine tells me that you don't actually have to run this particular one... the preview pane in outlook is enough to run it, apperently.

    This is false.

    A proof-of-concept virus which runs when rendered in the preview pane of Outlook Express, and in the full view pane of Outlook, exists, (called Bubbleboy IIRC) but this worm has nothing to do with it. Furthermore, "all" that vulnerability allows is for arbitrary code to be saved (in plain view) into your StartUp directory to run upon reboot. In any case, MS issued a patch for this months ago.
  • Arguably, the finger and sendmail problems were coding errors, not designed in per se. The problems with Outlook et al. are the result of poorly thought out and designed features. I
    think the latter deserves more culpability than the former.

    No, they were design errors pure and simple. However, the authors of finger and sendmail ought to be cut a good deal more slack than MS, because security issues had never before been a high priority for software development, and they couldn't really be expected to foresee the types of problems a global network would expose their code to. Remember, finger and sendmail were both written to be used on internal networks of trusted clients, not on the wilds of the Internet.

    In the case of Outlook, we'd had years of experience with network security for the designers to draw upon. Unfortunately, they seem to have taken the same trusting mindset which characterized the pre-worm versions of finger, sendmail, et al--which is truly inexcusable.

    On the other hand, there's nothing about this worm that couldn't be replicated by a script designed for any other email program. Yes, even Pine. Someone using Pine would have to type ^S to save the attachment, and then run it from the command line, but this isn't functionally any different from clicking on the "attachments" paper clip and clicking on YOU-MUST-BE-AN-IDIOT.vbs. Everything this trojan does could be accomplished in user-space in a Unix. The only real difference is that most Pine users are smart enough not to run a suspicious script they got in their inbox.
  • Of the three, only BubbleBoy can be run automatically, and only then if the user is running an unpatched version of IE. (The patch has been on Windows Update since last fall.) Furthermore, a BubbleBoy type virus requires a reboot to do any damage (it can only write arbitrary code, not execute it).

    Don't have time to find documentation, but I'm entirely positive of this.
  • Not the same deal.

    1. A "malicious" bash script can not make itself run as root.

    The original ILUVYOU trojan doesn't do anything that would require root on a Unix. All it does is send itself to everyone in your Outlook address book (equivalent to sending itself to everyone in your Pine address book), make changes to *your* registry to run itself upon reboot (equivalent to writing a script in a user's home directory), and write itself over .jpg, .mp3, .vb, .vbs, and .awholelotmore files (all these files would be in user space).

    The FunnyJoke variation overwrites some system files, so that would arguably need root on a Unix.

    2. I believe (may be wrong on this) that the thing "looks" like a text file if you have "known extensions hidden" as per default.

    If you have "hide known extensions" enabled then it looks like it's named "blahblahblah.txt". Problem is, if it was really a txt file, it would just look like "blah blah blah", since...you have hide known extensions enabled. Tricky, yeah, but not really MS's fault. Furthermore, the little icon next to it looks like a .vbs icon, not a .txt icon.
  • Can you please back this assertion up with even one citation?? If this virus could run from the preview pane, the information would be all over every media story on the virus.

    But I don't even need to see the fact that every media source reporting the "preview pane" rumor has since retracted it to know that it's not true. I've read the damn virus code. I know how it works, and I know how the (since closed) preview pane vulnerability worked, and this simply ain't it.
  • Considering this worm runs itself through the preview panel, in Outlook that is, I find it hard to blame 'stupid' users, especially when most people know the damage .exe files can do to their system. "Don't run executables from people you don't know," didn't do much for ILOVEYOU.

    Microsoft targets its products to new users, hey we were all ignorant once, I put the blame squarely on MS and the IT managers who use Exchange and Outlook for critical services. The 'stupid' user *should* be using software that is secure, false advertising and forcing users to use unsecure software at work is not their fault.
  • This article is sort of pointless. I do appreciate the comp between the companies' handling of the bugs; argueably the vbe scripting thing is a feature for some people, but for most, it's a problem. I really am shocked that no one in the media is railing MS for such a big security hole that they created intentionally. I mean, past saying that it only effects Outlook, shouldnt they be putting some blame on MS and not all of it on the hackers? I mean, if you cover yourself in horse blood and swim in a shark infested area, its not all the shark's fault is it?
  • The -only- significant difference is that Outlook makes it trivially easy to open and run attachments.

    I'd like to clarify- more than "trivially easy", the Windows interface (and the WIMP interface in general) don't clearly separate the difference between opening a file and running a program. For computer beginners, this is a subtle and tricky distintion- especially with the inclusion of scripts into documents further blurring the line.

    I don't know that there's just one thing to point at to blame- Microsoft's overemphasis on (and poor implementation of) "integration", poor user training, bad security settings, etc.

  • >Well if you leave yourself logged in, I can easily edit your login file with this line:
    alias ls 'rm -R *'

    Let me explain why this is not the same.

    1. This will not effect system files. (unless "I" walk away from a root login, in which case, you own the system anyway, and "I" am just an idiot.)

    2. If you do something to break the system under my login, then, from an OS design point of view, it is ME DOING IT.

    NO SYSTEM CAN PROTECT AGAINST A PRIVILEGED USER WITH MALICIOUS INTENT!

    So the question is WHY SHOULD EMAIL ATTACHMENTS RUN PRIVILEGED BY DEFAULT.

    The answer is that they shouldn't, and that allowing it is piss-poor design.

    -Peter



    Slashdot cries out for open standards, then breaks them [w3.org].
  • Not the same deal.

    1. A "malicious" bash script can not make itself run as root.

    2. I believe (may be wrong on this) that the thing "looks" like a text file if you have "known extensions hidden" as per default.

    -Peter



    Slashdot cries out for open standards, then breaks them [w3.org].
  • Here's the deal, though. The virus was targeted toward luddite users who don't know what a .vbs file is. They may know what an .exe file is, possibly know what .com and .bat file are, but assume everything else will open in word. After seeing .doc .wpf .xls .msg .html .htm .gif .jpg, etc, they get really confused. They don't know what these files are. They just know that they double-click them and see what's in them. I know it's hard to put yourself in that position. I can't even remember if/when I would have been that dumb. I do know that I speak with technicians every day who are still unclear on this concept.
    Think about this, you recieve an HTML file from a friend. The subject line says that it's the funniest damn thing they've ever seen. How do you feel about opening it? I personally wouldn't have too much of a problem with it! It's just an HTML file. Right? Consider this, luddites (like Lars Ulrich) don't know that a .vbs is anything different than an HTML file! Those that know better don't open wierd shit. They save it, maybe open it with notepad, but don't open it right away. These are the kind of people who don't even need antivirus programs, and this particular virus isn't targeted at them.
  • To use a car anology, if micros~1 made cars with "Active Gas 7.0" and had a gas tank with no gas cap, the contents of the gas tank would only "become unstable"(boom!) when a "mailicious hacker" tossed in a match or the owner of the car was given a match from an "untrusted source" and the "Active Gas 7.0" Atomagicly exploded the gas tank before the owner of the car could say or do anything.

    The problem is that micros~1 has no regard for the security of their users and has no security model between their mail client and their scripting language. The lack of even the most basic due-diligence performed by microsoft in this regard is abhorable and they should be punished to the maximum extent of the law.
    ___

  • I've read a lot of post here on /. arguing for one side or the other in this LUVYOU matter. Some say it's a bug, some say it's a feature.

    The bottom line is this has caused more than 2 Billion dollars worldwide in lost productivity in less than a week and microsoft should be made to pay some kind of reporation for their actions.
    ___

  • Re: " In this case, it's impossible for a "malicious hacker" to simply toss in a match: users have to receive the matchbox, open the matchbox, be warned by their gas tank that the matchbox may contain a virus, and then finally choose to ignore the warning and light the match themselves."

    As other users have pointed out [slashdot.org] this is simply false. With default settings, none of these things happen. What's more is micros~1 has gone out of their way to hide the ILOVEYOU.TXT.VBS extention from the user.

    Making a mail client that automaticly runs a script when the message is previewed is not a feature. The decision to implement this bug is anolgous to leaving your gas cap off the tank. Parts of the operating system are volitile when fucked with and should be treated that way.

    The fact is, micros~1 used their monopoly position in operating systems to bundle explosive tools (Lookout+VBscript+windows-security) that, in the wrong hands, caused billions of dollars in lost productivity and they should be held acountable.
    ___

  • I dunno about you folks... but I am not complaining that MS finally created a useful script format. .BAT was insanely outmoded, and everybody knows how useful shell scripts are right? Well .VBS is the equivilent for the Windows world!

    The virus could have easily been written to target UNIX users by attaching a virulant shell script that gathers adddress from the NN address book and fires them off via sendmail. It just doesn't happen because UNIX users are generally smart enough not to execute a shell script sent through a form letter without proper explanation or examining the source.

    The problem here is that so many incompetant (and obviously love-starved) people use Outlook and just run whatever attachments are sent to them. As Linux builds in popularity, a trojan like this will start to affect us as well (well maybe not US, but UNIX systems).

    The solution here, as always, is education of users. I don't want MS to disable .VBS or VBA macros in Word/Excel because they are extraordinarily useful to me, not to mention thousands (?) of other NT system administrators and Office power users.

    -rt-
  • Microsoft is _not_ to blame for the recent ILOVEYOU trojan horse. (1) This is a trojan horse that takes advantage of attachments, regardless of OS or mail reader, someone could mail you a trojan horse. It is up to the user to avoid trojan horses.

    This is quite simple not true. On a system with a concept of different security levels, the user can only affect things writeable by that user. The user could hose himself, but not the computer. As a bonus Unix mailreaders are set up by default to save executables to files, not to execute them. Some of them are set up to display DATA, but NONE are set up to automatically run powerful executables.

    So no, you cannot write an effective trojan horse virus on any system. Just any system designed without ANY security concept in mind.

    (2) People claim that MS Outlook's easy access to the address book is a bug. Does that also make the vast majority of unix based mail readers (pine,elm,mutt) buggy since I could easily write a trojan horse to take advantage of their address books?

    Again, you CANNOT write an executable that will automatically be executed by the users of pine, mutt, and elm. Maybe you should try it. For me it goes something like this.

    Step 1). Save executable to disk
    Step 2). Think if there is a REALLY good reason to run the executable.
    Step 3). Think about how trusted the source is.
    Step 4). Delete executable.

    The basic point is that the Unix mailreader is set up BY DEFAULT NOT TO EXECUTE CODE. That is a safe default, and it is one of the strong points of a SECURE operating system (see openbsd.org for discussion).

    This problem has one and only one cause - an operating system and mailreader designed without thinking about security AT ALL.

    As a bonus it is always fun to watch the marketing scams pulled in the aftermath of such a debacle. Microsoft KNOWS their users, by and large, will NEVER patch anything, and will NEVER change most shipped defaults. And they set up the machines insecure by default anyway.
  • The 'feature or bug' allows third parties the opportunity to wreak havoc with the users' system - in a corporate environment that's unacceptable. Unlike with the oxygen in the atmosphere, MS knew that malicious individuals would try to exploit any vulnerabilities in their software, and should have put a little more forethought into their design.
  • The mac crowd for both going neener neener neener, ours is immune to those(sound of mac crashing anyways)

    hmm... good point. from now on i'm gonna have to write my virii in java

    ---

  • Poor fougasse. Nice to see someone trying to defend against the FUD being passed around on Slashdot--it really is a shame when the educated Slashdot users take hearsay as fact.
    Not that I think that MS couldn't have some sort of prevention for this kind of bug--instead of warning you about _every_ e-mail attachment equally, it could have the decency to not warn you that the .txt file you're opening could contain a virus, while warning you extensively when you're opening a danger filled .exe, .vbs, or the like.
    That aside, like I said--it's good to see someone sticking up for MS against made-up security holes.

    ~=Keelor

  • I have looked through the virus source code several times myself and, while I know an arbitrary almost-nameless Slashdotter has little more credebility than a barnacle, I want to state that I cannot find any suggestion of infectability through the preview pane in the version of the virus I received. My understanding is that the only way to run code in the preview pane is to have html content with client script. The code that puts content into the e-mail that spreads the virus simply reads:
    male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
    male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-Y OU.TXT.vbs")
    The only HTML being written in the virus code, as far as I can see, is to a file called "LOVE-LETTER-FOR-YOU.htm" which is only spread through IRC.
  • Sorry, wrong. I was curious as to how much damage it could do. I opened it up in Notepad, saw what it did, and protected those files. I then opened the email IN EUDORA, NOT OUTLOOK. I clicked the attachment, and Outlook opened up. I got a message asking to make Outlook my default mail program, I cancelled, Outlook closed, and the script still ran and infected my computer. It didn't even show up in the Windows 98 task list to shut it down.

    Personally, I think it is shoddy programming on Microsoft's part. At least Sun had the decency to forbid Java applets from messing around with resources local to the machine they run on, such as memory and disk files. Automatically run VBScript? Fine, no problem there. Let VBScript erase files without prompting *from Outlook*? Hell no. You want to write a VB executable, let it do anything you want. But once you open up the hordes of ignorant Outlook users to this "feature," you are asking for trouble.
  • On the corporate network at the office, the preview pane would NOT initiate the script. It would appear as an icon, and then if you clicked it, you were suddenly thrust to the bottom of the gene pool. Since e-mail is such an important part of corporate communications, after IT turned off our servers for precautionary measures, we got to play around with it. :)

    btw, we had more inicidents of the macro being spread by people double clicking "infected" files on networked machines that didnt even have mail clients installed. That trick of overwriting the jpg file with the script killed our technical publications department.


    Paul Bryson
  • I can't agree with the "Probably $0" on the public cost of the Pentium bug. I had recently transitioned from a research position to the computer field when the Pentium bug was found. I remember it being a *real* concern for researchers who were using Pentium machines for statistical analysis of their experiments. Their experiments were in many cases recursive and with this obscure error in the mix, they became unable to feel they could confidently report on their results. It effectively required them to redo, in some cases, years of work in order to verify their results before publication. Especially difficult for them was a key question - who would pay for the time to redo when the original research time had been paid for by a one-time grant fund that was now all dried up?
    Also - consider the cost of the time involved on the part of any company that sold a customer a turn-key package system based on a Pentium computer with a bad chip: that company might have had to fly a tech out to the end user to replace the chip under warranty. That is a small but non-trivial expense.

    And one last note: On a SCO Unix machine running X windows, the error could be clearly seen anytime one moved the mouse - a diagonal line would appear on the screen if the mouse was moved in a certain direction (like left to right). Eventually the session looked like a copy of Space Invaders gone haywire.
  • Why is using a built-in feature of Outlook suddently a "Virus"? A while back, GM made implemented some rather silly designs on their trucks and their saddle bag gas tanks. Under "normal operation", this was not a problem... but when a truck was hit by a car the probability for a fire and an explosion was higher. GM was accused of poor design, of not caring for the lifex of people, some accused them to be more worried about money than people's well being and of being criminal in that respect. Now, MS has been implemented some rather sily things in their OS too, without (it seems) paying a second thought to the consequences of some of the "features" that they are offering to their customers... How come MS is not finding itself under the lightsport here? Aren't they responsible? Can't they be accounted responsible for their action like any other company in the "traditional sector"? Even more interesting to me is the question of why the US military would suddently be surprised that they have made themselves succesptible to major downtime by choosing the wrong OS a few years back. So far, not a SINGLE news report I have seen clearly stated that only Windows users (and SOME Mac users running Windows software) are really at risk. When the GM truck problem was discovered, not ALL owners of trucks and cars were told to stop filling up their gas tank, just the GM owners. There is nothing wrong with email attachements, as long as you use a software package whose design is not controlled by a few gimmicky features. This, I think, where the Linux/Unix crowd could do a lot more to educate the public, and the news media....
  • nope, sorry. the default setting causes the script to be dealt with as if it were an embedded feature of the message (just as if HTML were in the message) and it's executed without any user action. I actually saw this happen, so please no more trolling.
  • News for Nerds stuff that matters vs Stories by geophile

    intention /. : Satisfy public's demand for braking news and latest technological advancements,
    try to stay ontopic of OSS
    intention geophile: Get public's attention by posting lame comments that no one cares about,
    try to stay as much off topic as possible

    audience /. : Nerds (mostly)
    audience geophile : Nerds (mostly)
    goals achieved /. : Latest news and tech coverage brought to millions of GNU/Linux users (mostly)
    goals achieved geophile : geophile's name spelled by millions of GNU/Linux users (mostly), valuable HD space wasted

    usefulness /. : Quite useful, sometimes off topic
    usefulness geophile : Useless, off topic

    reaction /. : lots of comments generated on Slashdot.org site
    reaction geophile : lots of comments generated on Slashdot.org site

    profit /. : Banners / Ads / user feedback
    profit geophile : individual satisfaction

    for the future /. : hope slashdot keeps up good work
    for the future geophile : hope geophile is forced to use Windoze for the rest of his life


  • I think your points are valid. Despite my dislike for most things Microsoft, this situation is really the same as someone running any other executable attachment. The virus relied more on social engineering than any operating system weakness to replicate.

    I took the opportunity to analyze and comment the entire virus to get a better idea of what this thing was doing to our clients. I tried to think of some things that could be changed in the Windows model to make it tougher for this type of virus to succeed, and came up with the following:

    1. The operating system should minimize the kinds of things that can be done behind the user's back. One of my biggest pet peeves is the fact that Windows has several different locations for programs to be triggered at startup (including registry entries like .../Run, .../RunOnce, .../RunServices, and .../RunServicesOnce). We've got a Startup folder already; why doesn't Windows force programs to use that?

    2. Users tend to be kept in the dark about important features in the Windows OS. I put IE5 on my computer at home without paying attention to the Windows Scripting Host aspect; don't you think that if another executable format is being added to my system I'd like to know about it? This is a feature I neither want nor need (and, actually, so is IE5...)

    3. Crucial system features and files can be casually modified without tripping any alerts. A user on a Windows 9x system is always the equivalent of root. On Linux, you can sandbox the effects of a hostile application somewhat by running it as an unprivileged user.

    4. Documents should be documents, not programs. Macros and scripts are nice, but should they really be a part of e-mail? Was plaintext e-mail such a bad thing really? :) When people get a .DOC, aren't they expecting a standard document? Really, I think much of the problem is integration where we don't need it and/or least expect it. Should a HTML page be able to access your hard drive?

    The biggest part of the problem is that some users click blindly on attachments that they receive. Many use attachments as part of their job daily and still believe that attachments are only part of the document, not a separate file or executable. Education is the best answer to this, but if Microsoft worked to add better prevention and damage control to their OS we'd all be happier.

    ---

  • Yes on both counts...and as for the first one, the Post is already reporting the first one [washingtonpost.com] as damage being in the $5 billion range, estimated to head up to the $10 billions.

  • Re:Stupid users, not stupid microsoft (Score:3)

    by Detritus ( 11846 ) on Saturday May 06, 2000 @11:28AM (#1087960) Homepage
    Pretend that you are the CIO of a large corporation. You have 10,000 users. Due to the amazingly skilled people in HR, 99% of the users are not idiots. Congratulations, 100 users just double clicked on ILOVEYOU and took down the mail server.

  • A bug? Give me a break! (Score:3)

    by mindstrm ( 20013 ) on Saturday May 06, 2000 @03:33PM (#1087961)
    Someone please show me where the bug is. I don't get it.

    I can write a shell script that sends out billions of messages too, if you run it. I can make it attach itself to email addresses, and I can make it do it using your pine address book.
    Where is the bug?

    The only bug is the idiot moronic users who run attachments without knowing what they are.

    Remember, ILOVEYOU does *NOT* spread on it's own, and does NOT execute automatically, and contrary to what this article says, is NOT an 'outlook macro' virus. It's just some vbscript, in a .vbs (analogous to a perl script or a shell script). It must be run manually in order to do anything.

  • This isn't Outlook's fault (Score:3)

    by Q-bert][ ( 21619 ) on Saturday May 06, 2000 @09:19AM (#1087962)
    This isn't a script that runs inside of Outlook people. It's a VBScript that runs using the Windows Scripting Host. It's just like a bash script, or a perl script. SAME DEAL. It's just like people getting an .EXE in the mail and running that. It's a trojan not a virus. There are two reasons this caused so much damage. Reason 1, people are stupid. Plain and simple. Reason 2, people aren't used to seein files with a .vbs extension. If someone got a .pl in the mail and ran in on their unix box and it fucked shit up, everyone would be like "STUPID USER!". With this everyone is going "MICROSOFT BAD, DIE MICROSOFT!!!". Now granted Outlook security is extreamly lacking but this is not a fault in Outlook. It's a fault of people and people are dumb.

  • Before we let MS off the hook... (Score:3)

    by Squirrel Killer ( 23450 ) on Saturday May 06, 2000 @07:21PM (#1087963)
    Let's get one thing straight.

    No bug caused the m/billions to be lost, but rather a feature caused the money to float away.

    Although not entirely responsible for the trojan macro, the feature is the security breach that allowed the macro to happen. Oxygen's responsibility for WWII is significantly less than this feature's responsibility for the fiasco. The proper analogy that Glowing Fish is looking for is not oxygen, but rather guns and stupid politicians.

    Before I entered the IT field for real, I disliked MS but thought "Oh, what the hell." Now when I hear Gates and Co. talk about their right to innovate, I just think of this and all the other malicous macros. These are not "innovations", they are poorly planned and implemented features. These features have done far more harm to business than they have helped. I wonder about the usefulness of storing macros in normal.dot and I challenge anyone to give a good reason for including VB/A/Script in an e-mail message.

    I can't help but feel as though MS's "right to innovate" has seriously limited business. Now, even small companies have to have dedicated IT departments. A mis-implemented feature causes world-wide computer havok. Promised productivity increases seem to melt away. A crash in a browser, a friggin' Internet browser, takes down the entire system. Users trying to get work done turned into beta testers so that MS can hit a product timeline. It's crazy.

    And why don't the PHB take note? Because IT departments like fat budgets, and like fish, PHB like shiny things. -sk

  • False sense of security (Score:3)

    by overshoot ( 39700 ) on Saturday May 06, 2000 @01:07PM (#1087964)
    For all of those pointing out that ILOVEYOU requires the luser to actively open the attachment, keep some things in mind:
    • Outlook's file extension hiding means that the attachment showed as .TXT, not .vbs
    • It's a truly bizarre world where viewing a document executes that document.
    • That was just this time. Bubbleboy proved that you can make the code launch as soon as the message comes up.
    • It doesn't take rocket science. HTML formatted messages render IMG= objects quite promiscuously; VBS is one of the options.

    Personally, I'm really interested in seeing if it's possible to add a 'graphic' to a vCard [imc.org] which is actually disguised VBscript. Malware that propogates via infected vCards should be able to fly under the radar for quite a while. Certainly long enough to become very, very widespread.

  • Re:Not quite fair (Score:3)

    by amyzing ( 45302 ) on Saturday May 06, 2000 @09:47AM (#1087965)
    The designers of the scripting capability in MS Outlook are responsible for this, and the writers of this particular version of the ongoing Outlook security exploit are pointing out that somewhere along the line, someone was seriously ignorant (as in lacking knowledge of thirty years of networked security issues) and unwilling to learn.

    Under what circumstances should sendmail have a feature allowing it to automatically forward messages to everyone in /etc/aliases?

    Should every installation of procmail include, by default, a well-known filter that will delete files specified by the incoming email?

    If it is valid at all to design in features that permit large-scale spamming without the consent of the user, or features that will modify files without the consent of the user, is it valid to turn these features on by default, so that the least competent users are likely to be the most badly affected? How is it possible to call the ability for random strangers to delete your files "ease of use" (with a straight face)?

    On a slightly gruesome note, I only wish that viruses were really as deadly as, say, ebola or bubonic plague. In that case, they might contribute to evolution--the early death of the unforgivably stupid. But that may be too harsh, and there is a good chance that the fool who designed (or ordered to be designed) such trivially easy-to-abuse features ... has them turned off, personally.

    Amy!

  • Re:Not quite fair (Score:3)

    by ToLu the Happy Furby ( 63586 ) on Saturday May 06, 2000 @07:40PM (#1087966)
    There are firsthand accounts of it happening posted here.

    Where? There are no firsthand reports of this trojan running in the preview pane, and indeed there can't be, since the preview pane Outlook Express vulernability has different permissions than this worm. Specifically, a preview pane OE virus can "only" run Java Script code and/or insert arbitrary code into your StartUp directory to be run upon reboot. In any case, the source for this worm is widely available, and anyone who understands the issues involved can see that it does not run without being specifically clicked on by the user.

    Finally, the preview pane vulnerability has been closed via a patch for months. Most users probably haven't applied it, but there's really nothing more MS could have done (besides not designing ActiveX so poorly in the first place).
  • {sigh}

    I see, once again, that MS is coming under fire, and probably for good reason (the address book thing is simply an error on the part of microsoft, I admit, and it shouldn't be so easily used by outside applications), but they're not the sole part of this blame.

    The visual basic script is equivelent to an executable file in Windows. Most users don't see the vbs on the end, which is partly the "funny" naming convention of the file. (All bold til the extention.) People will learn from this, I hope, but then again, many people still run .exe files they get in the mail, too.

    I would say that if I got a file and I activated the contents, no matter what operating system I'm using. If I ran the .exe equivlent on my mac or GNU/Linux system, then I would expect SOMETHING to happen. Think of the Windows scripting stuff as the old batch files (or scripts). They do stuff, but people don't know how much damage they CAN do.

    The blame for this falls on the shoulders of the virus (?) writer(s) and the users stupid enough to activate it. Microsoft should fix the address book thing in Outlook, but there's no security hole unless it's the one where the users brain shoulda been.

    Don't gimme that "Well, if they're using windows, they're stupid users and MS should have anticipated that." They have no responsiblity if someone's a complete screw up, no more than Saturn is responsible for the girl that nearly ran me over yesterday (SEE THE STOP SIGN!)

    Fully anticipating "flamebait."

  • Re:quite fair (Score:3)

    by fwr ( 69372 ) on Saturday May 06, 2000 @11:18AM (#1087968)
    If someone can write such a simple virus in visual basic, there is *something* wrong! (Both with M$ Windows and Outlook)

    Wrong. The power behind the technology that made the script so trivial is a good thing. The problem is the security model behind the technology that makes the damage possible. Remember, technology is positive when the creators put the interests of their users before their bottom line.

    Wrong. If you don't realize it, this is Microsoft's biggest mistake. That mistake is to make writing complex programs and wielding administrative power over computers "trivial." The ability to design complex programs with system administrative capabilities should be difficult to master. Only with experience comes responsible behavior. By tying their web browser (IE), application programming languages (VB), office automation tools (Outlook), and other sundry "features" to their monopoly operating system they make it easier for inexperienced people to write destructive programs (virus, worm, other).

    I'm not strictly advocating making computer programming more difficult on purpose, but I think Microsoft went just a little too far in trusting the "average Joe" users of their software. It's like they totally ignored human nature in that there will always be a subset of society that is destructive. It's almost like putting guns in the hands of kids and saying, "You're not being fair! It's not their (those that distribute guns to kids) fault that there are some bad apples out there!"

    Note that this is quite different that the current litigation blaming responsible gun manufacturers for the use of their product. We have laws that restrict the access to guns and other potentially destructive technology to responsible adults. Why don't we have the same type of rules for computer technology? What type of rules should they be? Certainly we can't limit access to computer technology to minors. That would be just plain stupid. But, how about making it illegal to have the default install state of email programs to even be able to "run" applications, at least? What about requiring manufacturers with over 20% market share in their field of endevor responsible for not fixing problems with the fundamental architecture they have designed if it shows repeated occurances of actively promoting loss of business and productivity? Especially if the loss is not limited to the individual using the product irresponsibly?

    Hey. Read that over again. Sounds like that could apply to a lot of technologies and not just computers. Take car manufacturers for example. If some car maker designs a part, say a gas tank for a car, in such a way that it explodes or catches fire unreasonably often if "used" in the wrong way (such as getting in an accident, which you certainly don't try to do), wouldn't they be forced to redesign their product so that it wasn't so defective? Especially if it caused harm to those innocent people (the people in the car with the defective gas tank who got rammed from behind by no fault of their own)?

    Or, take gun manufacturers, again. They certainly couldn't be sued if someone sticks a gun in their mouth and pulls the trigger. But, if a gun model routinely misfired and caused harm to the person who pulled the trigger or those nearby (but not aimed for!) there certainly would be cause for the ATF to push for a redesign (or pulling that particular model all-together).

    I don't know. Sometimes I just don't understand Microsoft supporters. It's like they just don't have a clue. And this from someone who used to be an avid Microsoft supporter (in the mid-late 80's) and personally purchased many-a Microsoft C, Basic, MASM compiler/assembler.

  • 2.61 Billion (Score:3)

    by Money__ ( 87045 ) on Saturday May 06, 2000 @03:48PM (#1087969)
    2.61 billion to be exact. Acording to this article at Bloomberg.com [bloomberg.com]

    One of the quotes from the article:

    Microsoft is partly to blame for the bug because the company puts a priority on adding new features to its programs instead of security, said Mikko Hypponen of F-Secure Oyj, an Internet security company in Espoo, Finland. ``It's a Microsoft problem, and it's hurting them,'' he said. Microsoft's Windows operating system, used in 90 percent of personal computers worldwide, includes scripting software that allows anyone to rewrite programs. Hypponen advises most companies to get rid of the scripting software for their employees who don't need it. "
    ___

  • Blame the users, not the tool, except Microsoft (Score:3)

    by VAXman ( 96870 ) on Saturday May 06, 2000 @11:56AM (#1087970)
    The "slashdot community" (whatever that is) typically never takes a "blame the tool" approach. Things like Napster which facilitate music piracy never receive the blame for piracy - the user does. This example is applicable to many of the issues which are discussed on slashdot.

    The only exception to this rule is a Microsoft tool.

    If Microsoft writes a tool which users fuck themselves over with, Microsoft - and not the clueless users - get the blame. Why is Microsoft an exception to "guns don't kill people, people kill people".

    IMHO, anybody who supports Napster on the basis that it is only a tool, yet blames Microsoft on this worm (or any other worm which was not coded within Microsoft), needs to have clues beaten into them severely, and spoon-fed to them for life.
  • everyone is on crack!!!

    how come everyone is saying that this isn't a problem and moderating up other folks who say that this isn't a problem?

    this is a HUGE freaking problem. 60% of ALL the email systems in sweden were taken down. 30% of the email in england. All the canadian government email was taken down.

    look at that. millions of people without email for a prolonged period of time and tell me there isn't a problem here.

    And it isn't over yet. Everyone is looking for email with "ILOVEYOU.txt" on it but they aren't looking for the email with "warn I love you virus" as the subject. For the next couple months that's what were going to see. Except it won't be a warning. It will be the virus with a different name. Seriously. Now there are thousand of people out there who know they can disable a the email system in a school or a town or a company just by changing the subject line of the email and sending it to someone in there.

    Think about a new ILOVEYOU virus every week for the next three months. Still think there isn't a problem?

    but the real problem is far deeper and longer lasting. I remember when I first was introduced to email when i came to america in 96. The first question I'm asking myself is, "can't people hack our computer?" See back then I didn't know the difference between a hacker, a cracker, a hax0r, script kiddie, a virus writer, or anything. All i knew was that it didn't sound good.

    The general public still doesn't fully trust computers and they trust the network even less. There are a couple people at my college whose parents didn't let them have the internet in their house.

    There are many more who don't use instant messaging still because of fear of hax0rs.

    Or i could rant about all the helpfull aunts out there who send people forwards with hoax email virus warnings. It's not the aunt's fault. It's the fault of negligent computer companies who allow for real email viruses. It's harder to make an email program that will allow an virus to propagate than it is to make a secure email client so they can't even claim they did it out of laziness.

    It's stupid stuff like this that puts a barrier infront of people that might otherwise benifit from technolodgy.

    Some of the commenters are blaming it on the outlook users. That's not very smart in my opinion. Why should the users be afraid to open attachments? Why should they be afraid to look at email. We aren't talking about email from friends as was the case with this virus. I'm talking about email from complete strangers.

    I am on a couple of mailing lists and I get email from over a hundred strangers every day. But do i worry about it? NO! I just open it right up and look at it. That's because my email client will only read text and pictures. No executables. No viruses. No trojans. I can just open it up like there was nothing to it. AND THAT'S THE WAY IT SHOULD BE!!:(

  • Re:Not quite fair (Score:3)

    by cburley ( 105664 ) on Sunday May 07, 2000 @12:21AM (#1087972) Homepage Journal
    This is what's happening with ILOVEYOU: users are manually running an executable

    No, they aren't. Just ask them what they think they're about to do before they do what you say they're doing. They're highly unlikely to say "I'm going to manually run this executable".

    More likely, they'll say "I want to see what's in this file!". And that's what double-clicking an icon is for. (Except in certain contexts, when a sizable percentage presumably knows double-clicking runs a program. Reading email is clearly not one of those contexts.)

    The fact that they aren't shown what's in the file, but instead have arbitrary code with the equivalent of Unix `root' privileges executed on their system, in an environment where tight integration among applications basically guarantees easy access to all sorts of personal data, makes this a highly preventable, as well as insidious, bug in the design of Microsoft software.

    IMO, the biggest enabler of this bug was the decision by Microsoft, at the highest levels, to deploy Windows 9x as an "easy-to-use" OS for people wanting access to the Internet.

    Even at the time that decision was made, Microsoft certainly had more than enough expertise to know it was a technically unsupportable one, from a security standpoint. I.e. they knew the Internet was hostile, that Win 9x was unsecure, that their highly integrated software made even security-by-obscurity basically irrelevant, and that their targeted user base had no expertise in securing themselves against the inevitable problems.

    (At least, I really doubt I understood these issues better as a 16-year-old in the mid-'70s than the geniuses at Microsoft did circa 1995. Actually, even in the late '70s, I couldn't understand how these newfangled personal computers could fit a whole OS in 64K, until I was stunned to find out they'd ignored the whole timesharing security model. The viruses that swept the PC- and Mac-using world were never a surprise to me, of course, nor to most anyone else hacking timesharing systems before the PC generation.)

    The estimates I've heard of losses are in the $Billions, but I agree Microsoft won't have to pay a dime (i.e. they won't recall Win 9x for all Internet users).

    And bear in mind I'm not saying MS should have taken steps to prevent people using Win 9x for Internet use. They should have made it clear it wasn't suitable, and left it up to end users to decide whether to install 3rd-party software that let them ride the 'net. Of course, that wouldn't have earned MS the huge extra $Billions in income, or the huge additional stock valuations, which is why they didn't do the obviously "right" thing.

    BTW, my wife, whose responsibilities include an IT department at the world headquarters of a well-known institution, was, needless to say, not happy about the ~36 hours of organization-wide downtime suffered due to this bug. Especially when I said "gee, don't y'all have your SMTP servers reject any incoming email that have unrecognized, or code-bearing, attachments?", she said "no, we can't make our [MS-based] software do that", and I pointed out that it was a topic often covered as being fairly easy to do on the qmail [qmail.org] mailing list. I had assumed, obviously erroneously, that last year's Melissa had convinced everyone to get their act together, disable certain kinds of attachments, etc. Not that I pay much attention to viruses: I run GNU/Linux, and use a dialup (no static IP), among many other things. The only time I see virus-protection software being run is when it's being run on someone else's computer!

    Why businesses willingly pay $Millions to Microsoft so they can get "flashy" software that causes them random downtime of days per year, with "nobody to sue" as the anti-Open-Source FUD goes, is something I have yet to be able to explain using logic. (Using psychology or anthropology, however....)

  • Re:Not quite fair (Score:3)

    by ruin ( 141833 ) on Saturday May 06, 2000 @09:37AM (#1087973) Homepage
    Microsoft is right. The ILOVEYOU virus isn't a software issue, it's a user education issue.

    Just the same way that accidental gun deaths are a user education issue. And prescription drug overdoses. And smoking-related lung cancer. And traffic accidents. All of these things could be prevented if the user just *weren't* *so* *dumb*.

    Wrong. A user clicks on an email message, and their email client automatically starts running an attached file? Stupid-user or not, this 'feature' is just plain unjustified. How many seconds would you have to use up to think of a way to make this program more secure? How about prompting the user: "Run attached file: ILOVEU.VBS? (Y/N)"

    Writing software that makes it easy for strangers to take advantage of the use is just plain negligent. Plenty of sensible software writers know that their software is going to be used by users of a variety of skill levels, and take this into account when writing. mIRC, for example, is set by default to decline DCC sends of .exes, .vbs, etc. This is just good sense.

    Which is better, to make a program secure by default, and let users turn off security if they want? Or to make it insecure by default, and blame the users for not turning on the security?

    hm.

    --

  • Not quite fair (Score:3)

    by Glowing Fish ( 155236 ) on Saturday May 06, 2000 @09:05AM (#1087974) Homepage

    I am as anti-Micro$oft as the next red blooded American, but this is not quite fair. This table seemes to say that the bug in M$ Outlook is responsible for the ILOVEYOU virus...which it isn't. The feature or bug in M$ Outlook is there because it is supposed to be helpful (which it probably isn't), but it is not malicious, and would not causes any damage if somebody else had not tried to be malicious.

    To say the bug caused billions of lost files is an arguiment of insufficient causation. It was one of the causes, but not the finishing cause, of the loss of files. Much like the presence of Oxygen in the atmosphere was neccesary for WW II to be fought, but that doesn't mean it caused World War II.

    Just my $0.02 U.S.

  • Re:Not quite fair (Score:3)

    by Anal Surprise ( 178723 ) on Saturday May 06, 2000 @10:14AM (#1087975)
    This is the same as putting an icon on the desktop that reformats your hard drive. Of course an educated user wouldn't slip and accidentally click on that little icon you can't delete, would they? You never know when you'll spaz and at that moment, you're as "dumb" as the rest of "them". That's the first fruit of Microsoft's freedom to innovate: the icon on the desktop that reformats your drive, or the link in Outlook that trashes your machine.

  • very fair (Score:4)

    by sethgecko ( 167305 ) on Saturday May 06, 2000 @12:18PM (#1087976)
    Two words: The Kak Virus

    The worm utilizes a known Microsoft Outlook Express security hole, Scriptlet.Typelib, so that a viral file is created on the system without having to run any attachment. Simply reading the received email message will cause the virus to be placed on the system. --from http://www.symantec.c om/avcenter/venc/data/wscript.kakworm.html [symantec.com].

    Granted, this is the kak virus, and granted MS issued a patch, how long is it before someone ports the ILUVU virus to exploit this hole where the user DOES NOT NEED TO OPEN THE ATTACHMENT, just view it. Outlook and OE have horrible security. Tying the scripting language into the system was their way to make MSN as easy (sorta) to set up as AOL. Ever tried to set up MSN? Uses pervasive scripting which does not always ask for a prompt before runnning. This is not a buffer overflow error, but one (perhaps of many) exploits where windows scripting does not ask for permission to run.

  • Microsoft to blame? (Score:5)

    by pb ( 1020 ) on Saturday May 06, 2000 @10:02AM (#1087977)
    I'm sure everyone here has an opinion of whether or not Microsoft is to blame.

    Well, first ask yourself these simple questions.

    Did we have these problems before Microsoft started "innovating"? I remember when people would send out warnings about "THE GOODTIMES VIRUS". We all laughed, because we knew it could never happen.

    Do we have these problems now? Well, yes, many Windows users have these problems. Users of Microsoft products and products that support Microsoft "standards" are affected.

    How long has this been a real problem? For at least 6 years, ever since people found out you could do this in Word 6.0 for Windows 3.1.

    So what is Microsoft doing about this?

    From their page [microsoft.com]:

    How Do You Prevent the Spread of Viruses?

    You can prevent the spread of a macro virus. Here are some tips to help you from being attacked.

    Know where you get a document If someone sends you a document or file, be sure you know you can trust them. Is this person someone you work with? Would this person send around files that have been sent from untrustworthy sources?

    Talk to the person who created the document If you are unsure whether or not the document is safe, contact the person who created the document.

    Use Office 97 macro virus protection In Office 97, the applications will tell you if a document you open contains macros. This feature allows you to either enable or disable the macros as you open the document. For more information, read Turn On Macro Virus Protection.

    Use virus scanning software to detect and remove macro viruses Virus scanning software can detect and often remove macro viruses from documents. Microsoft recommends using anti-virus software that is certified by the International Computer Security Association (ICSA). You can view a current list of ICSA-certified anti-virus products at the ICSA Web Site.


    So does their advice help any, for preventing the spread of ILOVEYOU?

    No, it doesn't. ILOVEYOU sends you messages from people you trust. Why would you send a message back asking them about it? I get messages from people all the time that say "Hey, read this, it's funny." I'm not going to write them back and say "Yeah, but will it crash my computer?", because that doesn't make any sense. Macro virus protection and scanning doesn't apply here either, because Outlook doesn't even offer a warning! The user just clicks on the attachment to see what it is, like usual, and BLAM, their system is hosed. In fact, there have been some reports of Outlook opening it with the "Preview Pane" (perhaps if earier patches for Melissa weren't installed).

    So, in my opinion, Microsoft isn't doing enough. They never should have created Word BASIC in the first place, they should never let what should be a formatted text file make system calls, they should never let users run everything essentially as 'root', and they should fix their software *AND* pay back the community bigtime for damages.

    But hey, make your own decisions. If that wasn't enough to convince you, go read what the media has to say. I'll just sit here quietly, wondering what's wrong with the world, as my machine doesn't crash.
    ---
    pb Reply or e-mail; don't vaguely moderate [ncsu.edu].

  • Re:Not quite fair (Score:5)

    by portnoy ( 16520 ) on Saturday May 06, 2000 @10:54AM (#1087978) Homepage
    Well, maybe. Viruses need an environment in which to thrive as well as the organism itself. The question is whether MS should have recognized the danger in the environment that they created.

    When we discuss the Internet Worm, for example, the blame doesn't fall totally on RTM. A sizable segment of blame goes to the authors of the finger and sendmail daemons that the Worm used to thrive and propogate. Their careless programming caused the environment, and they should have been able to recognize the danger well before RTM started to code.

    So yes, I think MS does have a certain amount of responsibility. Complete responsibility? No; of course not. But let's not overlook MS for creating the environment and ignoring the danger.

    This is actually why I like the comparison in this story -- both companies have responsibilities for the mistakes they made, but the intriguing bit really is the difference in handling and accepting responsibilities.

  • Just received ILOVELINUX.txt (Score:5)

    by Black Parrot ( 19622 ) on Saturday May 06, 2000 @09:21AM (#1087979)
    From: 5kr1p7.k1dd13@hotmail.com
    To: black.parrot@where.ever.ur
    Subject: ILOVELINUX.txt

    Hi. Please type the following at your prompt -

    sudo rm -rf /

    Love ya,
    5kr1p7

    --

  • It's not a bug. (Score:5)

    by afkmn ( 25722 ) on Saturday May 06, 2000 @09:19AM (#1087980)

    Arguable whether it's a feature, but whatever.

    If I wrote a unix shell script that grepped through a user's home directory for email addresses and then used sendmail to propagate itself to those people, it would be very very similar to the love bug. The -only- significant difference is that Outlook makes it trivially easy to open and run attachments. It's a trojan horse: only works if the user actually launches it.

    Feel free to lambast the intelligence level of your typical Outlook user, but pick your battles.

  • Re:Not quite fair (Score:5)

    by fougasse ( 79656 ) on Saturday May 06, 2000 @02:05PM (#1087981)
    I don't know what you saw happen, but it wasn't that.

    Outlook (when I say Outlook, I'm referring to Outlook Express 5.0, the most commonly used version and the one I have experience with) does not run this virus automatically. It cannot be made to run this virus automatically.

    It DOES run embedded scripts by default, but so does any modern graphical web browser. Outlook runs embedded scripts in a secure sandbox -- they are NOT allowed to read/write files, send e-mail, etc. The ILOVEYOU virus is not an embedded script, it's an external script, analogous to a .pl Perl script.

    So, to repeat again: it is NOT RUN AUTOMATICALLY. As someone said above, the only common e-mail client that can be configured to auto-execute system scripts is GNU Emacs.

    This is not trolling -- this is the complete truth. And, by the way, how did a short message with no facts that was completely incorrect get moderated to +5? People really do hear what they want to hear.

  • Clueless MS Bashing (Score:5)

    by fougasse ( 79656 ) on Saturday May 06, 2000 @02:23PM (#1087982)
    Wow. This has become Bash Microsoft Time.

    I am no great Microsoft fan. I don't despise them either. I do, however, know most of the facts in this case, and 99% of the Microsoft-bashing here is unwarranted.

    First, some facts about what Outlook does. It does not claim that the file is a text file; it is displayed with the VBScript icon, and depending on system configuration, a .vbs extension. It does not run the file automatically -- users have to manually run the attachment. Even after clicking on the attachment, by default Outlook warns users that it may be a virus and the default option is to save the file, not to run it.

    So, in order to be infected, users have to read the e-mail message, click on the paperclip icon to open attachments, click on the file which has a VBScript icon and usually a .vbs extension, then click "Open this" on a dialog box that warns them that the file may contain a virus. This hardly sounds like a security hole to me; it sounds like stupid users. It is basically impossible to run the virus accidentally.

    The other criticism that's heard often is that users having full, root-like control is the problem. (This isn't the case in Windows 2000, by the way.) Yes, Win98 sucks, and yes, this may be a security problem, but it is completely irrelevant in this case. The virus reads your address book, sends several e-mails, then deletes certain files in the user's document directory. None of these actions would require root privileges on a system that implements them. (The virus also attempts to obtain system passwords, but this is not the part of the virus that is causing damage -- nobody has been affected by the virus obtaining passwords.)

    Most of the MS bashing here is grounded in imaginary security holes. I'm not a great MS fan, and I hate Win98 as much as anyone, but if you want to criticize them, don't lie. What's being said here is worse than the stuff that Microsoft says about Linux -- at least that stuff is based at some point on facts or semi-facts.

  • Re:Not quite fair (Score:5)

    by Stary ( 151493 ) <stary@novasphere.net> on Saturday May 06, 2000 @09:16AM (#1087983) Homepage Journal
    The feature or bug in M$ Outlook is there because it is supposed to be helpful (which it probably isn't), but it is not malicious, and would not causes any damage if somebody else had not tried to be malicious.

    Yes, and I guess this means we should all save passwords plaintext and in world-readable files shouldnt we? I mean, hey nothing bad will happen unless someone else has some malicious intent!

    Point being, if you make software that enables a fscking email to access/erase files on your disks, and automaticly send itself onward to everyone in your address book isnt the prime cause of this? Come ON.

    If you wanna compare air to something around computers, compare it to power. This wouldnt have happened without power. It's more like leaving your window open when you go to a vacation and then with a surprised look saying "hey I did nothing wrong" when you get back and nothing of value remains in your house.

Slashdot Top Deals

...there can be no public or private virtue unless the foundation of action is the practice of truth. - George Jacob Holyoake

Close