
Microsoft criticized for lack of software security

Security experts say the "I Love You" worm's spread is a perfect demonstration of the software maker's technologies working exactly as they were designed to operate.

Paul Festa Staff Writer, CNET News.com
Paul Festa covers browser development and Web standards.
Look at it this way: The "Love" bug isn't a bug after all. It's a feature.

That's the wry analysis of security experts in the wake of the destructive global spread of the "I Love You" virus and its variants. They say the worm's lightning-fast spread is a perfect demonstration of Microsoft's powerful technologies working exactly as they were designed to operate.

The fundamental problem, these experts say, is a market-driven impulse to include as much functionality as possible in applications at the expense of security. While all companies face the same pressures from customers, none is as famous as Microsoft for yielding to them.

"At Microsoft, they always go for more functionality over security," said Gary McGraw, vice president of corporate technology at Reliable Software Technologies. "That's what the marketplace wants, because the marketplace isn't very educated about security. It's easy to sell products that aren't perfect to people who are ignorant. The customers' No. 1 job isn't security, it's getting their job done."

For its part, Microsoft insists it provides adequate security features but lets customers choose how much they need. "There's always a trade off between ease of use and security," said Scott Culp, a program manager with the software maker's security response center. "As a general rule, if you want to have higher security, you're going to take a bit of a cost in not being quite as easy to use. We provide features in all our products to let you decide where that balance is for you."

The origin of the current security quagmire lies in the development of computing applications that predate the widespread use of the Internet.

In designing desktop applications such as Word and Excel, Microsoft created individual scripts, or macros, for automating tasks within them. The software maker decided to create a common scripting language that all the disparate applications could understand, and it took the form of the Visual Basic programming language and its scripting language, VBScript.

These languages were a boon for Windows developers. They also wound up being the languages of choice for the author of the I Love You virus.

"What we've seen here is the result of adding a powerful language to applications that interface with the Internet, which is the source of dangerous data. It's a very dangerous combination," said Security Focus analyst Elias Levy, moderator of the Bugtraq security mailing list. "The scripting language makes a lot of sense with a lot of tasks on the desktop, but you have to be very careful when you interface them with something as dangerous as the Internet."

But Culp said blaming programming languages is an oversimplification of the real problem. "The issue here isn't scripting," he said. "It's the social phenomenon of virus writing.

"That virus could have been written as an executable or on any platform or in a nonscripting language. Just because this virus was written in a scripting language, and we happen to support scripting in our operating system, doesn't make it a security issue."

The problem also goes back to Microsoft's corporate philosophy and how it designs products. The software maker's success stems partly from its ability to tightly tie applications to each other and to its flagship Windows operating system. Word and Excel, for example, use not only common scripting languages but also common components that make them easier to use and customize.

But as Microsoft has increased the ties between applications and the operating system, particularly bundling Outlook with Office and hooking it to Internet Explorer, the company has created new security vulnerabilities, analysts say.

"Microsoft has built in the ideal virus transmission mechanism into the operating system," said Gartner Group analyst John Pescatore.

One problem is Outlook's extensive dependence on Visual Basic and the ways hackers can exploit it. Another is the ease with which scripts can manipulate Outlook's address book and also affect the operating system regardless of other security measures, such as password protection.

Viruses are a long-standing problem. In the past, system administrators contended with small windows of time during which infected files could get into their networks ahead of antivirus updates and be distributed by a few people, either inside or outside the organization.

"Now, with mechanisms built into Windows and Office, Microsoft is doing it for (virus writers)," Pescatore said. "Here is your address book, so send out the virus to everybody there at the speed of your CPU instead of relying on the person dumb enough to send infected email."

"If that were off by default, it would be a whole lot more secure," said Reliable's McGraw. "Having it on by default is typical of Microsoft's approach...In the case of the Love bug, it isn't even a bug. It's just insecurely designed. It's not badly designed; Microsoft intended for it to be that way."

Analysts say these recent outbreaks are similar to the Morris worm that a dozen years ago crippled Unix systems and brought down the young Internet. That virus exploited ties between Unix sendmail and the operating system to redistribute itself via people's address books, similar to what is happening with Outlook and Windows today.

Microsoft's critics frequently point to the Java programming language, developed by Sun Microsystems, as a security paragon--at least compared with Microsoft security methods.

"The Java approach is completely different," said McGraw, who is also co-author of a book on Java security. "It was designed to protect ignorant people from their own ignorance. And that may be a better model for the future economy, with everything computerized and software truly ubiquitous."

Java's security model works by establishing a so-called sandbox that limits the areas of the computer the code can manipulate. Microsoft's technologies, including Visual Basic and ActiveX--another frequent target of analysts' security gripes--rely on the "trust" model, leaving PC users to decide whether to grant incoming scripts and ActiveX components power over their computers.

"The people who designed Java wrote it so that you can run whatever you get as long as the model is perfect," said McGraw. "That leaves room for error. But Microsoft lets you decide whether to give over complete control. The I Love You thing is a perfect example of what happens when you give that control with two clicks of the mouse. It's incredible. That's all it takes to give away the keys to your computer."

Other analysts agreed that Microsoft has a lot to learn from Java.

"Visual Basic...and ActiveX are nowhere near the security posture of Java," Gartner's Pescatore said. "Java was designed with security in mind. Visual Basic was designed to allow novice users to build anything. C++ is not much better. (In) all programming languages until Java came along, most of the common ones were pretty insecure from a security perspective."

McGraw warned that as more things become computerized, the "trust" model will increasingly fail to protect people.

Although market forces will continue to pressure Microsoft and others to give security short shrift in favor of functionality, McGraw said he has some hope that the new exigencies of online commerce will exert pressures in the opposite direction.

"If you look at particular verticals, like the financial guys, they're getting much more particular about security," he said. "That's a harbinger for the future. As e-business really starts to happen, people are going to be paying much more attention and actually designing their stuff to be secure."