
Microsoft slammed for email security holes

Security issues tied to Microsoft's Outlook email program draw heated criticism from security analysts after a new virus hits companies around the world.

Paul Festa Staff Writer, CNET News.com
Paul Festa covers browser development and Web standards.
Security issues tied to Microsoft's Outlook email program drew heated criticism today from security analysts after a new virus swept through computer systems across the globe.

Some analysts said the "I Love You" attack points to serious flaws in Microsoft code. They noted that the virus takes advantage of well-known exploits involving Visual Basic script files, which end in the extension ".vbs." Visual Basic is a high-level programming language developed by Microsoft that is graphically oriented.

Michael Zboray, chief technology officer for market researcher Gartner Group, harshly criticized Microsoft for releasing a programming language with the "wrong security posture" to businesses and the public.

"Visual Basic script and the macros are proving to be a disaster. This is just happening over and over again. We have to get away from this hostile active content that is coming in through Word documents, Excel spreadsheets and the browser.

"You can say a lot of things (about) how Java's not good, and you can say JavaScript has a lot of flaws," Zboray said. "But the security posture from which they were designed was the right posture. The security posture from which ActiveX and VBScript were designed is the wrong posture."

For its part, Microsoft attributes the ongoing security issues not so much to inherent problems with Visual Basic script and its macro language, but to bad people misusing good software.

"We include scripting technologies because our customers ask us to put them there, and they allow the development of business-critical productivity applications that millions of our customers use," a Microsoft representative said. "Obviously, the technology can be misused by human motivation, and that's why we provide the security features for the customers to judge when the programs should be run or not."

The Microsoft representative said that since last night, the software maker had been working with major antivirus makers to combat the problem, and that by this morning, most companies had updated their virus definitions to detect the bug.

As a first line of defense, Microsoft is recommending deleting email messages with the "I Love You" subject line. Long term, the Redmond, Wash.-based software maker also recommends that corporations reevaluate their email practices and always keep antivirus signature files up to date.

Companies also must educate employees "not to run a program from an origin you don't trust," the Microsoft representative said.

If there is a lesson to be learned from the outbreak and the speed at which the virus spread, it is how unprepared companies are--even those that added extra measures after the Melissa attacks, analysts said.

"The only thing that works is to have centralized management of the virus systems on people's desktops," Zboray said. "We have an established record now; this is the only feasible recovery plan. You count on the virus vendor to update the signature fast...but only centralized management ensures you can update quickly and effectively."

Mike Wittig, chief technology officer of firewall maker CyberGuard, said many companies can minimize attacks by using tools they already have.

"Many companies don't enable the email scanning features that are available in a lot of today's firewalls, either because of awareness, complexity or performance reasons," he said. "Adding virus scanning has a performance impact on your network."
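The gateway-side email scanning Wittig describes can key on the two indicators this article names, a ".vbs" attachment and the "I Love You" subject line. The following is an added example, not code from the article or from any vendor's product; the function names, the quarantine/tag/pass actions and the sample messages are assumptions made for illustration, and the extension check generalizes to mixed case and stacked extensions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators named in the article; the actions and names below are assumptions.
BLOCKED_EXTENSIONS = (".vbs",)
FLAGGED_SUBJECT = "iloveyou"  # "I Love You" after normalize()

def normalize(text):
    """Lowercase and drop spacing/punctuation so spelling variants compare equal."""
    return re.sub(r"[^a-z0-9]", "", (text or "").lower())

def script_attachments(msg):
    """Return attachment filenames whose final extension is blocked."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so strip them before testing.
        cleaned = name.strip().rstrip(". ").lower()
        if cleaned.endswith(BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits

def verdict(raw_bytes):
    """Quarantine on a script attachment, tag on subject alone, otherwise pass."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = script_attachments(msg)
    if hits:
        return ("quarantine", hits)
    if normalize(msg["Subject"]) == FLAGGED_SUBJECT:
        return ("tag", [])
    return ("pass", [])

def sample(subject, filename=None):
    """Build a constructed test message (not captured traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("see attachment")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("I Love You", "notes.TXT.VBS"), ("ILOVEYOU", None),
                        ("Quarterly report", "report.pdf")]:
        print(subj, fname, verdict(sample(subj, fname)))
```

Matching on the attachment type rather than only the subject line keeps the rule useful when the subject text changes.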

Security consultant Richard Smith said most Web administrators should know better than to run ".vbs" attachments from unknown sources. But through shared drives on a network, a misstep by one person could infect an entire organization and fuel the spread exponentially.

"If you're in an organization you can also mount drives that are on your servers," Smith explained. "In my old organization, we used to mount two or three server drives on an individual computer; Drive 'F,' for instance, on everyone's computer would be a particular drive attached to a server. So if someone in the organization runs the virus, it could infect files on Drive F. If someone else tries to run those files, it could further spread the virus."