Windows OS: Pheromone for the Love Bug


We can blame the Windows Scripting Host for the recent virus attacks

By Hiawatha Bray Special to digitalMASS

If Microsoft Corp.'s behavior in its antitrust trial hasn't convinced you that the company's leaders are in a persistent state of denial, more evidence arrived from Manila this week.

I refer, of course, to that malignant electronic love letter that swept across the world's computer networks, forcing corporations and government agencies to shut down their e-mail networks and spend millions cleaning up the mess.

The Love Bug was worse than the typical nuisance virus, because it destroyed several popular types of computer files. If you're one of the many college students with hundreds of MP3 music files on a hard drive, this virus could be especially cruel.

But right now I'm mainly concerned about the cruelty of the Microsofties, who persist in denying any responsibility for this fiasco.

Notice that the Love Bug ailment only affected Microsoft-reliant PCs. One reason virus writers love to target Microsoft is that their stuff runs on roughly 90 percent of the world's desktop machines. Apple Macintoshes rarely get viruses, because even after Apple's resurgence, Macs are still run by maybe 5 percent of all users. Most computer vandals prefer to go after bigger game.

But there's another reason Microsoft-based PCs are a favorite target -- Microsoft's willful inclusion of features that make a machine easy prey for the saboteur. The Love Bug, for instance, isn't really a bug -- it's a feature, added to the Windows operating system for the benefit of some corporate computer users.

The Windows Scripting Host was developed in 1997 as a way to make it easy for programmers and serious computer users to automate various functions on their machines. The host will enable a Windows machine to automatically run simple program scripts written in a variety of languages, such as Javascript and Microsoft's own Visual Basic Scripting language. Anybody with Windows 95 can download Windows Scripting Host from Microsoft's Web site; it comes built right into Windows 98 and Windows 2000.

Thanks to the Windows Scripting Host, corporate network administrators can use scripts to automate much of the work they do. They can write scripts to add new accounts to the e-mail network or check performance logs on a particular machine. In short, this isn't just a useless gimmick, but a helpful and practical tool for many computer users.

But of course, virus writers like it too. The presence of the scripting host is what makes the Love Bug possible. It's a little script that is activated instantly when you click on it, if your computer has the scripting host on board.

It's not as if this hadn't happened to Microsoft before. Back in 1997, I interviewed a student at Worcester Polytechnic Institute who'd discovered that Microsoft's Web browser had a security flaw that could wreck a user's computer. It turned out that a vandal could create a Web page with links that would activate programs on a visitor's computer. The Worcester student showed me how I could create a link that would start up a computer's Format program, and delete every file on the computer's hard drive. If a visitor with the Microsoft Web browser clicked on the link, his computer would commit suicide.

When I asked Microsoft about this appalling security flaw, one of their engineers assured me that it wasn't a flaw at all. The company had deliberately designed the browser with this capability, because some corporate users would find it handy. A firm could put links on its internal Web site that would automatically run, say, a diagnostic program on the remote user's machine. Nifty, yes?

Well ... no. In the end, Microsoft saw reason and modified the browser to prevent this feature from working. But the underlying attitude that convenience matters more than security has never changed.

Consider last year's Melissa virus. It too relied on a built-in scripting capability that allows Microsoft's office software suite to run simple programs. And it too swept the world, using Microsoft's Outlook e-mail program to send out millions of copies of itself.

As the Love Bug incident shows, the Melissa virus wasn't enough to change Microsoft's mind. And so far, there's no evidence that even this latest attack is having much effect on their thinking.

When I raised the issue with Microsoft spokesman Adam Sohn last week, he described his idea of how companies could improve the security of Outlook. "They should commence by beating their employees," Sohn declared.

He chuckled to signify that he was kidding -- but only about the floggings. Sohn was dead serious about Microsoft's utter lack of responsibility for the Love Bug fiasco. Instead, he blamed the silly computer users who go opening e-mail attachments. "People shouldn't open them," said Sohn. "That's the problem."

But both the Melissa and Love Bug viruses often arrived in e-mail messages that come from people to whom we've given our e-mail addresses. The old advice about only opening attachments from people you know is worthless this time around. Of course, you can also get updated antivirus software. But that's no help to the thousands who get infected before the update is prepared.

The solution is obvious enough. Microsoft should either eliminate all features that allow alien programs to run on people's machines, or they should do a far better job preventing the hostile ones from getting through.

Why on earth do Windows 98 machines come with the Windows Scripting Host built in and switched on? A good 90 percent of users neither want nor need the feature; it serves only as an invitation to trouble. It would be easy for Microsoft to deactivate the host, so that users would have to make a conscious choice to turn it on. Only those who really benefit from the feature would do so, and the rest of us would be safe. In addition, it should be fairly straightforward to block any scripts from running if they originate from a source outside the corporate firewall. That would have prevented the rapid spread of the Love Bug.

Understand that Microsoft isn't unique in this habit of making its software too powerful. Try installing Linux sometime, and you'll see the same thing. Many standard versions of this operating system will switch on services like the "sendmail" messaging system. According to security experts, crackers love sendmail -- it's one of the easier networking programs to subvert.

So all of the makers of operating systems have plenty to learn. But none are more in need of re-education than the people of Microsoft, who are determined to give us ever more convenient and powerful software, even if it kills us.

Oh, by the way, if you're running Windows 98, you can uninstall Windows Scripting Host. Click the Start button, then choose Settings, then Control Panel, then Add-Remove Programs. You'll have a box with several tabs on the top. Click the one marked Windows Setup. You'll see a list of Windows features. Click the one marked Accessories. There you'll find the Windows Scripting Host. If there's a check mark next to it, then it's installed. To uninstall it, uncheck the box and click OK.

I've gone wandering around on a Windows 2000-equipped computer, but can't find a similar uninstaller. At least, not yet.

Hiawatha Bray's digitalMASS software column runs every Monday. He is also a technology reporter for The Boston Globe, and writes his Upgrade column every Thursday. His e-mail address is bray@globe.com.

http://www.digitalmass.com/columns/software/

-- Martin Thompson (mthom1927@aol.com), May 08, 2000

Answers

Great tip. Everyone should remove the scripting host on their Windows.

Here it is in a more succinct form.



-- spider (spider0@usa.net), May 08, 2000.

Netscape users were also affected by the virus, but Netscape didn't let the virus propagate by sending out email copies of itself. However, if the Windows Scripting Host is installed and Netscape recognizes it as an application, then when the user opened the attachment Netscape passed the file on to Windows Scripting Host to process it. On those machines, the virus still messed up the Windows registry, copied itself into graphics and music files, etc., wiping out files.

To protect yourself from this type of thing in the future, in Netscape do:

1. Click Edit
2. Click Preferences
3. Click the + in front of Navigator
4. Click Applications
5. Scroll through the list looking for Vbscript
6. If you find it, Click on VBSCRIPT to highlight it
7. Click Remove
8. Next scroll through the list looking for Jscript or javascript
9. If you find it, Click on it (Jscript or javascript) to highlight it
10. Click Remove
11. Click OK

This makes vbscript and jscript unrecognizable to Netscape and it will not automatically pass it on to Windows Scripting Host. In the future if you click on an attachment with a .vbs or .js file extension, Netscape will prompt you that it doesn't recognize the file type and can't automatically process it. If you really want to run one of these scripting files, save the attachment in a file and then explicitly run Windows Scripting Host (wscript.exe) on the file. But know where the file really came from and whether it's safe before running it in Windows Scripting Host.

slza

-- slza (slzattas@erols.com), May 08, 2000.
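
The advice above turns on the .vbs and .js extensions that a mail client hands to Windows Scripting Host. As an added example (not part of the thread or the column), this Python check applies the same idea before the message reaches a user: it parses a MIME message and lists the attachments whose final extension is a script type. The function names, the extra extensions beyond .vbs and .js, and the sample message are assumptions made for the illustration.

```python
# Added example (not from the thread): flag attachments that WSH would run.
from email import message_from_bytes, policy
from email.message import EmailMessage

# The thread names .vbs and .js; the others are the remaining standard
# Windows Script Host file types (assumption: a gateway blocks them all).
WSH_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def final_extension(filename):
    """Return the extension Windows acts on: the last one, lower-cased.

    Trailing dots and spaces are dropped because Windows ignores them,
    so "a.vbs. " still opens as a .vbs file.
    """
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def script_attachments(raw_message):
    """Return the filenames of all MIME parts that WSH would execute."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        filename = part.get_filename()  # Content-Disposition, else Content-Type name
        if filename and final_extension(filename) in WSH_EXTENSIONS:
            flagged.append(filename)
    return flagged


def build_sample():
    """Constructed message for the demo, not a captured sample."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("notes.TXT.vbs", "readme.txt", "update.JS"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(script_attachments(build_sample()))
```

Matching on the last extension rather than the first is what catches a name such as notes.TXT.vbs, which looks like a text file when extensions are hidden.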

