New A brief summary of why Outlook has so many viruses.
1. Microsoft included VBScript and VBA in Outlook, as with any other MS-Office application. This in itself is not a problem, unless you see that they did not create a "Sandbox" to prevent people from writing virus-like code that other languages such as Java have.

2. Being the most popular platform Windows, and the most popular email client Outlook, makes them very popular with virus writers.

3. There is a big Anti-Microsoft movement out there in the hacker/cracker community. Many write viruses for the fun of it, or to try and do something. So they plan on hitting Microsoft because they don't like MS that much.

4. Many people have not applied the security patches that Microsoft has put out, or turn off their scripting so that the virus won't affect them. Due to this, there are more infections of the virus than should be.

5. Microsoft refuses to address the issues from my point #1, and only offers "Band-Aid" fixes that the hacker/cracker community can easily find a way around.

I hope this helps you. For my background I have done Visual BASIC programming for over 10 years, and I have developed a lot of VBScript and VBA code as well.

I wish that someone or some company can write an alternative to Outlook. Problem is that Microsoft apparently doesn't document how to connect to Exchange to write a client for Exchange. At least I haven't found out how to write one, and I've searched their MSDN and Technet archives. If there is a way, could someone please post it? Thanks.

"In order to completely solve a problem, you must make sure that the root of the problem is completely removed! If you leave the root, the problem will come back later to get you." - Norman King
New Re: A brief summary of why Outlook has so many viruses.
I'm more interested in the how's and why's of #1.
New How and why?
I think it probably dates to pre-Web pre-Internet time, all the way back to a concept Microsoft once had of "near real time" updates, where (as an example) sales people in the field would Email information and forms to a central location, the central location could massage the data, update databases, etc., and their sales people would get stuff back in return Email messages. (This was demonstrated in one of the few Developer Days I ever went to. Nowadays, for that scenario, you'd be updating things more directly via a Web page.)

That's probably where the idea came from, but it's obviously far from a description of where it went from there. I would guess that because they had done something like this before, they built the same type of thing with COM objects - and all the while, thinking about the benefits of being able to execute code out of mail, and not even thinking about the security problems inherent in getting untrusted mail.

By the time they realized the severity of the problems, it was really too late for them to do a lot about it. The code for executing stuff from Email (and, by then, other office components) was probably so tightly "integrated" with every component that it was probably logistically impossible to tear it out.

At least how I remember it from the 90's. If someone has a different explanation of how the entire mess evolved, I'd be interested in seeing it.
"Beware of bugs in the above code; I have only proved it correct, not tried it."
-- Donald Knuth
Edited by wharris2 Jan. 9, 2002, 04:28:48 PM EST
New Re: How and why?
That's about it: how does Java (or Unix or Linux or whatever) actually go about making a "sandbox" that the executables can't muck things up outside of it? I have kind of a vague idea, but nothing really technical.
New Re: How and why?
Here (http://java.sun.com/marketing/collateral/security.html) is a Sun white paper thingie.
The business end of the Java security model is conveniently described by using the metaphor of the Sandbox. The sandbox comprises a number of cooperating system components, ranging from security managers that execute as part of the application, to security measures designed into the Java Virtual Machine (JVM) and the language itself. The sandbox ensures that an untrusted - and possibly malicious - application cannot gain access to system resources.


Alex

Men never do evil so completely and cheerfully as when they do it from religious conviction. -- Blaise Pascal (1623-1662)
New Re: How and why?
In ActiveX, in order to draw a fish on your desktop, the object must have all permissions that you have. In Java, in order to draw same fish, the applet only has enough permissions to draw on desktop. ActiveX has all or nothing security model. Java could always do "some or all", and now it can do multilevel permission, depending on where the code comes from and who signed it.
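The distinction drawn in the post above (all-or-nothing versus permissions that depend on where the code came from), as an added example that is not part of the original thread: it models the policy lookup with the JDK's `CodeSource` and `Permissions` classes. The class name, the paths and the `allowed` helper are constructed for illustration, and no `SecurityManager` is installed, so the program only evaluates the decisions and enforces nothing.

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.cert.Certificate;
import java.util.List;

public class SandboxModel {
    // One policy entry: code loaded from `origin` receives `perms`.
    record Grant(CodeSource origin, Permissions perms) {}

    static CodeSource from(String url) throws Exception {
        // Unsigned code: no certificates are attached to the origin.
        return new CodeSource(URI.create(url).toURL(), (Certificate[]) null);
    }

    static Permissions perms(Permission... granted) {
        Permissions set = new Permissions();
        for (Permission p : granted) set.add(p);
        return set;
    }

    // Default deny: allowed only if an entry covers the caller's origin
    // AND that entry's permission set implies the requested permission.
    static boolean allowed(List<Grant> policy, CodeSource caller, Permission wanted) {
        return policy.stream().anyMatch(
            g -> g.origin().implies(caller) && g.perms().implies(wanted));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample paths; none of them needs to exist.
        List<Grant> policy = List.of(
            // Locally installed code gets everything (the all-or-nothing case).
            new Grant(from("file:/opt/installed/-"), perms(new AllPermission())),
            // Code that arrived from outside gets one scratch directory only.
            new Grant(from("file:/var/cache/downloaded/-"),
                      perms(new FilePermission("/var/cache/scratch/-", "read,write"))));

        CodeSource applet = from("file:/var/cache/downloaded/fish.jar");
        CodeSource local = from("file:/opt/installed/editor.jar");
        Permission writeScratch = new FilePermission("/var/cache/scratch/fish.png", "write");
        Permission readBook = new FilePermission("/home/user/addressbook.dat", "read");

        System.out.println("applet, write scratch file: " + allowed(policy, applet, writeScratch));
        System.out.println("applet, read address book:  " + allowed(policy, applet, readBook));
        System.out.println("local,  read address book:  " + allowed(policy, local, readBook));
    }
}
```

Code from an origin that matches no entry is denied everything, which is the default-deny half of the model.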
New VBA in Outlook.
Time has shown that scripting in a major application is always popular. Lotus 123 had its macros, for instance, and with them you could make your spreadsheet do magic things. Microsoft took up this baton with a vengeance in Word with WordBASIC and Excel macro language. Then Visual BASIC appeared and took off, and MS decided it would be good if they could "unify" all their macro languages behind this Visual BASIC.

The implementation has proved ... troublesome. Along the road to this unification, WordBASIC got so powerful that someone eventually wrote a virus in it (the famous "Concept" virus). At the time I was working with anti-virus software and it was very clear that Microsoft deliberately under-rated the threat of macro virii in favour of end-users being able to program their documents.

This attitude persists. Outlook was merely unlucky enough to be in the sights for VBA "unification" and thus email trojans came about. Microsoft persist with a perverse attitude towards security in their products, preferring to believe that all this automation makes for better applications. There are several stories about those championing security inside Microsoft finding it quite an uphill battle, and my impression of their response to security issues is of a grudging one.

Wade.

"All around me are nothing but fakes
Come with me on the biggest fake of all!"

New Their responses?
"and my impression of their response to security issues is of a grudging one."

Ho, ho, ho. Perhaps you formed this impression by the number of times they've gotten reports of a security problem, and then sat on it for an inordinate length of time until someone got tired of waiting for them to get off their duffs and publicized it? :-) Strange how quickly they seem to be able to develop, test, and deploy fixes after someone turns up the heat.
"Beware of bugs in the above code; I have only proved it correct, not tried it."
-- Donald Knuth
New Something like that.
Also how much prodding they need to even consider addressing security. Even now, they still refuse to properly fix the Macro virus problem, even after many experts have told them and the world at large what they need to do. Of course, the problem Microsoft (think they) face is that such measures would make Windows (slightly) harder to use for both J Random User and J Corporate User. Which, to Microsoft, is simply unacceptable.

Wade.

"All around me are nothing but fakes
Come with me on the biggest fake of all!"

     Outlook, Windows, and viruses. - (acagle) - (9)
         A brief summary of why Outlook has so many viruses. - (nking) - (8)
             Re: A brief summary of why Outlook has so many viruses. - (acagle) - (7)
                 How and why? - (wharris2) - (3)
                     Re: How and why? - (acagle) - (2)
                         Re: How and why? - (a6l6e6x)
                         Re: How and why? - (Arkadiy)
                 VBA in Outlook. - (static) - (2)
                     Their responses? - (wharris2) - (1)
                         Something like that. - (static)
