See below for Microsoft's response.
It's important to note that the virus payload cannot run by itself. In order for it to run, the recipient must open the mail, launch the payload by double-clicking on it, and answer "yes" to a dialogue that warns of the dangers of running untrusted programs.
Sure enough, the warning is explicit and prophetic. To activate the virus, at least some people had to ignore it. And sure enough, people ignored it all over the world. They ignored it inside Microsoft headquarters—we know this because the company mail servers were shut down intermittently over a two-day period and because some copies of the virus were inadvertently dispatched onward to the outside world.
How could people be so stupid? Simple. We've seen these fine-print warnings thousands of times. We've had to learn to click on past them. We've seen them whenever we display e-mailed pictures from our friends. The warning says to "be certain that this file is from a trustworthy source"—none too helpful when our trustworthy sources are being tricked into mailing us the virus. But the wording hardly matters; we no more read these warnings than we read the click-through agreements crafted by company legal departments.
The trouble is, Microsoft applies the same warning to the passive display of content and to active scripts allowed to delete files, alter the Windows registry, and send mass e-mail.
The ILOVEYOU vandal showed a sophisticated understanding of vertical integration, a fact of life in the Microsoft universe that the Department of Justice, too, has been zeroing in on. Many different pieces of the Microsoft jigsaw puzzle are now platforms for executing programs: the browser, the word processor, the spreadsheet, the e-mail client. They all work together, and they each perform the functions of an operating system. That can be really useful. It's also dangerous. So it's time for Microsoft to make some crucial distinctions. It's one thing to display data passively: present text, play music, show pictures. It's another to grant active access to the file system: delete data, alter program settings. A good, modern e-mail program needs to be able to display all kinds of stuff. But there must be limits.
As a matter of cultural style, it's odd that Microsoft has earned notoriety for laxness about computer security. The company is such a control freak, after all, in other domains. It may be in part because Microsoft itself likes to be able to do things to our computers from a distance. If you spend any time at MSN or Microsoft.com—even at Slate—you've noticed that you are often given a chance to "install and run" some ActiveX control or other, and you are invited to check a box that says, "Always trust content from Microsoft Corporation." These ActiveX controls can do anything, where Java, by contrast, was designed not to have unbridled access to the file system. Last year Microsoft got caught placing secret unique identifiers in Office documents and collecting associated hardware identifiers from across the Internet. Soon all Office users will be required to register their software, in the name of copy protection, and allow Microsoft to check remotely on where the software has been installed. The company has just patented a technique for installing software upgrades over the Internet, after consulting settings in the registry. All this middleware, all this powerful scripting, helps Microsoft check up on its users. Maybe that's why the company doesn't feel any great urgency about having us batten down the hatches.
I got my own copy of ILOVEYOU from a trusted friend, an Episcopal priest who often e-mails me pictures of his kids. By then I'd heard the news, so I carefully opened it for viewing. I'd like to say I was smart enough not to run the thing first, but the truth is just that I was lucky enough.