Love, Microsoft

May 9 2000 9:00 PM

Who's to blame for the "ILOVEYOU" virus? Who else??

See below for Microsoft's response.

Here's some instant mythology surrounding the "ILOVEYOU" virus:


  • It attacked computers.
  • Any technology can be used for good or for evil.
  • It was spread by careless, ill-educated (and love-starved!) consumers, who clicked where they shouldn't have.

In reality, of course, the virus attacked and exploited software, not the computers themselves. That may seem like a pedantic distinction, and it's true that these days the line between hardware and software can be fuzzy. But computers themselves can have bugs, and they can have security holes, and that wasn't the case with the "love bug." In fact, the virus targeted the Microsoft Windows Scripting Host, Microsoft's Outlook mail program, Microsoft Internet Explorer, the Microsoft Windows Address Book, and the Microsoft Windows registry. It propagated by means of security flaws created by Microsoft software engineers. No one running MacOS or Unix could have spread this virus or any virus like it.

Microsoft's public comment has run: "There's always the potential for misuse. More important than the technical side of this is the human side. It's not something technology is ever going to be able to solve." It's a cliché that technology is value-neutral—a cliché employed in the service of a variety of causes. There's always some truth to the idea. Nuclear fission is just what it is, a piece of physics. Guns don't kill people, people kill people. But we're allowed to notice when particular technologies are especially dangerous. Some technologies actively invite misuse.

So here's what the ILOVEYOU virus did, and here's why it shouldn't have been able to:

  • It looked up some settings in the registry, Windows' core database of system settings, and then it changed those settings. For example, by default, scripts are given only 10 seconds to do whatever they do. So this script began by looking up this "timeout" feature and turning it off. Oops! Scripts shouldn't be allowed to override settings that control those same scripts.
  • Then it changed some more registry settings, with statements like regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs", which instructs the system to run a new script every time it starts up. Scripts shouldn't be allowed to alter anything in the registry—not without direct approval from a system administrator and especially not from inside an e-mail message. Microsoft knows this, in principle: Look here, for example. But it chose to leave the door open.
  • Then the script changed the start page of the (Microsoft) Web browser. In fact, it pointed the browser not at a Web site but at an executable file: regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"," MTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe". No! Don't go there. (Sure enough, the function of this program was to sniff for passwords.) It would be safer to require user intervention before changing the browser's start page. But Microsoft wanted to make it easy for companies like, oh, Microsoft, to change your start page for you.
  • In a subroutine cunningly titled "sub infectfiles," the virus copied itself—a nice, compact little script, after all—to files all over the user's hard disk, deleting some files and sneakily renaming others. Now, this is suspicious and dangerous behavior. An operating system has to support the deletion and renaming and alteration of files, but it doesn't have to give this capability to scripts—little programs run from inside e-mail messages or through the Web browser. These powerful abilities came with the Windows Scripting Host, not a part of Windows 95, but added to later systems, including any that got Internet Explorer Version 5. (Maybe the ILOVEYOU author read Microsoft TechNet's article on "Leveraging the Power of the Windows Scripting Host." "The script we've demonstrated may be the foundation for a greater task," it concludes cheerfully. "Once you've located a file, you may wish to perform a file copy or an FTP process.")
  • Finally, as we all now know, the virus performed a mass mailing of itself to everyone in the user's Outlook address book. Cute, and sometimes Microsoft customers do need to send mass mailings, but they don't need to be able to do it with scripts running from inside e-mail messages. Not ever. Close that door.
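The two registry writes quoted in the list above are the kind of change a defender can triage mechanically. The following is an added example, not part of the original article: it flags autorun values that point at a script and a browser start page that points at a program file. The sample writes, the C:\WINDOWS\SYSTEM path and the example.invalid host are constructed for illustration; the extension lists are assumptions and not exhaustive.

```python
import ntpath
from urllib.parse import urlsplit

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
PROGRAM_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd"}
HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
RUN_KEY = r"software\microsoft\windows\currentversion\run"
START_PAGE = r"hkcu\software\microsoft\internet explorer\main\start page"


def normalize(path):
    """Lower-case a registry path and collapse long hive names to hklm/hkcu."""
    hive, _, rest = path.strip().lower().partition("\\")
    return HIVE_ALIASES.get(hive, hive) + "\\" + rest


def ext_of(data):
    """Extension of the file a value points at (URL or Windows path)."""
    target = data.strip().strip('"')
    if "://" in target:
        target = urlsplit(target).path  # ignore host, query and fragment
    return ntpath.splitext(target.replace("/", "\\"))[1].lower()


def triage(path, data):
    """Return a finding for one registry write, or None if it looks benign."""
    norm = normalize(path)
    _, _, rest = norm.partition("\\")
    key, _, value = rest.rpartition("\\")
    # Limitation: only catches values that name the script directly,
    # not "wscript.exe <script>" style command lines.
    if key == RUN_KEY and ext_of(data) in SCRIPT_EXTS:
        return "autorun-script: %s -> %s" % (value, data)
    if norm == START_PAGE and ext_of(data) in PROGRAM_EXTS:
        return "start-page-executable: %s" % data
    return None


# Constructed sample writes (path, data); not captured from a real system.
SAMPLE_WRITES = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",
     r"C:\WINDOWS\SYSTEM\MSKernel32.vbs"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",
     "http://example.invalid/WIN-BUGSFIX.exe"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",
     "http://www.example.com"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray", "SysTray.Exe"),
]


def findings(writes):
    return [f for f in (triage(p, d) for p, d in writes) if f]
```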

In recent years, Microsoft's designers have deliberately blurred the distinction between opening some data and running a program. To run Word, you no longer have to find the program and execute it. You can run Word indirectly, just by clicking on any Word document, identified by its filename, ending with the three-letter extension .doc. In the same way, if you click on a music file in the .mp3 format, you will execute a music player—by default, of course, Microsoft's own Media Player. Clicking on the virus launched the Windows Scripting Host because the file's name ended with the extension .vbs.

Which leads to one more lovely detail. Most of us rarely see those file extensions because the operating system hides them by default. That's another user-friendly feature: Instead of "Letter to Bill.doc," we see just "Letter to Bill." Speaking personally, I like this feature. I know that some security experts advise users to turn the feature off, but so far I've been willing to accept Microsoft's default setting and leave the extensions hidden. The ILOVEYOU virus exploited this by adding an extra fake extension to its name: "LOVE-LETTER-FOR-YOU.TXT.vbs." We users saw only the innocent-looking "LOVE-LETTER-FOR-YOU.TXT." The final, hidden, .vbs was the trigger.

Thus Windows gave us the worst of both worlds: It was smart enough to display and yet disregard the ".TXT" that would have started a harmless text editor. It was smart enough to conceal and yet execute the ".vbs." Microsoft should have been smart enough to take an obvious precaution in the first place: Prevent the creation of file names with double extensions. That kind of file name is a sure tip-off that someone is up to no good.
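The mismatch described above, between the name the user is shown and the extension Windows acts on, can be checked at a mail gateway. The following is an added example, not part of the original article: it splits an attachment name the way a hidden-extensions view would and classifies it. The extension sets and the verdict strings are assumptions of this example and are not exhaustive.

```python
import ntpath

# Extensions Windows hands to an interpreter or loader rather than a viewer.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd",
                   ".com", ".exe", ".scr", ".pif", ".hta", ".lnk"}
# Extensions users read as "just data"; used only to recognise the decoy.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".mp3", ".xls", ".htm", ".html"}


def split_name(filename):
    """Return (display_name, real_ext, decoy_ext) for an attachment filename.

    display_name is what a user sees when known extensions are hidden;
    real_ext is the final extension, the one that selects the handler.
    """
    # Windows ignores trailing dots and spaces when resolving a name.
    name = ntpath.basename(filename).rstrip(". ")
    stem, real_ext = ntpath.splitext(name)
    _, decoy_ext = ntpath.splitext(stem.rstrip(". "))
    return stem, real_ext.lower(), decoy_ext.lower()


def classify(filename):
    """Classify an attachment name as allow, quarantine or block."""
    display, real_ext, decoy_ext = split_name(filename)
    if real_ext not in EXECUTABLE_EXTS:
        # Covers ordinary documents and harmless double extensions
        # such as archive.tar.gz, where the final extension is not executable.
        return "allow"
    if decoy_ext in DECOY_EXTS:
        return "block: shown as '%s', runs as %s" % (display, real_ext)
    return "quarantine: executable attachment %s" % real_ext


if __name__ == "__main__":
    # Names taken from the article plus constructed ones.
    for sample in ["LOVE-LETTER-FOR-YOU.TXT.vbs", "Letter to Bill.doc",
                   "archive.tar.gz", "setup.exe", "report.PDF.EXE. "]:
        print("%-32r %s" % (sample, classify(sample)))
```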

Even after the fact, Microsoft continues to take a "Close the Barn Door" approach to security. It recommends with a straight face that users now delete all e-mail messages with the subject "ILOVEYOU." And the Microsoft Web site stresses (here):


