ISSUE 557: The high tech office- June
Virus vulnerabilities made easy by
potato, native to the Americas, arrived in Europe, farmers quickly
became more productive growing the new crop. Many started to rely on it
as their main foodstuff, replacing a wide range of former crops.
The new and improved diet made it
possible to support more people, until the spread of potato blight
wiped out the crop and led to famine.
History is repeating itself with the
widespread success of Microsoft's Office, its Word word
processor, Outlook e-mail software and other programs. Microsoft's
overwhelming market share has benefits for users, who can pretty much
take file compatibility for granted. And it's created an entire
industry making products to work with or enhance MS Office.
But, as with the Irish reliance on
potatoes in the 1840s, business reliance on a single product can lead
to disaster. Today's security problems are the result of
a series of well-intentioned but misguided design decisions made by
To understand the problem, we again
have to look back into history, to computer software in the mid-1980s.
Standard business applications included word processors such as
WordStar and Word Perfect and spreadsheets such as Lotus 1-2-3.
Power users made use of "macros,"
customized routines to automate repetitive tasks. But macros for Lotus
1-2-3 wouldn't work for Word Perfect and vice versa. This was initially
true for Microsoft's products as well, even after the company started
bundling Word and Excel together as its Office suite. But the company
promised to provide a universal macro language. It did, with Visual
Basic for Applications (VBA) offering a standardized format based on
Microsoft's popular and (relatively) easy to use Visual Basic
programming language. In fact, VBA offered most of the power of a
full-fledged programming language, disguised as a humble macro-editor.
Most users ignored this, along with
most of the other high-end features of word processors, spreadsheets
and the like. But, once again, the Internet changed everything. Now,
e-mail can spread documents worldwide. And with Microsoft Office and
Outlook as near-universal standards, almost everyone could run
documents containing Office-style VBA macros.
That changed the face of computer
viruses. Virus-writers discovered that Visual Basic macros embedded in
Word or Excel documents could spread themselves as soon as a user
opened the document. Typical Word macro viruses infect all the Word
documents on a user's system and can quickly spread across a company's
network. Just as individuals and organizations pretty much got a handle
on Word macro viruses, though, infections such as last year's Melissa
virus and the recent Love Bug started spreading, taking advantage of
similar vulnerabilities in Microsoft Outlook. And while Word macro
viruses had to wait for a user to unintentionally send an in-
fected document to someone else, these Outlook viruses take over the
user's e-mail address book and send themselves. The Love Bug reached up
to 26 per cent of worldwide Internet users, according to a survey
conducted by the Angus Reid Group and Symantec Corp.
Microsoft has recently posted
a security update for Outlook 98
and 2000 users at www.officeupdate.
The company notes: "This update limits
certain functionality in Outlook to provide a higher level of security."
In other words, it turns off the Visual
Basic Scripting functions that most users never asked for in the first
place. While this update was released in a reasonably timely fashion
following the Love Bug panic, it's been a year since the similar
Melissa virus attack. I can't help but wonder why it took this long for
Microsoft to take Outlook's vulnerability seriously.
The minority of users of non-Microsoft
systems, Apple and Linux users (and even Windows users
running other e-mail clients) find themselves in the position of an
1845 Irish farmer growing wheat. They can watch from a position of
relative safety while the Office and Outlook users around them suffer
from the blight. *