Since 1971, when Ray Tomlinson sent the first true e-mail message between two ARPANET mainframes, electronic mail has gradually become as indispensable as the telephone for conducting business, communicating with friends and family, and reinforcing relationships. Unfortunately, this easy way for people to exchange information is also an easy way for computers to exchange data — data with the potential for wreaking havoc on your life. When you open your computer to the viral payloads and destructive worms that can be carried by e-mail messages, you risk losing your productivity, your personal data, your financial well-being, and possibly even your job. Knowing what the stakes are, who wouldn’t want to protect himself from the next virus, worm, or Trojan horse that spreads like a disease over the Internet?
In a perfect world, there would be no nasty code to worry about. But these things do exist, and their effects can be devastating. Just as it was hard for people in the early 20th century to fathom the abstract concept of “germs,” it can be equally difficult for us to wrap our minds around the fact that a relatively small bundle of computer instructions can cause a great deal of damage. First, it’s important to understand that viruses[1], worms, and Trojan horses are three very different things.
Sometimes all three kinds of beasties are called viruses, but this ignores the different ways they behave and are spread from computer to computer.
Obviously, the term virus is borrowed from the biological world. The metaphor is apt because both the living and digital versions behave in remarkably similar ways. When we think about malicious code, we can actually use several different metaphors to help us come to grips with the notion:
Biology: Once it is written and “set free,” malicious code becomes a living entity, doing what it was “bred” to do. We need to learn to recognize the genetic structure of each of these digital organisms, develop “cures” and inoculate our networks so we can prevent these dangerous bugs from turning our computers into their habitat.
The criminology perspective is a flight of fancy. In spite of some recent high-profile arrests, expecting the government to protect you from viruses is about as reasonable as expecting your local police department to guard your house round the clock. Just look at how well the government protects you from spam. It’s hard to sympathize with the person who says, “Bad code is wrong — I shouldn’t have to protect myself.” That’s like saying that car theft is wrong, and you should be able to leave your keys in the ignition of your unlocked SUV while you’re in buying Ringdings at the 7-Eleven. The reality is that it’s just too easy to spread bad code via e-mail, and too easy not to get caught. Yes — it’s a crime, yes — it’s gonna happen. But there are things you can do to stop it.
The biological perspective is more productive. It recognizes the autonomy of bad code that has been released into the wild. Though computer viruses arise from “genetic engineering,” they can often take on a life of their own. Like any disease, there is always a period of time between the point of first discovery and the development of an effective treatment. Even if you’re using antiviral countermeasures, there’s always a chance that you’ll be one of the first 100,000 victims of the next digital ebola. To use an alternate biological metaphor, high-risk sex with a prophylactic is still high-risk sex.
The climatology perspective seems to be the most useful way of looking at malicious code. We can’t control the people who are creating the viruses and the worms. We can’t put our full faith in most antivirus software, because it can’t defend itself against emergent threats. We know the bad code is out there, like a developing weather system or an overgrown Arizona forest at the height of a summer drought. What we don’t know is when the funnel will touch down or the lightning will strike.
When the nasty brown stuff hits the fan, you’ll be a lot better off if you take whatever steps you can to protect yourself. As with just about any topic, a little bit of history can go a long way toward helping you understand the current state of affairs.
In a nutshell, initially there was no e-mail; then, eventually, there was e-mail. Beyond this, a few details are worth exploring.
E-mail as we know it now really began in 1966 when ARPA researcher Bob Taylor talked his supervisor out of a million dollars to develop “network mail,” a way to send communications back and forth from ARPA installations. Most sources indicate that the first true e-mail was sent in 1972, which means that e-mail has been around about as long as Pong and HBO. Like today’s e-mail, network mail was a simple file transfer protocol that allowed small text messages to be sent to a particular person at (“@”) a particular host computer. Eventually the protocol was expanded to allow file attachments and basic message formatting. This model became the basis of probably the most important communication medium since the invention of the telephone.
In 1990, there were already 12 million e-mail accounts on the fledgling Internet. At the same time, proprietary e-mail systems such as CompuServe, AppleLink, and MCI Mail were growing in popularity. Eventually, private systems linked up through Internet conduits as the public Internet became more and more important and widespread. By the end of the decade, it was estimated the Internet was home to nearly 400 million people sending and receiving e-mail.
In 1992, Microsoft released Windows for Workgroups, the company’s first OS intended for networked computers. In addition to file and printer sharing, Windows for Workgroups also included a program called Microsoft Mail. This precursor to Outlook allowed users on the same local network to communicate with each other using a proprietary mail format.
Because all Microsoft Mail clients were peers, Microsoft made the assumption that all data moving around through its network could be trusted. This mindset continued as Microsoft added protocols like SMTP, POP, and IMAP. With the rise of Internet e-mail, virus coders discovered that Microsoft e-mail clients were particularly susceptible to attacks. Outlook clients were easy targets. This, along with the snowballing integration between desktop applications and the Windows OS, resulted in Windows becoming a sitting duck for viral potshots.
Two of today’s most popular e-mail programs are both descendants of Microsoft Mail: Outlook and Outlook Express. As you ponder this fact, we’d like to propose what we’ll call Rule Number One:
There will be other rules, but this is the whopper, the big kahuna.
As we’ve seen, Outlook and Outlook Express began with the assumption that all messages could be trusted. The software is also gullible to a fault. Fundamental design flaws cause it to trust just about any content by default, as well as perform actions as directed by others, without very much in the way of inhibitions.
More specifically, Outlook and Outlook Express are packed with “features” that were meant to provide “functionality” that Microsoft believed its users wanted. Many of these “features” allow messages and piggybacked attachments to execute code and interact with other programs. In a perfect world this would be fine, since all code would be benign and this interactivity would all be for the purpose of added efficiency and increased productivity. In the real world, it means one thing: malicious code.
Because of the embedded nature of Internet Explorer, Microsoft thought it would be a good idea to use the Explorer engine to allow Outlook and Outlook Express to display HTML-encoded e-mail messages. On the surface, this seems like a good idea. It allows images to be embedded directly into messages, allowing an e-mail to be as pretty as a web page. Unfortunately, it also means that e-mails can be peppered with code that can do some pretty destructive things.
One of the most common types of interactivity in web pages is Javascript. Javascript can do lots of very helpful things, such as download files, read and write cookies, spawn new windows, and so on. Unfortunately, all of these things can also be used to attack a computer. Cookies can be mined for information such as credit card numbers and other personal data. Javascript-enabled downloads can auto-execute and wreak havoc on a PC. Even if Javascript is turned off (as it is by default in Outlook), code can be embedded in certain HTML tags that will execute in spite of system settings.
Visual Basic is one of the more useful inventions for Windows developers. Unfortunately, it’s also very useful to virus writers. The majority of e-mail viruses are written in VB. Often, the file type of the Visual Basic script will be masked, so an attached file appears to be an image or movie file, but turns out to be a malicious script.
VB scripts, because they can take control of the operating system, have the greatest potential for damage on a Windows-based computer. They can delete files from a host’s hard disk, potentially hosing an entire system. In addition, VB scripting is easy to pick up, with a relatively low learning curve, meaning that it’s pretty accessible to “script kiddies” and younger, less responsible coders.
The “feature” that allows Outlook to display HTML formatting also means that special tags can be exploited to cause harm. One example is the IFRAME tag, which can be used to run an attached program. Naturally, if the attached program is a virus, or some other type of malicious attachment, this can wreak havoc on a user’s computer.
This is by no means a comprehensive list of the problems associated with Microsoft Outlook and Outlook Express. New weaknesses are being discovered on a weekly or even daily basis. Microsoft, to its partial credit, always tries to hurry out a patch to block each new threat. As one of our colleagues recently wrote:
Trust us. Today’s newly discovered vulnerability won’t be the last. Trust us.
On the face of it, this discussion so far may seem like just another anti-Microsoft rant, the bitter ramblings of yet another pseudo-techno-weenie [2] with an axe to grind. While this is undoubtedly true, we’re not alone in our belief that Outlook and Outlook Express are best avoided. Don’t take our word for it — look at what others have said:
“Microsoft’s own fundamental operating system principles of enabling data and programs to interoperate at a low level does provide unparalleled ability for programs to interoperate with each other, but it also offers crackers unparalleled access to break into your systems. ...Microsoft’s inter-application communication (IAC) leads to Outlook Transmitted Diseases (OTDs) such as Melissa and makes it possible to build Trojans such as QAZ.”
— Steven J. Vaughan-Nichols, October 2000, “Microsoft Security Holes”
“Microsoft Corp. released a security alert yesterday acknowledging a serious security hole in its Outlook Express e-mail client. ...Ironically, the security hole was found in code that is used by Outlook Express to generate a message warning users that problems occurred when trying to verify the authenticity of an incoming e-mail.”
— Paul Roberts, October 2002, “Microsoft warns of ‘critical’ flaw in Outlook Express”
“There’s a very good reason why Outlook has come to be nicknamed LookOut by seasoned users. Microsoft Outlook has a notorious security history with many a virus owing its ability to spread to Outlook’s ‘features’. Help slow the spread of email viruses and support software diversity by using another email program.”
—Timothy W. Macinta, “What Alternatives Are There to Microsoft?”
“We have to confront the reality: either email is broken, Microsoft’s email software is broken, or those two statements are the same. If it’s the middle statement, Microsoft and other vendors can close holes and improve filtering in their products. Email itself isn’t going to change. It’s too widely deployed. I still think a combination of steps will tame the spam epidemic, but we’re not there yet.”
—Kevin Werbach, August 2003, “Werblog Technology Analysis”
Much more could be said (and has been said) about Microsoft’s track record regarding e-mail security. The excerpts above are just a smattering of the criticism out there. We included them to emphasize the grave importance of the problems we’re describing.
In February 2002, Microsoft announced that, in response to global worries about security and privacy, it was “launching a company-wide effort called ‘Trustworthy Computing.’” Craig Mundie, Microsoft’s chief technical officer, emphasized that Microsoft had “completely refocused the company in a profound way to make Trustworthy Computing our number one priority, bar none.”
The industry’s response to Microsoft’s announcement was mixed. Microsoft’s usual proponents voiced the usual “me toos.” On the other side of the fence were the scoffers who pooh-poohed the announcement as just so much media hype. One of the most insightful responses came from PBS commentator and Microsoft critic Robert X. Cringely, who had the following to say:
“After years of watching their customers suffering billions of dollars in losses caused by security problems, why is Microsoft suddenly changing? Why now? ... I’d say that rather than marking a real change, this announcement is more a matter of executing a strategy that has been coming for a long time. It is neither a response to the insecure nature of Microsoft products or a PR move. Rather, this is Microsoft’s new way to get us all to buy more stuff.”
—Robert X. Cringely, January 2002, “Trust me, I’m From Microsoft”
The truth of the matter is, the majority consensus in the security industry is that Microsoft’s products are insecure by design, and never will be otherwise. In spite of the company’s hype about Trustworthy Computing, its software is riddled with holes that can be exploited to steal personal data, harm individual machines, or attack other people’s networks.
Since the Trustworthy Computing initiative, we have seen some of the worst e-mail worms and viruses to date, many of which (if not most of which) only affected people using Outlook and Outlook Express. Some examples include the Klez and SoBig worms.
In October 2003, more than a year and a half after the birth of Trustworthy Computing, Microsoft’s Steve Ballmer admitted to the company’s Worldwide Partner Conference attendees that “there is ‘much, much, much’ left to do to protect computer users from viruses, worms and other malicious software.” The same Washington Post article quoted the president of a local Bethesda Internet service provider as saying he is constantly “frightened of what’s around the next corner with Microsoft.... You wake up the next day and suddenly something isn’t working.”
Rule Number One has already been written on the wall:
Following this rule will protect you from about 90% of the threats out there. (At least the digital ones.) While we’re still wearing our bitter pseudo-techno-weenie hat, we might add Suggestion Number 1A:
This may seem a bit extreme, but using both a non-Microsoft e-mail client and a non-Microsoft operating system will protect you from almost all of the malignant code floating around the networks of the world. The two best alternatives to Windows are Linux and Mac OS X. The latter is pricey but very user-friendly; the former is free (or almost free) but has a steeper learning curve.
Here’s the reality: some of us are regularly forced by misguided bosses or underinformed IT administrators to use a Microsoft e-mail client. Many more of us have no choice but to use one version of Windows or another as our primary operating system. For those of us in either or both of these unfortunate predicaments, there are still measures that can be taken to further protect ourselves from jerks around the world who want to steal our data, mess up our computers, and make our lives a living hell. A few risk-abatement measures include the following:
(2) Install and use virus protection software on your PC. Make sure your system administrator is also running virus protection software on your company’s mail server. Set your virus software to update its virus definitions on a daily basis.
(3) Never open or run e-mail attachments that you are not expecting, especially from people that you don’t know. This is the computer equivalent of having anonymous, unprotected sex. Don’t do it.
(4) Even if an e-mail attachment is from somebody you know well, treat it with extreme caution if the attachment seems fishy, or if it’s obviously been forwarded a lot.
(5) Never, under any circumstances, open files of the type VBA or EXE unless you are absolutely sure of their origin.
(6) Turn off your preview panes. Many e-mail programs allow you to view the content of a message in a small pane of your main in-box window. The problem with this is that selecting a message causes it to be displayed in this preview pane. If you select the message, even to delete it, it could conceivably execute malicious code embedded in the headers or body of the e-mail.
(7) Disable any “bells and whistles” in your e-mail client that you don’t actually need or use. These include HTML rendering, Javascript execution, Java execution, and ActiveX capabilities. It’s a good idea to turn these off anyway, and enable them only for a message that requires them — and then only when you’re sure of the message’s origin.
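The risks described earlier (a script attachment masked behind an image-like name, an IFRAME or SCRIPT tag hiding in an HTML body) and the recommendations above (refuse executable attachment types, distrust active HTML) can be turned into a simple inbound check. The following is an added example, not code from the original article or from any mail product it discusses: a small Python scanner, using only the standard library, that parses a raw message and reports the risky attachment names and active HTML tags a mail gateway or mail client filter would want to flag. The extension lists, the regular expression, and the two sample messages are all constructed for this example and are assumptions about what a reasonable policy looks like, not a definitive list.

```python
import email
import re
from email import policy

# Attachment extensions that Windows runs directly when double-clicked
# (assumed policy list for this example; a deployment would tune it).
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "pif", "scr", "bat", "cmd", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta",
}

# Harmless-looking extensions that get paired with an executable one
# to mask it, e.g. "vacation.jpg.vbs" (assumed list for this example).
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "bmp", "avi", "mpg",
                    "mpeg", "mp3", "txt", "doc", "pdf", "htm", "html"}

# HTML tags that let a message body pull in or run code when rendered.
ACTIVE_HTML_RE = re.compile(
    r"<\s*(script|iframe|object|embed|applet)\b", re.IGNORECASE)


def attachment_findings(filename):
    """Return a list of human-readable findings for one attachment name."""
    findings = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return findings  # no extension at all: nothing to judge here
    ext = parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable attachment: {filename}")
        # A decoy extension right before the real one is the classic mask.
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            findings.append(
                f"masked extension (looks like .{parts[-2]}): {filename}")
    return findings


def scan_message(raw_message):
    """Parse a raw RFC 822 message and list every risky attachment or tag."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        filename = part.get_filename()
        if filename:
            findings.extend(attachment_findings(filename))
        if part.get_content_type() == "text/html":
            body = part.get_content()
            tags = sorted({m.group(1).lower()
                           for m in ACTIVE_HTML_RE.finditer(body)})
            for tag in tags:
                findings.append(f"active HTML tag <{tag}> in message body")
    return findings


def verdict(raw_message):
    """'quarantine' if anything was flagged, otherwise 'deliver'."""
    return "quarantine" if scan_message(raw_message) else "deliver"


# Constructed sample: an HTML body with an IFRAME plus a masked VBS attachment.
SAMPLE_MESSAGE = """\
From: someone@example.com
To: you@example.com
Subject: check this out
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="us-ascii"

<html><body><p>Look at this!</p>
<iframe src="cid:payload"></iframe>
</body></html>
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="vacation.jpg.vbs"
Content-Transfer-Encoding: base64

ZGVtbw==
--BOUNDARY--
"""

# Constructed sample: plain text, nothing attached.
CLEAN_MESSAGE = """\
From: colleague@example.com
To: you@example.com
Subject: minutes
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Minutes are on the file server as agreed.
"""

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(f"{name}: {verdict(raw)}")
        for line in scan_message(raw):
            print("  -", line)
```

Run it directly and the constructed sample is quarantined for three reasons (the IFRAME in the body, the executable extension, and the decoy .jpg in front of it), while the plain-text message is delivered. The check deliberately keys on the last extension rather than the first, because that is the one the operating system acts on; a filter that trusted the .jpg in the middle of the name would be fooled exactly the way a user is.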
The final recommendations involve a fundamental change in the way we approach e-mail. In addition to paying attention to the e-mail messages we receive, we also need to pay better attention to the messages we send out. It comes down to good Internet citizenship (or “netizenship”) and it can help make using e-mail a better experience for all of us. Here they are:
(8) Don’t send unsolicited attachments, and don’t forward indiscriminately. Establish a corporate file server and put files there, rather than e-mailing the same Word document to everyone in the company. Get out of the habit of forwarding every funny picture, scare story or joke to everyone on your mailing list. This incredibly bad habit can be really annoying to others, and is a really good way to spread viruses that may be lurking in the messages.
(9) If you suspect that your computer has been infected by a network- or Internet-borne bug, be considerate. First, “quarantine” your computer by unplugging every network and phone line to which it is connected. Second, shut down your computer and unplug it from the wall. Wait until a qualified person has checked it thoroughly before re-integrating yourself with any network, public or private.
Benjamin Franklin was being glib when he said, “In this world nothing can be said to be certain, except death and taxes.” But at least for the foreseeable future, there will always be crime, there will always be disease, and there will always be weather. We can add to those calamities the triple-threat of computer viruses, worms, and Trojan horses.
Creating and intentionally spreading malicious code is a crime, but if anything, it’s on the rise. Like biological bugs, computer bugs tend to run in seasons. Like the weather, they tend to come in waves. For example, you can expect a healthy cluster of e-mail worms with each discovery of YAWH (Yet Another Windows Hole).
It’s not a crime yet to unintentionally spread viral data. Yet. Though we haven’t criminalized ignorance, we can certainly prevent it. Taking a few important steps can help protect you and everyone in your address book from coming down with the latest digital flu. Changing e-mail clients is a critical first step. Becoming a good netizen is another.
David Baker is a former composition instructor and professional tuba player; he holds an MA in Linguistics and a BA in English. Baker has also spent 8 years in the field of interface design and multimedia development.