Chicago Tribune

The computer world is rife with grudges and conspiracy theories, and most of them trot out the usual suspect: Bill Gates, plotting “evil schemes” through his all-powerful software empire.

That same scenario now holds true in the fierce debate over the future of virus fighting after last May’s infamous “love bug” e-mail worm. That virus took only hours to span the globe, infecting millions of computers and wreaking as much as $10 billion in damage to businesses worldwide.

Although the panic in the news media quickly died down, computer security experts are still blaming the widespread attacks on the failings of Microsoft’s products, originally designed with an eye toward simplicity but at the expense, it turns out, of computer security.

Even though Microsoft sped the release of a patch on its Web site to close up the vulnerabilities in its Outlook and Outlook Express e-mail programs exploited by the love bug, critics blast the effort as too little and too half-hearted to prevent a much more damaging virus from striking corporate networks in the future.

And worse yet, they accuse Microsoft of having no interest in fixing the problem at all.

“Viruses will never be wiped out entirely, but they could be contained if only the computer industry, principally Microsoft, would set up some reasonable security precautions,” said George Smith, a computer security consultant and editor of the Crypt Newsletter, a popular online virus journal. “Unfortunately, it’s just not in their interest to make those necessary changes.

“Consumers still prefer easy-to-use programs and fancy settings over virus protection. And whenever a virus does slip through the gaping cracks in a program, the softwaremakers don’t get punished for the damage caused.”

One reason Microsoft focuses too little on virus protection, analysts say, is that it is not held liable when a virus exploits its programs to destroy a company’s computer files.

“When you read the licensing agreement before you break the wrapper or click on the ‘I accept’ button when you download software, you’re basically signing away any responsibility on the part of the softwaremaker,” said James Love, director of the Consumer Technology Project, a consumer watchdog group affiliated with Ralph Nader, presidential candidate of the Green Party.

In today’s competitive world, each new software product must be rushed onto the market, and it must include new and amazing features with each subsequent version to remain commercially successful, Smith added.

“They don’t have the time or incentive to protect against viruses,” he said. “And if they’re not held legally liable in any way, why should they bother?”

Furthermore, interest groups for the software industry are busy trying to strengthen those licensing agreements in court, pushing for passage of the Uniform Computer Information Transactions Act, a law that has been passed so far in Maryland and Virginia and is winding its way through legislatures in seven other states, including Illinois.

“If a cup of McDonald’s coffee scalds your skin, people immediately think of suing, but no one ever seems to think that way when it comes to their software,” said Richard Raysman, the senior partner of Brown Raysman Millstein Felder and Steiner LLP, an e-commerce law firm in New York. “And then companies use anti-virus programs as well, which are supposed to stop the viruses. It’s hard in court to determine who is to blame when something goes wrong. So bringing Microsoft to court for something like this is not really done.”

Smith insists the love bug worm could have been easily prevented and that softwaremakers had plenty of warning.

The Microsoft patch, if downloaded, prevents malicious programs from automatically sending their own e-mail messages on a computer. Thus future programs created by virus writers would not be able to access a user’s e-mail address book as the love bug did. The patch also prevents users from opening any attachments written in Visual Basic Script, a popular computer language for the latest wave of virus writers.

“But the Melissa virus took advantage of the same weaknesses 15 months ago, and Microsoft never released a patch until now, when it took another virus scare to do it,” said Sushil Jajodia, a professor specializing in computer security at George Mason University in Fairfax, Va.

The patch also leaves many vulnerabilities still in place, according to Eric Allman, chief technology officer of Sendmail Inc., the makers of the program that routes much of the world’s e-mail through the Internet.

“It’s like taking a building with 50 open windows, closing up three of them and saying everything is secure. It’s absolute nonsense,” Allman said.

And there is no telling how many will log onto the Web site to take advantage of the patch. Microsoft currently has no plans to include the added security features in future versions of Outlook, said Steve Lipner, manager of the company’s security response team. But he contended it was unfair for critics to pin blame solely on Microsoft and that it is next to impossible for any softwaremaker to deflect viruses completely.

Lipner also insisted that many of Microsoft’s customers still did not want to disable the automated functions they have grown to love, such as being able to open Word documents from their e-mail accounts.

“We are providing the patch to them only as an option because they still want ease of use,” he said. “The reason is that these actually are useful things. It is certainly a delicate trade-off between security and functionality, but this is the best approach.”

The love bug was the fastest and most damaging virus to date, three times more destructive than last year’s Melissa. But most anti-virus experts agree the technology of virus writing has hardly advanced at all since the days when viruses first began to infect personal computers in the late 1980s.

What has changed, though, is the seamless Information Age that has grown up around them and the super-fast information networks they can now take advantage of. In a world that places ever more economic dependence on computers, experts argue that software companies cannot afford to continue building a network high on cosmetics and low on security.

At first, it took years for a virus to infect a large number of computers, because it could travel only as fast as the people who unwittingly carried it on infected diskettes, said John Magnuson, a Chicago computer security consultant.

But now that most computer users exchange information with a button click, a virus can travel the world in seconds and become pandemic in hours on the backs of e-mail documents, spreadsheets and databases.

And because Microsoft products dominate the personal computer market, they have become the prime targets.

“We have only ourselves to blame for the situation we’re in. Everyone uses a computer, they all run on Microsoft, and most of them use the exact same programs,” said Fred Cohen, a virus researcher who originally penned the name “computer virus” in 1983 and was among the first to write about their potential threat.

“If you think in terms of biological viruses, we’ve given them a perfect environment in which to spread violently,” he said. “A potent virus can take down everything because we have no diversity in our systems. Microsoft had better live up to this responsibility and begin to take their customers’ safety into account.”

The lucrative anti-virus industry, which has grown into a billion-dollar business this past decade because of the virus scares that have touched down like clockwork each year, is also accused of doing little to help the situation.

“The anti-virus makers thrive off these mass panics, like the love bug and Melissa,” Magnuson said. “They make money whenever a new virus splashes onto the front pages. They have a stake in keeping viruses around and people scared.”

And Cohen, now a computer security researcher for Sandia National Laboratories in California, said the danger of viruses should only grow because anti-virus companies still employ traditional cures that are too slow.

Most anti-virus companies mainly sell scanning software that screens corporate networks for viruses that have already been discovered. But it can take as long as 24 hours for anti-virus writers to respond to new viruses. They also have shied away from “heuristic” software methods that try to predict which files are potential viruses and turn them back before they hit.

“It still takes way too long,” Cohen said. “If we continue to use these after-epidemic detection and cure methods, it is highly likely that very serious damage will result from a more malicious virus in the near future. Clearly, we need a better system than the one we use now.”

For years there has been talk of creating a “digital immune system” that would mimic the human body’s highly successful defense mechanisms and provide an impenetrable shield against viruses, said Graham Cluley, a spokesman for Sophos PLC, a British anti-virus vendor. But it still shows no signs of moving closer to reality.

“For some time to come, it seems we’ll just have to live with the status quo,” Cohen lamented.

So for now, the only sure preventive medicine against computer viruses for companies remains employee education.

“If lax software lets you gain access to computer viruses and your anti-virus software can’t provide an adequate barrier against new ones,” said Allman of Sendmail, “then you will have to teach your employees to watch out for themselves. They have to serve as their own security.”