Security of Microsoft’s Products Is Questioned


The Melissa virus that has been tying up computer systems around the world is just the latest in a string of attacks on Microsoft software and has raised questions among security experts about Microsoft’s ability to protect its customers.

The security holes in Microsoft’s Windows NT, Office and e-mail software are especially troublesome given those products’ rapid spread throughout the corporate world, in many cases pushing aside more mature and secure but expensive systems based on Unix.

Microsoft is a popular target for such attacks because the company is disdained by many hackers and its products are widely used, but experts say the company has also made its software vulnerable by introducing new functions before they are properly debugged and not educating consumers about the potential hazards.


Melissa should be particularly worrisome to computer users and corporate administrators, experts said, because it represents a new trend in penetrating corporate systems. It attacks the more vulnerable individual users’ desktops rather than taking the more traditional approach of breaking into central computers that control the networks.

“People are getting at a corporation’s information through the client [desktop],” said a hacker who identified himself as Weld Pond. “Windows 95 doesn’t even have a security model.”

Pond, a member of L0pht, a group that has had great success cracking Microsoft software, said Microsoft’s approach to creating mini-programs called macros is an example of the kind of code that has not been well thought out.

A macro is essentially code that puts the computer through a series of routines--forwarding an expense report through the proper channels, for example. The Melissa virus uses that capability to order a computer to send a list of pornographic Web sites to those listed in a computer’s e-mail address book.

Pond said the problem with Microsoft’s approach to security is that users who receive an e-mail containing a macro are only given the choice of activating the macro or not activating it. “You can’t tell the system to open the program but don’t give it access to my system,” Pond said.

By contrast, Pond pointed out that in designing the Java language, Sun Microsystems used a “sandbox” approach that largely prevents a Java program downloaded from the Net from interfering with the rest of the computer’s operations. That has all but shut hackers out of using Java to infect computers.

Joe Wells of Thousand Oaks maintains Wild List, a catalog of active viruses. Wells said that close to half of all new viruses are hidden inside macros. “It is by far the fastest-growing group,” he said.

Microsoft said it will continue to use macros because they are popular among corporate users. “Our customers have told us that the macro language is important to them,” said George Meng, group product manager for Microsoft Office.

Meng said consumers can avoid problems by clicking “disable” when presented with an unfamiliar macro. Meng said future versions of its Office suite of programs would be designed so network administrators could screen out macros that don’t come from specified sources.

But not all Windows security attacks rely on macros. A hacker group known as Cult of the Dead Cow released a program last summer called “Back Orifice” that can be sent to a desktop computer over the Internet, then used by a hacker to remotely control that computer.

In its effort to promote the use of macros, experts say, Microsoft hasn’t done a sufficient job of warning consumers of security dangers.

Since most consumers never use macros, for example, Microsoft could easily ship Office with the default setting on “off” for macros, but it doesn’t.

“If Microsoft shipped its products with the macros off, we’d probably all be fine,” said Alan Paller, director of research at SANS Institute, a Bethesda, Md.-based nonprofit group that provides security training. Microsoft “wants the product to be as powerful as possible,” Paller said. “But sometimes fixing it [for security reasons] hobbles it a little bit.”

“I don’t know what Microsoft could do other than say “no” to macros, and that is a big issue in marketing Word,” said Matt Bishop, an associate professor of computer science at UC Davis.

Yaro Charnot, chairman of Institute of Reverse Engineering, a Pasadena-based security consulting company, said there is a broader problem regarding Microsoft’s attitude toward security. Its e-mail program Outlook, for example, which was used by Melissa to spread the virus, contains lots of bugs that bring down the system frequently, making it particularly susceptible to viruses, Charnot said.

“Every time the computer crashes, that is an opportunity for a hacker to take over the computer,” he said.

Charnot said Microsoft’s system for reporting bugs is unfriendly to users, and the firm seldom acknowledges such reports. Frequently the bug is never fixed, Charnot said. “It seems as if it is Microsoft policy not to care about security.”

Security experts and hackers have repeatedly come up with serious security holes in Microsoft’s Windows NT software. One glitch, for example, allows a hacker to get into a corporation’s computer network, take on the role of network administrator and get access to users’ passwords and files.

Experts say Microsoft’s next version of NT could include even more serious problems because it includes many new lines of code.

“It’s a no-win situation from a security perspective,” Pond said.

Although Windows’ competitors such as the Linux operating system also have security problems, experts say those problems are easier to find because Linux’s underlying code is open for anybody to look at, unlike Microsoft Windows, which is proprietary.