Christmas in March?

Network World, 04/05/99

A dozen years ago, IBM's corporate data network was hit with a computer
virus that might have been the direct ancestor of the Melissa macro virus
that is now providing managers of corporate data networks with a bit of
diversion. It does not seem like there has been much learning in the
intervening years.

In mid-December 1987, a German student wrote a little program to
draw a picture of a Christmas tree on an IBM terminal and sent it to
some friends in an e-mail message. But this program had a hidden
feature in that it could look for a file of e-mail aliases on the user's
disk. If the program found such a file, it sent copies of itself to
everyone listed in the file.

If some of the entries in the alias file were mailing lists, then everyone
on the lists would get a copy. The exponential explosion in the
number of copies of the message quickly overwhelmed e-mail servers
wherever the message propagated. One of those places was the IBM
corporate data network, which had to be shut down for a number of
hours to clear the problem.

If this sounds familiar, it is because the Melissa virus that showed up
a few weeks ago does basically the same thing. Melissa has one
additional feature - it infects the user's own files. So if the user
subsequently sends one of the infected files to a friend, the problem
starts up all over again. The end effect has been the same as it was
with the Christmas tree program - many corporate mail servers have
been swamped and several large companies have had to disable all
their e-mail systems for a time.

The two viruses exploit the same two system features. First, one user
can e-mail an executable file to another user; the file was written in an
IBM scripting language in the first case and as Microsoft Word macros in
the second case. Second, users in IBM and Microsoft environments tend
to keep large e-mail alias files.

It's hard to determine how to confine the ability of Word macros to
modify their environment. For example, I find it difficult to
understand why macros are permitted to modify the security
protections against macros.

Melissa seems to be benign, with the clogging of servers its major
effect. But what if Melissa twiddled every millionth bit on your disk,
causing programs to randomly fail and data to be corrupted?

Word and other program macros have been the vehicles for a number
of recent PC viruses. When is Microsoft going to learn from history
and get serious about analyzing the vulnerabilities that the macro
feature adds to the system? When is Microsoft going to eliminate the
vulnerabilities once and for all?

Disclaimer: History is one thing that Harvard has a lot of and
sometimes learns from, but the above is my history lesson.