The following text is copyright 1999 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

Christmas in March?

by Scott Bradner

A dozen years ago IBM's corporate data network was hit with a computer virus which might have been the direct ancestor of the Melissa micro virus now providing managers of corporate data networks a bit of diversion. It does not seem like there has been much learning in the intervening years.

In mid December 1987 a German student wrote a little program to draw a picture of a Christmas tree on an IBM terminal and sent it to some friends in an email message. But this little program had a hidden feature. It looked for a file of email aliases on the user's disk. If it found such a file it sent copies of itself to everyone listed in the file. If some of the entries in the alias file were mailing lists, then everyone on the mailing list would get a copy. The exponential explosion in the number of copies of the resulting email message quickly overwhelmed email servers wherever the message propagated. One of those places was the IBM corporate data network, which had to be shut down for a number of hours to clear the problem.

If this sounds familiar it is because the Melissa virus that showed up a few weeks ago does basically the same thing. Melissa has one additional feature, it infects the user's own files so that if the user subsequently sends one of these infected files to a friend the problem starts up all over again. The effect was also the same with many corporate mail servers swamped and several large companies disabling all email for a time.

The same two system features are exploited in both of these cases. First, one user can email an executable file to another user, written in an IBM scripting language in the first case and Microsoft Word macros in the second case. Second, users in both of these types of systems tend to keep large email alias files.

Considerably more thought has to be given to how to confine the ability of Word macros to modify their environment. I find it hard to understand why macros are permitted to modify the security protections against macros for example. This is something that Melissa does.

Melissa seems to be benign, with the clogging of servers its major effect. But what if Melissa twiddled every millionth bit on your disk, causing programs to randomly fail and data to be corrupted?

Word and other program macros have been the vehicles for a number of recent PC viruses. When is Microsoft going learn from history and get really serious about analyzing the vulnerabilities that the macro feature adds to the system and go about eliminating the vulnerabilities once and for all?

disclaimer: History is one thing that Harvard has lots of and sometimes leans from but the above is my history lesson.