.

Navigation  
Research  
Marketing  
Communities  
Net Tools  
Security  
Seminars  
Our Services  
Search  
.
Bookstore  

Check out our bookstore, operated with our associate, Amazon.com:
 
Update, October 2002: Since the article below was written, there have been two significant developments:
 
  1. Viruses using the weaknesses explained below, and similar Microsoft vulnerabilities, including Bugbear, have proliferated, causing enormous financial damage to tens of millions of computer users, and
     
  2.  Bill Gates has publicly admitted that Microsoft's approach to security has been seriously flawed, and has pledged to turn his company around. We hope that Mr. Gates follows through with his pledge, but his company's track record so far does not inspire excessive confidence.

Bubbleboy Virus Changes The Rules

A lot of misinformation is routinely spread about computer viruses (see the Computer Virus Myths page), but one thing used to be take-it-to-the-bank advice that you could always rely on:

The only way you could catch a virus sent by e-mail was through "opening" an attached file.

One public-spirited computer consultant even dedicated a whole web page to reassuring the public this. See The Truth About Computer E-Mail Viruses (the "truth," correct at the time, was that e-mail viruses could not spread except by opening attachments). 

This is not true any more, at least not if you use Microsoft's e-mail and browser programs. The new "Bubbleboy" virus is extremely infectious if you use MS IE 5.0 and Outlook or Outlook Express. Bubbleboy is yet another example of viruses that exploit poor programming in Microsoft products. 

It was bad enough already, as Microsoft Word users have already suffered for years through attacks from Microsoft Word viruses that can't infect any other type of word processor. See our section on MS Word viruses.

Now, however, it gets even worse. Microsoft's poor attention to security has opened the way to yet another new type of computer viruses, ones spread by e-mail that can do reproduce and do damage even without the user opening an attachment:

ZD-Net Story on Bubbleboy Virus

If you use Microsoft's Outlook Express program, it's still worse. Merely having a message appear in the "preview" window is enough.

The particular virus discussed in the news story above ("Bubbleboy") was relatively harmless. It was merely a "proof of concept" virus, like the first Word macro virus. We can expect much more harmful "payloads" to be included in future versions, just as we saw with the first Word viruses.

Remember the first Word virus? Microsoft insisted that it was not a virus, but just a "prank." This propaganda slowed the development and deployment of effective countermeasures. To this day, to my knowledge, Microsoft has never apologized for misleading people about the extent of the danger, nor expressly retracted its false statements that contributed to damage for so many Word users.

We can only hope that Microsoft will be more effective this time in preventing their consistently poor attention to security from again facilitating damage to millions of users of their products.

A lot of people focus on Microsoft's hardball business tactics, and understandably so. In my view, however, these recurring security lapses are the real Microsoft scandal.

More information:

bulletNetwork Associates -- (McAffee Antivirus)
bulletVBS.BubbleBoy -- Symantec (Norton Antivirus)
 

homeresearch | marketing | communities |  net tools |  securitybookstore
Internet Tools for Lawyers
http://www.netlawtools.com


Webmaster
© 1996-2005 by Netlawtools, Inc. All rights reserved.