May 5, 2000 7:00 PM PDT
Virus hoax illustrates Microsoft email security issues
"Had this been a real virus, you would not be happy," it reads. The relieved user clicks "OK," and another box pops up.
"Deleting hard drive now...Just kidding," it says.
This message circulating around the Internet is the work of one Leigh Stivers, chief code architect for software firm DP Technology. He's trying to draw attention to a security hole in Microsoft's Outlook and Outlook Express programs that is potentially far more dangerous than the now ubiquitous "I Love You" virus.
The hole allows any email to be loaded invisibly with a destructive program that could go as far as wiping a person's hard drive. Unlike the Love virus or Melissa, programs that take advantage of this would have no attachment and would give no indication that they were anything other than ordinary email.
In addition, under Outlook's default settings, which allow people to see email with graphics and small embedded programs, the box can pop up in a "preview" pane even before a person knows the email is there.
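As an added example, not code from the original article or from Microsoft, the following Python scanner shows the check a mail gateway or client-side filter could apply to the kind of message described above: an HTML body carrying script or inline event handlers, with no attachment at all. The sample message and the function names are constructed for this illustration.

```python
"""Flag HTML mail parts carrying active content (script blocks, inline event
handlers, embedded objects) before a preview pane renders them."""
import email
from email import policy
from html.parser import HTMLParser

# Elements that can execute or load code when an HTML body is rendered.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}


class ActiveContentScanner(HTMLParser):
    """Collect tags and attributes that could run code on render."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}>")
        for name, _value in attrs:
            # Inline handlers (onload=, onmouseover=, ...) run without <script>.
            if name.startswith("on"):
                self.findings.append(f"<{tag} {name}=...>")


def scan_message(raw):
    """Return (findings, has_attachment) for a raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner = ActiveContentScanner()
            scanner.feed(part.get_content())
            findings.extend(scanner.findings)
    # Report both: the dangerous case here is active content with no attachment.
    has_attachment = any(p.get_filename() for p in msg.walk())
    return findings, has_attachment


# Constructed sample: an HTML-only message with no attachment whose body
# carries a VBScript block and an inline event handler.
SAMPLE = """From: sender@example.invalid
To: user@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body onload="doSomething()">
<script language="VBScript">' constructed placeholder, no real code</script>
</body></html>
"""
```

A gateway would quarantine or strip the flagged parts; a client-side equivalent is the same check applied before the preview pane is allowed to render the body.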
"The (Visual Basic) script can do almost anything, from erasing a hard disk to the same kind of thing 'I Love You' is doing," said Stivers, who wrote the code today to test his company's security. "We were amazed to see how open everything was in house here, and we take security pretty seriously."
Microsoft has defended its decision to leave default settings open in the interests of convenience, noting that concerned people can change the security settings to provide greater protection.
Computer experts say that Microsoft has simply made a choice that looks good to consumers, but which has dangerous ramifications. Programs such as Outlook, Outlook Express and Internet Explorer work closely together to create an email experience that is more rewarding than simple text.
But all of this has come at the expense of security.
"It's kind of a double-edged sword," said Elias Levy, chief technology officer of Web site SecurityFocus.com and moderator of the Bugtraq mailing list. "They're giving people a lot of room to hang themselves. And they do."
No widespread virus attack has taken advantage of this hole, which was identified some time ago, Levy said. But that could be only a matter of time.
Computer users can turn off the settings in Outlook that allow this kind of attack, but only at the expense of losing advanced features.
Problems like this are likely to be around as long as computer software developers compete to bring the newest and flashiest features to market, Levy said. Microsoft's software receives the most attention by virtue of its popularity, but it's a much wider problem, he added.
"Who wants to tell customers you can't have that new feature?" Levy said.