, SecurityFocus 2000-06-08
Redmond issues an anti-virus patch that could have hobbled LoveLetter. Experts say, better late then never.
“
Typically, hackers and virus writers find a way around these things.
”
Since the Melissa virus raged across the net in March 1999 by plundering Microsoft Outlook address books for email targets, some security experts have criticized the company for not infusing their nearly ubiquitous program with more security. When last month's LoveLetter worm spread worldwide using the same technique, Microsoft initially defended the security of their software, but soon announced that they were developing a patch to hinder the spread of malicious code at the cost of some functionality.
The
The patch also raises the default security level in which messages are viewed and prevents any program from accessing the Outlook address book, or sending email through Outlook, without a user first clicking 'yes' in a dialog box.
"This prevents the worm programs that automatically resend themselves by using email through Outlook," said Eugene Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS). "And depending on how the final patch was written, it may prevent other bits of malware from automatically and transparently sending out email." But Spafford points out that slower-spreading macro viruses hidden in Word and Excel documents are not affected by the patch. "It isn't going to stop the whole class of problems."
Not everyone is optimistic that users will embrace the new patch. "If there's a way to turn it off, then they will," said Shane Coursen, a board member of the WildList Organization International, a seven-year-old volunteer group that tracks computer viruses worldwide. "And if that's being pessimist, I've just been in the industry so long that I know that if there were a magic bullet that it would already have been invented."
"I think it's a great first step. It will help minimize the spread of a lot of these fast spreading viruses," says Sal Viveros, director of NAI's McAfee anti-virus company. But based on his experiences with other security patches, Viveros believes that most individuals and many small to midsize companies may never get around to downloading and installing the update. "Until people actually implement this, we'll still have an issue."
Even if the patch were to be widely implemented, Viveros has faith that other malicious coders will keep his company busy. "Typically, hackers and virus writers find a way around these things," Viveros said.
Spafford wonders aloud why it took two Outlook-oriented viruses for Microsoft to react. "The fact that it took two incidents, first Melissa and then something like 35 variants of the Love Bug, strikes me as waiting a really long time to realize that this is a problem."
A Microsoft spokesman referred inquiries to the company
Editor's note: This story was updated June 8th, 9:51 PT to correct an erroneous description of the patch.
