Fog Creek Software
Discussion Board

Stopping viruses

Just reading some stuff about MyDoom, and it occurred to me that Microsoft could slow the spread of viruses a lot if they just did one thing that would take about 20 minutes --

You should never be able to run any attached executable (.exe, .pif, whatever) by double-clicking.  It should be a requirement to have the computer knowledge to save it to a folder on your hard drive, find the folder again, and open it from there.  For any other type of file it is safe to double click.

Of course that wouldn't get rid of all problems, because some exploit vulnerabilities in the mail clients themselves, but I think 99% of the people who are spreading these attachment viruses are the type of people who don't know what a directory is.

Roose
Wednesday, February 4, 2004

http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=outlook+attachment+security+site%3Amicrosoft.com&btnG=Google+Search&meta=

Dennis Forbes
Wednesday, February 4, 2004

I run Eudora and it installs a shell extension so that even if I go into Explorer and navigate to my attachments directory, I can't execute a file from there without a warning.

Almost Anonymous
Thursday, February 5, 2004

Excellent idea Roose.  Outlook has done that for about two years now.

Unfortunately, obviously that idea doesn't work.  Send enough people a zip file, and a significant fraction will unpack it, save the executable to their disks and run it, even if the file is named "test.exe" and they have no idea who it came from or what it does.

It's kind of like the famous Linux virus:  "Hello, this is the linux virus.  Please make some harmful changes to your kernel source code, rebuild your machine, and then send this email to all your friends.  Thanks!  Signed, J Random Hacker" 

The thing is, we really can't blame the users who do that.  Users expect that in the normal operation of their machines, that stuff should just work and be secure.  And people consider clicking on random attachments in email to be "normal operation", so that's what we have to secure.

Outlook patches are not enough.  We need to (among other things) implement a policy-based code access security system deeply integrated into the core operating system, so that users can establish policies ONCE and have them enforced rigorously, rather than continually having to re-evaluate the hostility of a piece of code.  Users are very bad at making that evaluation.

Eric Lippert
Thursday, February 5, 2004

I think it just gives you a warning though, no?  It just says some crap about it being potentially harmful, but that is overused.  You can still open it anyway if you ignore the warning.

The point is that pretty much NOBODY except a programmer EVER has to send an executable over e-mail, and programmers usually find another way (ftp, etc).  The problem is that opening an executable is similar to opening a PDF or Word doc in Windows.  The average person doesn't understand the difference.  The warning makes no difference to users.

I've been surfing the net for 10 years pretty much EVERY DAY and I've NEVER gotten a virus from e-mail or the web, and I use Outlook Express AND Outlook both at home AND at work.  I don't get how all these people are spreading viruses.

People always blame the mail client but I don't think that's really the case.  It is pretty much the reckless opening of attachments.

Even if some people will unzip it and run it, I think that making it impossible to open executables directly from e-mail would cut down on this A LOT.  If this feature is already there, I haven't seen it on many people's machines that I've observed.  Maybe it is a configuration option that is not set up most of the time.

Roose
Thursday, February 5, 2004

> I don't get how all these people are spreading viruses.

You probably live and work in an environment where you have all the latest patches and updates applied as soon as they come out.

All those people are spreading "social engineering" viruses either by (a) not having installed any of the outlook security patches released in the last four years, or (b) deliberately defeating the security system as I described earlier. 

There are _millions_ of people like that.  More than enough to continue the spread of viruses indefinitely. This is a _huge_ problem.

So, unfortunately, your conclusion is incorrect.  We released the first outlook patch to make outlook behave as you describe in what, 2000? I think that's right.  And I think every version we've shipped since the Office 2000 service pack has had this on by default.  It's slowed the spread down somewhat, yes, but certainly hasn't stopped it.

What will stop the spread of viruses?  It's going to take a concerted effort on many interrelated fronts:

* deterrence: catch virus writers and punish them.  There are many technical and legal hurdles to overcome here.

* prevention: code-based security integrated into the operating system.  Heuristics to detect hostile code.  Increased adoption of signed code.  Better virus checkers.  Fewer users running as admin.  Lots and lots of work to do here!

* detection/analysis: better intrusion/tampering detection, better logging, better analysis tools.

* recovery: system restore, file systems with deep rollback logs, etc.

Stopping hostile code is not as easy as flipping a switch in outlook.  It is going to take years and cost billions to build a digital infrastructure as trustworthy and reliable as, say, the phone system.  When I pick up the phone, it's very rare that bored teenagers in China are suddenly able to  destroy my phone jacks!  But with email, people literally live in fear of the next email.  That has to end -- it is a massive brake on the hugely increased productivity enabled by digital technology.

Eric Lippert
Thursday, February 5, 2004

Points taken.  I am not as familiar with the exact ways that Outlook works as you are.  But let me still offer something from my user experience.

If you litter the OS with warnings that the user HAS to ignore, eventually he will ignore all of them.  (e.g. the warning about it being unsafe to send info across the Internet seems particularly useless to me).

What you're proposing are heavyweight engineering changes and process changes.  And those will probably be necessary to completely stop the problem.  However, they cost a lot.

What I'm saying is that usability (the focus of this board) is very powerful.  Even though Microsoft's products are generally pretty usable, they are pretty bad in terms of security.  Most people do not understand security.  The UI designers have not shown any particular awareness of this.  The stupid security certificate dialog in IE is a great example -- I'm a programmer and I still haven't bothered to figure out exactly what the dialog means.

My feeling is that defaults are very powerful.  You can rely on the novice not to change them.  What about this -- Outlook automatically _obliterates_ executables from attachments and zip files that are attachments.  If you want this feature, you have to go hunt in a menu 3 levels deep and check a box.  No novice will ever get that far.

This won't affect most users because as I said they have no reason to be sending executables through e-mail.

As for the updates thing -- I think I'm running bare Outlook 2000 from the CD I got back in 1999 (checked the about box, no updates listed).  Never had a problem.  The ONLY thing I do is install the latest service pack for the OS (that you definitely need).  I don't even install the intermediate updates, because they tend to mess up my PC.

I use OE all the time to read newsgroups, and used it for a long time as my main mail reader.  I also only updated the OS service packs (only started doing that around Windows 98SE though).

As a side note, it is atrocious what corporate IT does to your PC to "solve" these security problems.  My P4 3.0 GHz at work runs pretty much like my Duron 800 at home, and it is way less stable.

Anyway, something has to be done about this, and IMO the cheapest, most immediate solution is to improve usability in terms of security, which is a hard thing for most people to understand.  The other solutions you mentioned will be necessary, but they will take much longer.  And it seems like the virus/spyware problems are only getting worse and worse, despite Windows on the whole being more stable.

Roose
Thursday, February 5, 2004
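As an added illustration of the filter Roose proposes (stripping executables, including ones hidden inside zip attachments, the way MyDoom arrived), here is example code that is not part of the original thread or of any Outlook feature. It assumes a small, illustrative extension blocklist and builds its own constructed sample message; it uses only the Python standard library.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Small illustrative blocklist (an assumption here); a real client's list is longer.
EXEC_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs")

def is_executable_name(filename):
    """Match on the final extension, so 'photo.jpg.exe' is still caught."""
    return (filename or "").lower().endswith(EXEC_EXTENSIONS)

def executables_in_zip(data):
    """Names of executable members inside a zip payload (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if is_executable_name(i.filename)]
    except zipfile.BadZipFile:
        return []

def strip_executable_attachments(raw):
    """Parse a raw RFC 5322 message; replace executable attachments, and zips that
    carry executables, with a plain-text notice. Returns (message, removed_names)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    removed = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        offenders = [name] if is_executable_name(name) else []
        if not offenders and name.lower().endswith(".zip"):
            offenders = executables_in_zip(part.get_payload(decode=True) or b"")
        if offenders:
            removed.extend(offenders)
            part.set_content("Attachment %r removed by policy.\n" % name)
    return msg, removed

def build_sample():
    """Constructed test message (not a real worm): a zip hiding test.exe next to a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("test.exe", b"MZ placeholder bytes")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "test"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="test.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()

def remaining_attachments(msg):
    """File names still delivered as attachments after filtering."""
    return [p.get_filename() for p in msg.walk() if p.get_content_disposition() == "attachment"]
```

Running `strip_executable_attachments(build_sample())` removes `test.exe` (found inside `test.zip`) and leaves `report.pdf` in place.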

Doesn't do much to stop viruses that spread via .doc files does it though?

Mr Jack
Thursday, February 5, 2004

"The thing is, we really can't blame the users who do that.  Users expect that in the normal operation of their machines, that stuff should just work and be secure.  And people consider clicking on random attachments in email to be "normal operation", so that's what we have to secure."

For the past 20 years, there's been this push to turn the computer into an appliance that's no different than a toaster.  You don't need to know what an executable file is or why it might be bad to click on it.  You don't need to know about stuff like installing anti-virus programs, firewalls  or update patches.  No, you just click on stuff and it "just works".

And that's the problem.

Officer Robert Barone
Thursday, February 5, 2004

I'm sorry, but anybody infected with MyDoom deserves it. Their ISP should take them offline, and charge them a HUGE amount for this pleasure.

If I don't check the tires on my car, and the tread wears so thin I have an accident and run down a child, ignorance won't get me off. So why should it be any different here?

fw
Thursday, February 5, 2004

"You can rely on the novice not to change them.  What about this -- Outlook automatically _obliterates_ executables from attachments and zip files that are attachments.  If you want this feature, you have to go hunt in a menu 3 levels deep and check a box.  No novice will ever get that far."

You'd be amazed at what those same novices can accomplish given the right incentive: "Hey dude, check this out! I found the <insert celeb of choice> orgy vid. I thought it was fucked but the computer dudes around here found a way to watch it. Here's what you do: in the start thingy choose the run thingy. Type regedit ..."

Just me (Sir to you)
Thursday, February 5, 2004

> If you litter the OS with warnings that the user
>  HAS to ignore, eventually he will ignore all of
> them

This is very true.  Eventually I'll write a blog entry on this, but the gist of my comments can be found here:

http://blogs.msdn.com/ptorr/archive/2004/01/19/60352.aspx

This is why it is important to have a policy-based partial-trust security system -- so that users can express their opinions about security and then have them enforced silently, rather than expressing their opinions a hundred times a day while thinking about something else.  And so that ONE bad trust decision does not grant full administrative access to hostile code. 

Eric Lippert
Thursday, February 5, 2004

Blocking attachments is a hideous method of security, rather like stopping car accidents by immobilizing everybody's car engine.

Blaming users who don't apply security patches is a joke, especially when you see what they break if you install them all unthinkingly.

Stephen Jones
Friday, February 6, 2004

You didn't really read the comment, apparently.  It's not at all like stopping a car's engine, because that would prevent everyone from driving.

Eliminating executable attachments doesn't block anyone from doing anything, because the people who have reason to send executables know how to do so safely.  And it would be an option, like I suggested.

Roose
Friday, February 6, 2004

----" Eliminating executables attachments doesn't block anyone from doing anything, because the people who have reason to send executables know how to do so safely"-----

What, put a picture of a crash helmet as stationery!

Or perhaps I should just send the source code, and ask the recipient to recompile the kernel. Bit of a drag if they are using windows and have to recompile first, but who knows!

MyDoom comes off as a zip file anyway. Nobody I knew applied the service release until MS published a way you could take all files off their banned list.

Stephen Jones
Saturday, February 7, 2004

"If I don't check the tires on my car, and the thread wears so thin I have an accident and run down a child, ignorance won't get me off. So why should it be any different here?"

Your analogy is flawed because ensuring that tyres have adequate tread is actually not a cause of accidents, and thus educating people to do so will also not cause accidents.

You see, there's this special technique used by email applications to 'attach' files 'to' an email so that the files can be 'sent' to another person. Having spent many years teaching people how to use this feature it's unfair to complain that they're stupid because they use the feature.

No, seriously, it took years for many people to be taught to use the 'attachment' feature of their email program. To now start whining that people are doing what the product's creator told them to do is pretty stupid. The product should have been safe to start with.

But hey, it's easier to blame people who use a feature they were taught to use, rather than blaming the people who created a flawed and dangerous feature in the first place.

The Real Blank
Tuesday, February 10, 2004
