Contagion: Why Our Dependency on Microsoft Makes Us Susceptible
by Gene Spafford
05/22/2000
Noted journalist and Internet activist Jim Warren
posted a message which appeared on Dave Farber's Interesting
People (IP) mailing list. An excerpt follows:
They should start labeling them what they are: "Microsoft Outlook Express
virus" or "Microsoft Explorer virus" or "Microsoft Word macro virus
(reputedly the single largest source of viruses for years!)."
Or more briefly -- and accurately -- just call each one, "the latest
Microsoft virus."
(The media) should stop mislabeling computer viruses by their *innocent* carrier
-- the Internet.
Warren's post prompted Gene Spafford to forward a message that
he had written for Purdue's campus security mailing list (Spafford,
in addition to being an O'Reilly author and expert on computer security matters, is the campus ISSO, among other
things).
Several of you have taken me to task for my comments about Microsoft software quality. I don't say these things to bash MS -- I say them based on over a dozen years of experience and research in infosec issues. Quite simply, Microsoft is the vendor that is putting arbitrary scripting commands into their email clients and servers, Microsoft products are ones that continue to exhibit security flaws and problems known to researchers for decades, and it is Microsoft's design decisions and products that result in problems such as Melissa, the "love bug," and a myriad of computer viruses. Couple this with the nearly total Windows population in some environments, and we have an extremely volatile situation.
Ask any biologist, doctor, historian, or agricultural specialist: what happens when you introduce a severe contagion into a monoculture population with little natural resistance? You get pandemic -- widespread infection and damage. Whether it is measles and smallpox killing something like 90% of the Aztecs, Dutch Elm disease destroying a mainstay of the American forest, or ILOVEYOU in Outlook damaging files on machines worldwide, the result is a massive and quick-spreading epidemic.
Analyze statistics from anti-virus researchers, companies, and on-line documents. You will find that there are currently about 60,000 recognized computer viruses (not worms, such as Melissa or ILOVEYOU, but traditional viruses). Of these (as of this week):
- slightly less than 52,000 are viruses for DOS/Windows/NT platforms
- about 6000 of these are Word macro viruses
- about 150-200 of these are known to be widespread "in the wild"
- in 1999, approximately 650 new viruses were reported each month (more than 20 a day)
- 680 are for the Amiga
- A few hundred are for JavaScript, HyperCard, Perl, and other scripting languages. Few of these can spread beyond a few machines without active support of the users
- 150 are for the Atari
- 31 are native to the Macintosh, and only two of them are known to exist anymore
- 2 or 3 are viruses native to OS/2
- About 5 are for Linux/Unix/etc, but none have been found in quantity "in the wild", nor would they be likely to spread very far if they were "loose"
- None are for BeOS, ErOS, or other small-population systems.
So, over 85% of all the known viruses are for Microsoft platforms (nearly all the self-propagating worms are as well). The rate of new reports -- especially for macro viruses -- means that pattern-based virus detectors can never be up-to-date and provide 100% protection. (Note: I'm not trying to draw grand conclusions here about the reasons for this skew, but simply point out where the overwhelming threat is.) Fast-spreading, self-propagating worms using Outlook move so quickly that they are likely to be upon us before an anti-virus vendor can even get a copy to analyze.
The situation is made worse by Microsoft trying to minimize the scope of the problem and claim that they aren't responsible in any way. The MS spin doctors are even attempting to blame the users! (One MS executive even claimed that we should beat our users to prevent problems such as the "love bug"). Microsoft employees and apologists are attempting to claim that these are problems that every software platform has, as if this somehow makes the gaping vulnerabilities less of a problem. This is simply not true -- you can't construct a "Melissa" or "love bug" worm without Outlook and MS Windows scripting host.
So, we need to do what we can ourselves to help our situation. What should you, as Purdue system and security administrators, consider doing?




