Opinion: Office virus points toward a bigger hole

The software business is integrating and automating on sand, folks...

The software business was due a wake-up call, but it came from an unexpected direction. The Melissa virus might look like it was all Microsoft's fault, but although Redmond's obsession with integration, automation and Web-enablement was primarily responsible for the speed at which Melissa spread, Microsoft is by no means alone in its ambitions. On the contrary - everybody wants to make it easy for you, and hang the consequences.

The way Melissa works is simplicity itself. You open a file you were emailed, a Microsoft Office macro runs, and the email you got is sent on to 50 people in your contact book. So Microsoft's macro security is clearly grossly inadequate, and Microsoft Visual Basic for Applications, which can be used to perpetrate such deeds, seems pretty easy to turn into a runaway train the user has no way to control.

Consider the sort of things a virus like this could do and you start to think about Melissa as being pretty cuddly. And the more bits of your data and personal and financial information that get integrated and automated, the more nasty things a virus could do. Sure, it could trash your hard disk, but how about it buying a new car with your credit card and shipping it to Omsk? Maybe your credit card information isn't built into your machine, but on the other hand maybe that just means "secure electronic commerce" hasn't been integrated into your machine yet.

The reason we find ourselves standing on the edge of this particular precipice today is because software developers (and as I say, not just Microsoft software developers) think certain features are cool, and that they should try to make things easier for the user. Making it easier generally means progressively reducing the number of decisions the user has to make, and deciding for the user what is best for the user. So you're being dumbed down. But the security holes this process creates can be used by all sorts of different characters, not just those nice people who sold you the software.

In the near future, the software industry in general confidently expects, your software will just kind of update itself whenever it needs to and/or there's a new bug-fix or update out. You won't need to know about it, it'll just receive an alert, and next time you look it'll all be much more efficient and snappier (or more likely, puzzlingly fatter and slower). Do we trust the software industry to make this kind of process rock-solid secure?

Or more immediately, there are things like these little nagware browser windows that pop up every now and again encouraging you to upgrade to IE 5, Navigator 4.51 or whatever. Click yes to these and you'll go through to the vendor's site and start on a process where something out there helpfully installs files on your machine, optimises your settings and cleans up afterwards. But a growing receptiveness on the part of users to trust whatever it is out there that's monkeying with their machines isn't necessarily constructive, particularly as the checks and authorisations haven't been keeping pace with the process and are in any event not defences whose security you'd like to stake your life on.

And then there's the whole privacy issue, which shows how much the software business' thirst to connect things for a greater good has got out of sync with the rules of the game in the real world. They put in features because they're cool, because they're useful to the vendor, even (stretching it a bit) because they're good for the user, who doesn't want to be bothered with the details anyway. So stuff gets sucked off the machine and sent off somewhere - but where?

It's obviously going to get worse, and although with every fresh exposure the software developers will issue fresh patches and promise to upgrade security, there's no obvious way to make the whole shooting match secure in the first place.

Stopping doing things in your application development that with hindsight turn out to be dumb is one thing, but the Web itself is quite another. As the years roll by we'll all be downloading and running lots more stuff from the Web, and we're going to know about less and less of it as we do so. So how much longer are the platforms we're using going to be able to cut it? ®