Opinion: Office virus points toward a bigger hole

The software business is integrating and automating on sand, folks...

The software business was due a wake-up call, but it came from an unexpected direction. The Melissa virus might look like it was all Microsoft's fault, but although Redmond's obsession with integration, automation and Web-enablement was primarily responsible for the speed at which Melissa spread, Microsoft is by no means alone in its ambitions. On the contrary - everybody wants to make it easy for you, and hang the consequences.

The way Melissa works is simplicity itself. You open a file you were emailed, a Microsoft Office macro runs, and the email you got is sent on to 50 people in your contact book. So Microsoft's macro security is clearly grossly inadequate, and Microsoft Visual Basic for Applications, which can be used to perpetrate such deeds, seems pretty easy to turn into a runaway train the user has no way to control.

Consider the sort of things a virus like this could do and you start to think about Melissa as being pretty cuddly. And the more bits of your data and personal and financial information that get integrated and automated, the more nasty things a virus could do. Sure, it could trash your hard disk, but how about it buying a new car with your credit card and shipping it to Omsk? Maybe your credit card information isn't built into your machine, but on the other hand maybe that just means "secure electronic commerce" hasn't been integrated into your machine yet.

The reason we find ourselves standing on the edge of this particular precipice today is because software developers (and as I say, not just Microsoft software developers) think certain features are cool, and that they should try to make things easier for the user. Making it easier generally means progressively reducing the number of decisions the user has to make, and deciding for the user what is best for the user. So you're being dumbed down. But the security holes this process creates can be used by all sorts of different characters, not just those nice people who sold you the software.
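The mass-mailing behaviour described above (one opened document, fifty messages out of one mailbox) is something a mail gateway can spot from the sending side. As an added example, not from the article, a small Python check over a constructed mail log flags any sender that reaches an unusual number of distinct recipients with the same subject inside a short window; the log format, addresses, subject line and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): a quiet office gateway
# plus one account that sends the same message to fifty contacts in under a minute.
# Line format (assumed): <ISO timestamp> <sender> <recipient> <subject>
def make_sample_log():
    base = datetime(1999, 3, 26, 14, 2, 0)
    lines = [
        f"{base.isoformat()} alice@example.org bob@example.org Re: budget",
        f"{(base + timedelta(minutes=5)).isoformat()} bob@example.org alice@example.org Re: budget",
    ]
    for i in range(50):
        t = base + timedelta(seconds=i)  # fifty sends spread over 49 seconds
        lines.append(f"{t.isoformat()} carol@example.org contact{i:02d}@example.org Important Message")
    return lines


def parse_line(line):
    # Subject may contain spaces, so split off only the first three fields.
    ts, sender, rcpt, subject = line.split(" ", 3)
    return datetime.fromisoformat(ts), sender, rcpt, subject


def find_mass_mailers(lines, window=timedelta(minutes=1), threshold=40):
    """Return {sender: (distinct_recipients, subject)} for every sender that
    reaches `threshold` distinct recipients with one subject inside `window`."""
    by_key = defaultdict(list)
    for ts, sender, rcpt, subject in map(parse_line, lines):
        by_key[(sender, subject)].append((ts, rcpt))

    hits = {}
    for (sender, subject), events in by_key.items():
        events.sort()
        # Slide a window forward from each event and count distinct recipients.
        for i, (t0, _) in enumerate(events):
            rcpts = {r for t, r in events[i:] if t - t0 <= window}
            if len(rcpts) >= threshold:
                hits[sender] = (len(rcpts), subject)
                break
    return hits


if __name__ == "__main__":
    for sender, (count, subject) in find_mass_mailers(make_sample_log()).items():
        print(f"ALERT {sender}: {count} distinct recipients, subject {subject!r}")
```

The threshold and window are tuning knobs; a mailing-list server or a genuine all-hands announcement will also trip this, so in practice it belongs in an alert queue rather than an automatic block.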
In the near future, the software industry in general confidently expects, your software will just kind of update itself whenever it needs to and/or there's a new bug-fix or update out. You won't need to know about it, it'll just receive an alert, and next time you look it'll all be much more efficient and snappier (or more likely, puzzlingly fatter and slower). Do we trust the software industry to make this kind of process rock-solid secure? Or more immediately, there are things like these little nagware browser windows that pop up every now and again encouraging you to upgrade to IE 5, Navigator 4.51 or whatever. Click yes to these and you'll go through to the vendor's site and start on a process where something out there helpfully installs files on your machine, optimises your settings and cleans up afterwards. But a growing receptiveness on the part of users to trust whatever it is out there that's monkeying with their machines isn't necessarily constructive, particularly as the checks and authorisations haven't been keeping pace with the process and are in any event not defences whose security you'd like to stake your life on. And then there's the whole privacy issue, which shows how much the software business' thirst to connect things for a greater good has got out of sync with the rules of the game in the real world. They put in features because they're cool, because they're useful to the vendor, even (stretching it a bit) because they're good for the user, who doesn't want to be bothered with the details anyway. So stuff gets sucked off the machine and sent off somewhere - but where? It's obviously going to get worse, and although with every fresh exposure the software developers will issue fresh patches and promise to upgrade security, there's no obvious way to make the whole shooting match secure in the first place.
Stopping doing things in your application development that with hindsight turn out to be dumb is one thing, but the Web itself is quite another. As the years roll by we'll all be downloading and running lots more stuff from the Web, and we're going to know about less and less of it as we do so. So how much longer are the platforms we're using going to be able to cut it? ®