Opinion: Office virus points toward a bigger hole

The software business is integrating and automating on sand, folks...

The software business was due a wake-up call, but it came from an unexpected direction. The Melissa virus might look like it was all Microsoft's fault, but although Redmond's obsession with integration, automation and Web-enablement was primarily responsible for the speed at which Melissa spread, Microsoft is by no means alone in its ambitions. On the contrary - everybody wants to make it easy for you, and hang the consequences.

The way Melissa works is simplicity itself. You open a file you were emailed, a Microsoft Office macro runs, and the email you got is sent on to 50 people in your contact book. So Microsoft's macro security is clearly grossly inadequate, and Microsoft Visual Basic for Applications, which can be used to perpetrate such deeds, seems pretty easy to turn into a runaway train the user has no way to control.

Consider the sort of things a virus like this could do and you start to think about Melissa as being pretty cuddly. And the more bits of your data and personal and financial information that get integrated and automated, the more nasty things a virus could do. Sure, it could trash your hard disk, but how about it buying a new car with your credit card and shipping it to Omsk? Maybe your credit card information isn't built into your machine, but on the other hand maybe that just means "secure electronic commerce" hasn't been integrated into your machine yet.

The reason we find ourselves standing on the edge of this particular precipice today is because software developers (and as I say, not just Microsoft software developers) think certain features are cool, and that they should try to make things easier for the user. Making it easier generally means progressively reducing the number of decisions the user has to make, and deciding for the user what is best for the user. So you're being dumbed down. But the security holes this process creates can be used by all sorts of different characters, not just those nice people who sold you the software.
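The behaviour described above (one account abruptly sending the same message to around 50 contacts) is exactly the kind of burst a mail gateway can flag. The following is an added defensive example, not code from the original article; it assumes a constructed outbound-mail log format and constructed sample lines, and a sliding-window threshold chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Format assumed for this example:
# "<ISO timestamp> from=<addr> to=<addr> subject=<text>", one line per recipient.
# alice sends two ordinary mails; bob's account fires one subject at 50 contacts.
SAMPLE_LOG = (
    "2024-03-01T09:00:01 from=alice@example.org to=bob@example.org subject=lunch?\n"
    "2024-03-01T09:00:40 from=alice@example.org to=carol@example.org subject=lunch?\n"
    + "\n".join(
        f"2024-03-01T09:01:{i:02d} from=bob@example.org to=user{i:02d}@example.org "
        "subject=Important Message From bob"
        for i in range(50)
    )
    + "\n2024-03-01T15:00:00 from=bob@example.org to=dave@example.org "
    "subject=Important Message From bob\n"
)


def parse_line(line):
    """Return (timestamp, sender, recipient, subject) for one log line."""
    ts, frm, to, subj = line.split(" ", 3)
    return (datetime.fromisoformat(ts), frm[len("from="):],
            to[len("to="):], subj[len("subject="):])


def find_mass_mailers(log_text, window=timedelta(minutes=5), threshold=20):
    """Return {(sender, subject): peak distinct recipients within `window`}
    for every (sender, subject) pair whose peak reaches `threshold`.

    A sliding window over each pair's send times catches a Melissa-style burst
    (one message, dozens of recipients, seconds apart) regardless of how much
    ordinary mail the same account sends over the rest of the day.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, sender, rcpt, subject = parse_line(line)
            events[(sender, subject)].append((ts, rcpt))
    flagged = {}
    for key, sends in events.items():
        sends.sort()
        start, peak = 0, 0
        for end in range(len(sends)):
            # Advance the window start until sends[start] lies within `window` of sends[end].
            while sends[end][0] - sends[start][0] > window:
                start += 1
            peak = max(peak, len({r for _, r in sends[start:end + 1]}))
        if peak >= threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for (sender, subject), n in find_mass_mailers(SAMPLE_LOG).items():
        print(f"ALERT: {sender} sent '{subject}' to {n} recipients within 5 minutes")
```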
In the near future, the software industry in general confidently expects, your software will just kind of update itself whenever it needs to and/or there's a new bug-fix or update out. You won't need to know about it; it'll just receive an alert, and next time you look it'll all be much more efficient and snappier (or more likely, puzzlingly fatter and slower). Do we trust the software industry to make this kind of process rock-solid secure?

Or more immediately, there are things like these little nagware browser windows that pop up every now and again encouraging you to upgrade to IE 5, Navigator 4.51 or whatever. Click yes to these and you'll go through to the vendor's site and start on a process where something out there helpfully installs files on your machine, optimises your settings and cleans up afterwards. But a growing receptiveness on the part of users to trust whatever it is out there that's monkeying with their machines isn't necessarily constructive, particularly as the checks and authorisations haven't been keeping pace with the process and are in any event not defences whose security you'd like to stake your life on.

And then there's the whole privacy issue, which shows how much the software business' thirst to connect things for a greater good has got out of sync with the rules of the game in the real world. They put in features because they're cool, because they're useful to the vendor, even (stretching it a bit) because they're good for the user, who doesn't want to be bothered with the details anyway. So stuff gets sucked off the machine and sent off somewhere - but where? It's obviously going to get worse, and although with every fresh exposure the software developers will issue fresh patches and promise to upgrade security, there's no obvious way to make the whole shooting match secure in the first place.
Stopping doing things in your application development that with hindsight turn out to be dumb is one thing, but the Web itself is quite another. As the years roll by we'll all be downloading and running lots more stuff from the Web, and we're going to know about less and less of it as we do so. So how much longer are the platforms we're using going to be able to cut it? ®
