Opinion: Office virus points toward a bigger hole

The software business is integrating and automating on sand, folks...


The software business was due a wake-up call, but it came from an unexpected direction. The Melissa virus might look like it was all Microsoft's fault, but although Redmond's obsession with integration, automation and Web-enablement was primarily responsible for the speed at which Melissa spread, Microsoft is by no means alone in its ambitions. On the contrary - everybody wants to make it easy for you, and hang the consequences.

The way Melissa works is simplicity itself. You open a file you were emailed, a Microsoft Office macro runs, and the email you got is sent on to 50 people in your contact book. So Microsoft's macro security is clearly grossly inadequate, and Microsoft Visual Basic for Applications, which can be used to perpetrate such deeds, seems pretty easy to turn into a runaway train the user has no way to control.

Consider the sort of things a virus like this could do and you start to think about Melissa as being pretty cuddly. And the more bits of your data and personal and financial information that get integrated and automated, the more nasty things a virus could do. Sure, it could trash your hard disk, but how about it buying a new car with your credit card and shipping it to Omsk? Maybe your credit card information isn't built into your machine, but on the other hand maybe that just means "secure electronic commerce" hasn't been integrated into your machine yet.

The reason we find ourselves standing on the edge of this particular precipice today is because software developers (and as I say, not just Microsoft software developers) think certain features are cool, and that they should try to make things easier for the user. Making it easier generally means progressively reducing the number of decisions the user has to make, and deciding for the user what is best for the user. So you're being dumbed down. But the security holes this process creates can be used by all sorts of different characters, not just those nice people who sold you the software.

In the near future, the software industry in general confidently expects, your software will just kind of update itself whenever it needs to and/or there's a new bug-fix or update out. You won't need to know about it, it'll just receive an alert, and next time you look it'll all be much more efficient and snappier (or more likely, puzzlingly fatter and slower). Do we trust the software industry to make this kind of process rock-solid secure?

Or more immediately, there are things like these little nagware browser windows that pop up every now and again encouraging you to upgrade to IE 5, Navigator 4.51 or whatever. Click yes to these and you'll go through to the vendor's site and start on a process where something out there helpfully installs files on your machine, optimises your settings and cleans up afterwards. But a growing receptiveness on the part of users to trust whatever it is out there that's monkeying with their machines isn't necessarily constructive, particularly as the checks and authorisations haven't been keeping pace with the process and are in any event not defences whose security you'd like to stake your life on.

And then there's the whole privacy issue, which shows how much the software business' thirst to connect things for a greater good has got out of sync with the rules of the game in the real world. They put in features because they're cool, because they're useful to the vendor, even (stretching it a bit) because they're good for the user, who doesn't want to be bothered with the details anyway. So stuff gets sucked off the machine and sent off somewhere - but where? It's obviously going to get worse, and although with every fresh exposure the software developers will issue fresh patches and promise to upgrade security, there's no obvious way to make the whole shooting match secure in the first place.

Stopping doing things in your application development that with hindsight turn out to be dumb is one thing, but the Web itself is quite another. As the years roll by we'll all be downloading and running lots more stuff from the Web, and we're going to know about less and less of it as we do so. So how much longer are the platforms we're using going to be able to cut it? ®
