There but for the Grace of Bill....
Getting Down to that Crazy Nero Beat

It was so nice of the creator of the ILOVEYOU worm to write it in Visual BASIC Script (VBScript). After all, as a Linux advocate, I feel that even malicious code should be open source. It's part of my image as an Eric S. Raymond droog, you see, and I wear it proudly!

I spent a little time looking at the source code for ILOVEYOU yesterday afternoon. I was laughing out loud at the whole thing. The code is childishly simple, and is overtly marked in the MIME headers as a .vbs (VBScript) executable file. The comments made it seem as if it was written by someone in the Philippines, but there were also comments that had Arabic-sounding names in them. My guess is that both are phony, designed to give a false clue to anyone trying to trace the worm's origins.

What amused me most is that this creator of a malicious e-mail worm had misspelled the word "mail" repeatedly in the comments. They kept referring to it as "male," and it took me a while to figure out that their code really wasn't changing its behavior depending on the gender of the recipient. I realize the operating system shouldn't know that, but given that this worm runs on Windows, I would believe just about any surreptitious info collection by the OS.

As a Linux user, I gleefully quipped to anyone who'd listen that I was immune to anything written in VBScript. My wife, a longstanding OS/2 loyalist, positively cackled as she safely read her e-mail in Innoval's PostRoad Mailer. I'm sure FreeBSD, Mac, BeOS, Amiga, UNIX, and mainframe users around the world were doing the same thing as we all listened to the clueless journalists announcing a major, worldwide e-mail crisis. Nyah, nyah! Can't hurt us! Let their cities burn! We're enjoying the fiddle music from this Nero guy!

Well, my little droogies, we are all so busy whistling in the dark that we don't see the headlight of an oncoming train.
After these goofballs get tired of Windows, they'll turn their attention to Linux, and we will look even worse than Bill and the Boys from Redmond do today.

Let's get some standard disclaimers out of the way, before my fellow Penguinistas grab the ropes and torches and come banging on my door: Windows is a lame excuse for an operating system. Windows security is an oxymoron. Micros~1 Outhouse is the most vulnerable e-mail software ever written. Bill Gates rips the heads off live bats and feeds them to innocent children in famine-stricken countries, or so I've heard. Now that my pedigree as a true zealot is established, may I explain why Linux is just as vulnerable as Wintendo, and why we should be thankful to Mr. Bill for being our stunt double?

Worms, viruses, and Trojan horses aren't magical, and they aren't alive or self-aware. They are just programs, mere bits and bytes that have meaning to the operating system or CPU. As such, they can't do anything to the system just by existing on the hard drive. They have to be executed, have to gain control of the CPU. And there are only a few ways for that to happen.

For the moment, let's ignore the case of someone cracking a system from the network. No matter what operating system you're running, vulnerability to network attacks has more to do with an administrator who has--or does not have--a clue than with the quality of the operating system itself. But when malicious code enters a system from a Web page, or e-mail, there are really only two ways for it to be executed: automatic and manual.
How the ILOVEYOU Virus Works

We're all familiar with how Web pages that contain Java applets, client-side scripts (JavaScript or VBScript), or Microsoft CaptiveX components execute automatically when the page is downloaded. Control over these things can be maintained using the browser settings, proxy-based content filters, or the security features of the technology itself (e.g., the Java runtime's "sandbox").

E-mail is a different story, though. A plain-text, RFC822-compliant message simply can't hurt your system, no matter what it contains. I can put a script to format the hard drive right into a text message, send it to the world, and the only way anyone loses data is if they are stupid enough to manually copy the message to a script file on the hard drive and then run it, on purpose. In that case, they deserve what they get!

Real e-mail problems can only happen in attachments or in HTML formatted mail. An attachment, as you are probably aware, is a separate file that is embedded inside an e-mail. The MIME headers mark the boundaries of the file, which is often Base64 encoded to avoid problems with some mail relays. The headers also indicate the file type, which may be something as benign as "image/jpeg" or "text/plain" or as mysterious as the generic "application/octet-stream" type.

HTML e-mail is an atrocity of its own, at least the way it's currently implemented in Netscape and in Outlook. In both cases, the e-mail software displays an HTML view of the message by embedding the browser's page-rendering engine right into the e-mail window. That's an excellent reuse of complex code, and very friendly to the user. Unfortunately, neither program allows you to set separate security limits on HTML e-mails. When you download a Web page that may contain scripts or active content, you typically set security depending on the source of the page (at least, in the Microsoft world). For e-mail, though, which zone applies?
Personally, I would trust HTML from a spammer even less than I trust a generic Web site. When it comes to Web sites, I for the most part choose what sites I visit, and I don't visit sites I don't trust.

What's worse is that there is almost no way of avoiding opening HTML e-mail, at least in Netscape Messenger. The preview pane has already opened the page as soon as you select the incoming message with the mouse. Maybe you know it's spam, and you want to delete it. Just selecting it with the mouse to drag over to the trash folder momentarily opens the HTML page. If you deleted the message ahead of it (after reading it), Netscape opens the HTML message automatically as the "next" message in line. The only way I've found to delete a message without opening it is to select it with Control-Click after first selecting another message, then drag them together to the trash folder or select Delete from the menu.

So HTML mail has some ugly side effects, and they are largely the same on Linux as they are in Windows. The only difference is that Windows users have more choices of active content that can be sent inside an HTML message; the underlying problem is the same.

Now let's move on to MIME-based file attachments. When a MIME attachment arrives with an e-mail message (actually, within the message), it is up to the e-mail software and the user what to do with it. In Linux, those who use a graphical e-mail client are used to seeing the attachment as an icon, with menu options to save it to disk, delete it, or open it. Nothing happens without our deliberate action as a user. That's what protects most Linux users against malicious e-mail attachments: we're not dumb enough to open them unless we know what they are.
But Wait...Don't Linux Users Work with Attachments Too?

Guess what? No matter what you've heard about Microsoft Outlook, the situation is basically the same as it is in Linux. The difference is in the knowledge level of the user, not in the e-mail software itself. Windows users are naive about security, even after being hit time and time again with Melissa and all her sisters. They still are likely to double-click on an attachment, even if they have no idea what it is or what it does, and even if it's overtly marked as an executable program. That was the situation yesterday with ILOVEYOU, which is clearly marked as a VBScript executable. The message looked appealing, so users ran the script to see what it would do. They saw, all right, but by then it was too late. Zap!

Once the executable is running (under either Linux or Windows), the security features of the operating system can work to limit its damage potential. In Linux, unless you are running as root (a dumb thing to do), the worst you can do is to corrupt or delete all of your own files. The operating system, if properly configured, is mostly safe unless the attacker is very smart. Most of them aren't that good.

This is the same situation in Windows NT or Windows 2000. Windows 95 and 98, though, have no concept of file-level security and therefore any user can modify or delete any file in any directory. The "login" prompt that Windows 9x users see at bootup is a joke--it only captures the desired username and password for later access to network resources and to determine which desktop profile to load.

So Linux users have the right to be smug about security when compared to Windows 9x, but we still shouldn't feel invulnerable. Losing all your personal files isn't as bad as trashing the operating system, but it's no fun either. And, as I have shown, we Linux users are protected from that situation by our typically greater knowledge and a paranoia that comes from years of server administration experience.
Linux is hard to use, so "they" say, and therefore most people running it are techies. We know how to protect ourselves. But this situation will soon change.

Earlier in this article I said that we should be thankful to Bill Gates for being our stunt double. What I meant by that is that the current state of leading e-mail programs, from a security standpoint, is abysmal. This is true no matter which operating system you're using. By being the overwhelming market leader, Microsoft has graciously volunteered to take most of the hits from virii and worms. There but for the grace of Bill go we.

As Linux becomes more popular, and starts appealing to less skilled users, we are condemned to the same fate as the Windows community. More Linux users will attract more Linux attacks, because the people who write such code want to hurt as many systems as possible. The difference is that we will suffer more in the press and in the highly unfair court of public opinion.

The problem is that we Penguinistas have claimed for so long that our system is more secure. "We are open source," we explain, "so security holes are found and fixed quickly through peer review." Then we go on, "Besides, Windows 9x doesn't have user-level security. And Outlook and ActiveX are really vulnerable, but Linux doesn't use any of those bad technologies."

All of these claims are true, in my opinion. Open source does encourage peer review, both for security and for code quality. Outlook does automate things that should be manual, as do Word and Excel. Microsoft time and again trades a lot of security for a little user convenience. ActiveX really does have serious security holes; it was originally designed for component embedding within the local machine, and network/Web functionality was glued on as an afterthought.
The Solution: Rethinking Dynamic E-Mail

The problem is that none of these factors account for the way Melissa and ILOVEYOU and all the other e-mail worms wreak so much havoc. The source of the problem is in front of the keyboard, not inside the software. Nontechnical users see security as a nuisance, not a priority, and as these folks start using Linux we are in for the same trouble as the Windows users are experiencing now. When that happens--and it will happen unless we do something to prevent it--Linux will be held up to even worse ridicule than Windows is today.

People who run Windows excuse its vulnerability with a shrug: "Well, I gotta have [your-favorite-app-here], so whaddya gonna do?" Many of the Windows users realize it's a mediocre system, just as people who bought VHS knew that Beta was better. They put up with it because it's easier to swim with the current than to fight your way upstream. Linux won't have that kind of Teflon-like image protection.

When we in the Linux community advocate our favorite operating system, we are asking users to make a conscious choice instead of accepting the default. We are asking them to step out of the crowd, to accept a greater responsibility for the computing tools they use, to take an active part in their own destiny. In return, we offer them empowerment, freedom, and sharp, elegantly designed tools.

If Linux proves to have the same vulnerability as Windows, the novice users and the popular press won't care about all of that. They will decide that Linux is no better than Windows, really, and that people are better off with the devil they already know. Linux will be dismissed as another hype-wagon, sitting beside the road with a broken axle. It isn't fair, but it is exactly what will happen. The credibility of the open source movement will be crushed, just when we were beginning to be taken seriously by the suits in the boardroom.
We will have lost our best chance at the mainstream, perhaps our last chance, and it won't even be our own fault.

All of this means that we cannot rely on end users, especially novices coming from the Windows environment, to manage Linux security in e-mail or applications. The stakes are too high, and we cannot afford a major public debacle like ILOVEYOU or Melissa.

By making themselves such an obvious target, and by demonstrating again and again that they are not committed to improving security by taking it out of the hands of apathetic users, Microsoft is taking the fall for all of us. They are taking it on the chin right now, and in doing so they are buying time for the open source community to get ready for what comes next.

There is still time for Linux e-mail software to get smart about active message content. Let's get together and define a standard library interface for scanning arbitrary content. Pass it a file handle or pointer to an in-memory buffer, plus a MIME type string, and it returns a status code indicating that the contents are intrinsically safe (such as plain text or JPEG), that they are a potential risk (such as a Java binary) or that they are high-risk (such as Java code that opens local files or does other out-of-the-sandbox things). I'm not even saying that Linux has to implement these functions--just provide stubs in the default Linux installation, and leave it up to the distribution providers or third parties to implement the filtering. The e-mail software can let the user decide what to do with the results of the scan, and can refuse to let the user execute anything nasty. Anything that isn't intrinsically safe should never be automatically opened by the e-mail software, and it shouldn't be possible for the user to bypass this setting.
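The scanning interface sketched above, worked out as an added example; this is not code from the essay, which proposes only the idea. A function takes the bytes of one MIME part plus its declared type and returns one of three verdicts, and a mail-client-side routine walks a constructed message (Python's standard `email` package handles the MIME boundaries and Base64 decoding) and maps each verdict to an action with no user-configurable override. The function names, the `Verdict` enum, the rule tables, the sample message and its harmless stand-in attachment are all this example's assumptions. One check a practitioner would add that the essay leaves implicit: the declared MIME type is not trusted by itself; the file name and the leading bytes of the content get a say too, since a label is the cheapest thing for a sender to forge.

```python
import base64
import re
from email import message_from_bytes, policy
from enum import Enum


class Verdict(Enum):
    """The three status codes the essay asks the scanning library to return."""
    SAFE = 0            # intrinsically inert: plain text, a JPEG that really is a JPEG
    POTENTIAL_RISK = 1  # only dangerous if handed to an interpreter: static HTML, unknown blobs
    HIGH_RISK = 2       # executable or active content, or a type label that contradicts the bytes


# Assumed rule tables for this example, not a standard of any kind.
EXECUTABLE_SUFFIXES = (".vbs", ".js", ".exe", ".com", ".bat", ".scr", ".pif", ".sh", ".class", ".jar")
SCRIPT_TYPES = {
    "application/x-msdownload", "application/x-vbscript", "text/vbscript",
    "application/javascript", "text/javascript", "application/java-archive",
}
JPEG_MAGIC = b"\xff\xd8\xff"
ACTIVE_HTML = re.compile(rb"<\s*(script|object|applet|embed|iframe)\b", re.IGNORECASE)


def scan_content(data: bytes, mime_type: str, filename: str = "") -> Verdict:
    """Hypothetical library call: content bytes plus declared MIME type in, a Verdict out."""
    mime_type = mime_type.lower().split(";")[0].strip()
    name = filename.lower()
    # A name the shell would hand to an interpreter is executable whatever the label claims.
    if name.endswith(EXECUTABLE_SUFFIXES):
        return Verdict.HIGH_RISK
    if mime_type in SCRIPT_TYPES:
        return Verdict.HIGH_RISK
    if mime_type == "text/plain":
        # Text containing NUL bytes is not text; do not call it safe.
        return Verdict.SAFE if b"\x00" not in data else Verdict.HIGH_RISK
    if mime_type == "image/jpeg":
        # The label has to match the bytes, or the label is lying.
        return Verdict.SAFE if data.startswith(JPEG_MAGIC) else Verdict.HIGH_RISK
    if mime_type == "text/html":
        # Static markup may be displayed; markup carrying active content may not.
        return Verdict.HIGH_RISK if ACTIVE_HTML.search(data) else Verdict.POTENTIAL_RISK
    # Anything not positively identified (application/octet-stream included) is never "safe".
    return Verdict.POTENTIAL_RISK


def client_action(verdict: Verdict) -> str:
    """Mail-client policy over the verdict. Deliberately no configuration knob to weaken it."""
    return {
        Verdict.SAFE: "display",
        Verdict.POTENTIAL_RISK: "offer save-to-disk only",
        Verdict.HIGH_RISK: "refuse",
    }[verdict]


def scan_message(raw: bytes) -> list:
    """Walk every leaf MIME part and return (filename, declared type, verdict, action) tuples."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        payload = part.get_payload(decode=True) or b""  # decode=True undoes Base64 for us
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        verdict = scan_content(payload, ctype, filename)
        results.append((filename or "(inline)", ctype, verdict, client_action(verdict)))
    return results


# Constructed sample message (not a real worm): a text body, an HTML part carrying a script
# tag, a genuine JPEG header, and a harmless stand-in attachment labelled octet-stream
# but named with a .vbs suffix, which is exactly the case the label alone would miss.
SAMPLE_MESSAGE = b"\r\n".join([
    b"From: sender@example.invalid",
    b"To: you@example.invalid",
    b"Subject: please read the attached",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="XYZ"',
    b"",
    b"--XYZ",
    b"Content-Type: text/plain; charset=us-ascii",
    b"",
    b"Please read the attached greeting.",
    b"--XYZ",
    b"Content-Type: text/html; charset=us-ascii",
    b"",
    b"<html><body><p>Hello</p><script>alert(1)</script></body></html>",
    b"--XYZ",
    b"Content-Type: image/jpeg",
    b'Content-Disposition: attachment; filename="photo.jpg"',
    b"Content-Transfer-Encoding: base64",
    b"",
    base64.b64encode(b"\xff\xd8\xff\xe0" + b"\x00" * 12),
    b"--XYZ",
    b"Content-Type: application/octet-stream",
    b'Content-Disposition: attachment; filename="greeting.vbs"',
    b"Content-Transfer-Encoding: base64",
    b"",
    base64.b64encode(b'MsgBox "hello"\r\n'),  # constructed, inert stand-in script
    b"--XYZ--",
])

if __name__ == "__main__":
    for name, ctype, verdict, action in scan_message(SAMPLE_MESSAGE):
        print(f"{name:<14} {ctype:<26} {verdict.name:<15} -> {action}")
```

Run as a script, the four parts come out as display, refuse, display, refuse: the text body and the real JPEG are shown, while the HTML with a script tag and the .vbs attachment cannot be opened from the client at all. The point of putting the rules behind one `scan_content` call is the one the essay makes: a distribution or site owner can swap in a stricter implementation once, and every mail client that calls the interface inherits it.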
The key is to have all the leading e-mail software call the same library API, so that content scanning can be implemented once by the system owner and enforced on all users, regardless of their choice of mail client.

I'm of the opinion that display of HTML e-mail should be limited to static content only. In other words, the page engine should simply ignore all active content (Java applets, JavaScript, VBScript, OBJECT tags, and so on). Furthermore, any requests for network access by a link embedded in HTML e-mail should be ignored. These are important tools for spammers to track receipt of e-mail. The e-mail client should leave no ambiguity, no configuration options. If the user really wants that active content, he or she can save the HTML to a local file and then open it in a real browser.

Developers of application software for Linux need to learn from Microsoft's mistakes with Word and Excel security. Auto-execute macros that run without warning as soon as a document is opened are a Very Bad Thing. Period. The only good way to implement this feature is not at all. If a legitimate function is complex enough to warrant a macro, then one extra mouse click to activate it manually will not significantly reduce the user's productivity compared to the amount of work the macro accomplishes.

I won't pretend that I've covered every aspect of application or e-mail security here. All I've tried to do is to highlight the most egregious problems, hoping that someone will see the need for solutions. Nor is my proposal for a standard content scanning API meant to be technically comprehensive; others are far more qualified than I to design this. What I hope has happened with this essay is that people in the Linux community realize that we have a problem headed our way, and that we need to act to avoid it before it's too late. Microsoft users around the world are busy today, reinstalling their operating systems and hoping that they can recover some of their data.
Microsoft is getting well-deserved bad publicity for ignoring security, but ILOVEYOU isn't about bad software. It's about software that lets novice users do stupid things entirely too easily. ILOVEYOU only spread because people were gullible enough to open a love letter from someone they barely knew. These people aren't going to get smarter just because they switch to Linux.

We Linux users can learn from Microsoft's mistakes, if we are willing to do so. We can see that actively protective e-mail clients are needed, because we cannot rely on users to protect themselves. By establishing standards for how this is accomplished, we can ensure that Linux gets well-justified credit for making the Internet safer, not unjust blame for the foolish behavior of novice users.

For a few months more, Linux will retain its perception of being too complex for novices, and during that time, Bill Gates and his friends are buying time for us to prepare for those novices to reach our door. Microsoft looks bad today, yet there but for the grace of Bill go we all.