Dear Mr. Ostergren,

I am writing in response to John Heckman's recent article titled "Protecting against Viruses with Outlook" (dacs.doc, September 2001, page 4). Unfortunately for your readers, Mr. Heckman seems to have fallen into the all-too-popular "Outlook is Evil" trap.

Mr. Heckman begins his comments by stating Using Microsoft Outlook is an open invitation to virus A case in point is W32/Ska.A-m (better known as Happy99), which does not target Outlook and is still one of the most successful viruses ever. The same is true for any number of other very successful mass e-mailing viruses: JS/Kak, W32/Hybris, W32/Magistr and W32/Sircam, to name a few. One of the reasons non-Outlook-targeting mass mailing viruses have been so successful is that users of Eudora, Pegasus Mail, etc. think they are protected from viruses by not using Outlook. The bottom line is that viruses are a user problem, not a software problem. As long as users are willing to blindly double-click anything that lands in their inbox, viruses will continue to be a problem.

Heckman goes on to state, "Some newer viruses can execute when a file is viewed in the Outlook viewer pane, so that is no longer adequate protection." While this is true of Outlook Express, to the best of my knowledge the Outlook preview pane does not run active content. In reality, disabling the preview pane really does not solve much. The real problem with the preview pane is that it, just like the main message viewer, uses Internet Explorer's rather buggy and security challenged HTML parsers to render the message's content. A far better solution is to install all of the relevant patches and updates for Internet Explorer and Outlook. The user should also place Outlook in the Restricted Sites zone, which effectively disables Outlook's ability to parse active content.

Heckman further states, "You should update your [anti-virus] software once a month and more often when a new virus becomes widespread." This is generally poor advice. Most anti-virus software developers currently release updates on a daily or weekly basis for a reason. In the age of mass mailing e-mail worms, where a virus can go from unknown to widespread in a matter of hours, a month is a lifetime. Today users really should update their anti-virus software on a weekly basis. What's more important than
frequent updates is the need for users to understand the inherent That's not to say you shouldn't use anti-virus software. Anti-virus software should be a part of your overall defense strategy, but it should not be a replacement for the zealous practice of Safe Hex. I would encourage readers to take
a few minutes to read the following pages: www.claymania.com/ The simple truth is no piece of software can protect us from our own ignorance.

On balance, Mr. Heckman's recommendation that users disable (rename) wscript.exe and cscript.exe is very poor advice and I would not recommend it. In general, home and small office users need Windows Update to work much more than they need to disable VBS and JS files. The Windows Update site depends on VBS files being downloadable and runnable in order to install updates.

Last, on a related but significantly different note, changing the Open setting for VBS files to Notepad is probably the wrong way to handle things. A better solution may be to change the default action for VBS files from Open to Edit, which by default opens files in Notepad. This way, when you double-click on a VBS file, it opens in Notepad (but you will still be able to right-click on a VBS file in Windows Explorer and choose Open if you want to run it).

As technology professionals we need to educate users about the threats of the virtual world and how they can properly defend themselves. We should not offer them kludged-together workarounds that do little to enhance their security.

Sincerely,

John Heckman Responds

Jeff Setaro is certainly an able mouthpiece for the Microsoft line that Outlook is not the problem, user behavior is. Let's examine this further.

Blame the Users. This is convenient, and certainly no computer professional lacks for end-user horror stories. However, it is somewhat beside the point. This becomes immediately apparent when you translate the analysis to another realm: the Ford Explorer and Bridgestone tires: all those rollover deaths were due to the fact that users ("user" is a four-letter word) piled too much equipment into the Explorer and drove it too fast around corners, did not inflate tires correctly to compensate for the weight and the heat. So if they got killed, tough, it's their own fault (right?).
That the Explorer must rank as one of the most unsafe vehicles ever made is not relevant. Any software company is painfully aware of what users can and will do, and one of the tasks of programmers is to make a product as resistant as possible to user error. This is sometimes known as idiot-proofing. As I frequently tell my clients, never underestimate the creativity of end users when it comes to circumventing your best thought-out routines. Yes, users should be more careful. But they aren't. So the question is, in a commercial environment, how do you protect them from themselves? That is the question that needs addressing.

Viruses can target any e-mail system. True but irrelevant. While other MAPI-compliant programs are open to certain types of viruses, programs that don't embed VBS scripts (such as WordPerfect and GroupWise) are more resistant to VBS-based viruses and worms. If another vendor were as dominant as Microsoft, viruses would target their product. But that is not the case. The fact is that Microsoft consciously and explicitly opens up VBS in order to provide functionality (such as the Windows Updates) that also involves security problems. There are a number of superior ways of handling security that are entirely feasible within the Microsoft scheme (as the Microsoft sub-culture around Woody Leonhard is quick to point out). But I think it has been amply demonstrated across its product line that security is of marginal concern to Microsoft (after all, it's the users' fault). Even Jeff criticizes Internet Explorer's "rather buggy and security challenged" (???!!!) HTML parsers.

Jeff complains that disabling wscript.exe and cscript.exe would also disable Windows Update and claims that "home and small office users need Windows Update to work much more than they need to disable [viruses]." This is indeed the crux of the matter. I disagree.
You are better off disabling VBS on a daily basis and re-enabling it on those occasions you need to run Windows Update (or whatever) than leaving yourself open to VBS viruses on a daily basis in order to run Windows Update once a month or whatever.

On updating anti-virus software, I certainly agree that it should be done as often as possible. I had several companies write me that they update signatures daily. On the other hand, I hate to tell you how many clients I go to that, when you start the computer, you get a message "your anti-virus signatures are more than 6 months old..." (or whatever). Monthly is not optimal but is better than nothing.

John Heckman
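
Both letters turn on what a double-click does to a VBS file. As an added example (not from either correspondent), this read-only PowerShell check reports the double-click verb and command for each Windows Script Host file type. The function name, the ProgID list, and the fallback to `open` when no default verb is set are assumptions about a standard Windows Script Host installation.

```powershell
# Added example: report what a double-click does for each Windows Script Host
# file type. Read-only; nothing in the registry is changed.
# Assumption: these are the ProgIDs a standard Windows Script Host install registers.
$ScriptProgIds = 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile', 'WSHFile'

# Hypothetical helper name, introduced for this example only.
function Get-ScriptDoubleClickAction {
    param([string[]]$ProgId = $ScriptProgIds)

    foreach ($id in $ProgId) {
        $shellKey = "Registry::HKEY_CLASSES_ROOT\$id\Shell"
        if (-not (Test-Path -LiteralPath $shellKey)) {
            # File type not registered on this machine.
            [pscustomobject]@{ ProgId = $id; DefaultVerb = $null
                               Command = $null; RunsScriptHost = $false }
            continue
        }

        # The (Default) value of ...\Shell names the verb used on double-click.
        # Assumption: an empty value means the shell falls back to "open".
        $verb = (Get-Item -LiteralPath $shellKey).GetValue('')
        if ([string]::IsNullOrEmpty($verb)) { $verb = 'open' }

        # Look up the command line that the verb launches.
        $cmdKey = "$shellKey\$verb\Command"
        $cmd = $null
        if (Test-Path -LiteralPath $cmdKey) {
            $cmd = (Get-Item -LiteralPath $cmdKey).GetValue('')
        }

        [pscustomobject]@{
            ProgId         = $id
            DefaultVerb    = $verb
            Command        = $cmd
            # True when a double-click hands the file to wscript.exe or cscript.exe.
            RunsScriptHost = [bool]($cmd -match '\b(wscript|cscript)(\.exe)?\b')
        }
    }
}

Get-ScriptDoubleClickAction | Format-Table -AutoSize -Wrap

# The Open-to-Edit change described in the first letter corresponds to setting the
# (Default) value of HKEY_CLASSES_ROOT\VBSFile\Shell to "Edit" (administrator
# rights needed). Open stays available from the right-click menu.
```

A row with `RunsScriptHost` set to True is a file type that executes on double-click; per-user file associations, where present, can override what this machine-wide view shows.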