Library Zone Articles
External Articles
Byte Size

Discovery Zone Catalogue
Interactive Zone Ask the Gurus
Discussion Groups
Etc Cartoons
Site Builder ASP Web Ring ASP Web Ring

Power your site with idr newswire
The Developer's Resource & Community Site
International This Week Forums Author Central Find a Job

Microsoft Releases the ILOVEYOU Patch for Outlook

Download print article

"Given the global impact of the I Love You virus and the growing threat of malicious hackers, we strongly believe we must take the unprecedented step of limiting certain popular functionality in Outlook to provide a significant, additional security option for our customers." - Steven Sinofsky, senior vice president of Microsoft Office. From Microsoft's Press Release.

File associations are extremely useful because they allow you to be document-centric and not application-centric. Thus, instead of opening Word and then loading a Word document to view it, you merely double click on a Word document in Explorer and it will start the associated application and inform it to load the document. This is fine when you know the origin of a document, which is generally the case for files on your hard disc. If you do not know the origin of a document then you have to be careful when viewing it.

Computer viruses have been around for many years and most users have got used to checking suspect files. In the early days such files came from floppy discs or CDs from dubious origin and users soon trained them selves to scan such discs with a reliable virus scanner. However, the internet has brought new dangers. Possibly the worst aspect it the almost unlimited sources of shareware and freeware applications, any one of which could contain malicious code. Shareware and freeware libraries are a great target for virus authors because the distribution of the malicious code is done for them: the naпve user invites the infected code onto their hard disc and worse, they actually run it. A cautious user checks any executable file before running it.

When you connect your machine to the internet your machine becomes part of a network that extends the entire globe. Windows is notoriously insecure as far as the internet is concerned, and when you are surfing it can leave a gaping hole that a savvy attacker can exploit to gain access to your machine. Although the naпve user is not explicitly inviting a virus on their machine, unprotected connection to the internet is an implicit invitation. Its like leaving your front door open and unlocked while you visit a local shop for a newspaper - you do not put up a sign that says 'Please burgle me', but you may as well. Such a hole can be plugged with a personal firewall (read what Bill Machrone has to say about this; read some tips on protecting yourself). Again, the distribution of malicious to your hard disc is simple for the attacker, but executing the code requires a bit more work, but not much more.

So, you've scanned files and used a firewalls to prevent hackers getting access to your machine, it now means that you're fully protected, doesn't it? No you are not. The reason is that whenever you get email from your mail server you are downloading files from the internet. You should be able to trust your mail server to provide you with your email untampered, but can you trust your email? Anyone who knows (or guesses) your email address can send you an email. Most people download all email sent to them and sift them by eye by opening the email and deleting the junk mail.

However, there are dangers lurking in email, because they can have attachments as MIME. An attachment could be an executable, and if you extract the attachment and run it you are again inviting malicious code onto your machine. Even the most naпve of users will recognise an executable from its EXE extension, but there are other ways to run code. Last year the Melissa virus showed one way of doing this. It was contained as a macro in a Word document. When a user opened the document the email reader used file associations to determine the application used to open the document. Normally this is not a problem because a Word document is merely a file, however, the Melissa document had a macro which Word ran when it opened the document. Now the user invited the malicious code onto his machine by opening a document! The solution was to warn users that a document contained macros when they opened it and gave them the option of disabling all macros.

The ILOVEYOU virus was not as sophisticated. Again, the attacker wanted to get the code onto your machine and execute it there. This time the attacker chose to distribute the virus as a VBScipt file attached to an email. When the user 'opened' the attachment the email reader (Outlook) loaded the associated process (Windows Scripting Host) which then executed the virus. Both the Melissa and ILOVEYOU viruses distributed themselves by using automation to access the Outlook address book and then emailing itself to all the addresses it could find.

Another way to get code executed on your machine is to name it in such a way that the email reader does not think that it is a program. You can do this is to disguise it as another file for example an executable could be named:

"MyPic.jpg<many spaces>.exe".

where <many spaces> is enough spaces to hide the .exe extension. The unsuspecting user would then try to 'open' MyPic.jpg expecting it to be a picture (and hence loaded into a graphics viewer). Instead, the email reader recognises that the file is an executable and simply runs it.

There are clearly three problems that these virus writers are exploiting:

  • file associations - when you 'execute' a data file a process is automatically run and loaded with the data file
  • email readers automatically opening attachments, even when the attachment is an executable
  • allowing any code to have access to address books and the ability to create and send emails

    Microsoft have finally produced a patch to Outlook to address these potentially dangerous areas. The patch can be downloaded from the Office Update Web site from May 22, 2000. The main aspects of the patch is code to stop the naпve user from executing email attachments and preventing code from sending emails with something called Object Model Guard.

    The Object Model Guard detects when code is attempting to send an email and then presents a dialog to inform the user. So is this a good idea? I have my doubts. The Object Model Guard is reported to be unconfigurable and uninstallable, which means that once it is applied you cannot get rid of it. Not all code that accesses the Outlook address book or generates email is malicious, and some is positively useful (for example a MAPI enabled trigger in a database could send an email to a database administrator with details about the database). As far as Outlook is concerned such code is not Outlook and hence the email has to be verified with a dialog. On a server machine locked in a cupboard such a dialog is useless and potentially harmful because it could cause a server process to hang.

    So what can you do? First, execute nothing that you cannot verify to be from a reputable source and preferably scan all files that you download. Second, don't execute any attachments sent to you. Third, save all attachments to your hard disk first and then open the file from the document reader rather than allowing your email reader to use file associations.

    Author Bio:

    Author: Richard Grimes

    Richard Grimes started programming aeons ago on 8-bit computers and hasn't looked back since. He has spent an interesting time as a research scientist (the little known "Grimes Effect" is his creation), underpaid time as a computer trainer and done time as a distributed object developer.

    ATL took hold of Richard while he was part of a team developing a COM-based workflow system and its elegance and simplicity has had a lasting effect on him. Although his is not an obsessively pure COM existence, he finds that an ATL-assisted COM lifestyle gives him more time to enjoy his garden.

    Go to Richards pages in Author Central.

    Click here

    Contribute to IDR:

    To contribute an article to IDR, a click here.

    To contact us at, use our feedback form, or email us.

    To comment on the site contact our webmaster.

    Promoted by CyberSavvy UK - website promotion experts

    All content © Copyright 2000, Disclaimer notice

  • WTL Architecture by Richard Grimes

    Visit our NEW WTL Section

    Java COM integration

    Visit the IDR Forums

    Java COM integration