FWD: The Real Problem With Melissa
Rich Locke (rfl@OFFPRO.NET)
Thu, 1 Apr 1999 08:11:21 -0500
This message was forwarded to you from ZDNet (http://www.zdnet.com) by rfl@offpro.net.
Comment from sender:
Thought some might be interested in this article.
So now it's 19(?) postings.
---------------------------------------------------------------------
This article is from Smart Reseller (http://www.zdnet.com/sr/).
Visit this page on the Web at:
http://www.zdnet.com/sr/stories/column/0,4712,2233693,00.html
---------------------------------------------------------------------
The Real Problem With Melissa
By clogging the e-mail arteries of business, Melissa has given
corporate communications a mild heart attack.
By Steven J. Vaughan-Nichols, Sm@rt Reseller
Melissa has brought the entire networked world to a
panic. By clogging the e-mail arteries of business, Melissa has given
corporate communications a mild heart attack. Melissa, itself, however
is a trivial Microsoft Word 97/2000 macro written in Visual Basic for
Applications. And, there's the real problem.
All Office 97 and 2000 programs use VBA as a universal programming
language. This inter-application communication (IAC) meta-feature
gives these applications great flexibility, power, and potential for
abuse. Melissa is only the first; others will follow.
VBA lets you promiscuously mix data--a Word document, a PowerPoint
presentation, an Excel spreadsheet--with programs, the Office 97 and
2000 suites. Bad idea. Any halfway decent programmer can build
documents containing macros that can take advantage of IAC to unleash
another Melissa storm. Storms that, because they're built from the
very heart of Microsoft Office design, are almost impossible to detect
in advance. Yes, Microsoft includes macro virus protection, but it,
itself, can be turned off by a macro virus!
There are other ways. The Java Virtual Machine model, which Microsoft
is moving away from, lets you safely run active content. A Java applet
can still foul you up, but it's not going to make your e-mail servers
scream for mercy. Extensible Markup Language (XML) empowers data but
keeps its paws off other applications on the same machine.
But, then again, Microsoft's XML, currently in
Internet Explorer 5.0 and set to fully bloom in Office 2000, is a
proprietary version of XML. It takes Office's hyperactive active
document content, gives it enormous headers and transforms single
Office documents into numerous XML documents. This is great--for
swapping information with other 2000 or IE 5 users. Given how IAC is
woven throughout Office, though, Microsoft's XML also promises to be
even more fertile ground for macro virus problems than Office's native
formats.
So what can you do about all this? For starters, dump Microsoft
Outlook as a mail client. For a quick, low cost solution, switch your
users to Pegasus Mail or Eudora Light Mail Client. These may be all
your customers need, or you may want to move them to commercial
products. Yes, I'm serious.
The Microsoft IAC approach was defensible, when all PCs were isolated
islands. They're not anymore. In the hands of a competent programmer,
IAC is the most powerful office application macro system to ever
exist. But by virtue of that very same power, Office's very design
makes it inherently unsafe.
By week's end, Melissa will be history. All the major anti-viral
programs have already released fixes to their programs that will
terminate Melissa-infected files with extreme prejudice. Until
Microsoft improves Office's security, it's only a matter of time until
another Melissa strikes at the heart of your customers' enterprises.
---------------------------------------------------------------------
Copyright (c) 1998 ZDNet. All rights reserved. Reproduction in whole
or in part in any form or medium without express written permission of
ZDNet is prohibited. ZDNet and the ZDNet logo are trademarks of
Ziff-Davis Inc.