[NTLUG:Discuss] What is love?
Richard Cobbe
cobbe at directlink.net
Sun May 7 10:51:06 CDT 2000
Lo, on Friday, 5 May, 2000, Gregory A. Edwards did write:
> You know what I think is the really sad part of this. If the creators
> of the "innovative/visionary" program that was used to invite the
> worm/virus into the systems had done a decent job of engineering that
> OS and its tools this could have never happened. I guess this is an
> example of innovation in action. I also noticed that NOBODY in the media
> is talking about the inherent design of the OS and the mail tool makes
> this kind of worm/virus unstoppable until after the fact.

Well, partly. Granted, the lack of any sort of ownership permissions in
Win95/98 leaves systems extremely vulnerable to this sort of thing.
However, the ability to include code in a mail message and automatically
execute this code on receipt can be used for some nifty features; an
example follows. The developers at MS, however, obviously didn't think
through all the security ramifications of this design, and THAT is
inexcusable.

(Disclaimer: I've spent about 9 months out of my 24 years doing Win*
development, and that was in VC++, so I don't have any real experience with
the sort of thing that I'm about to describe. However, a co-worker who has
done things like this provided the following example; I'll almost certainly
get some of the details wrong.)

Anyway, it is possible to use VBScript and Outlook and all of these
features that ILOVEYOU exploits to essentially provide a mail front-end to
a database. To the user, it appears that the mail message is a form, much
like one that would appear on a web page.

While you can do the same thing with a properly-formatted plain-text mail
message and a Perl script, this isn't a bad feature if you've got users who
don't want to learn complex input syntaxes. As in so many other
situations, though, the greater simplicity comes at a price. (In this
case, the price would seem to be approaching $1 billion, at least according
to CNN! <grin>)

Richard