Lessons Learned and Forgotten

by Glenn Vanderburg


Here we are again, watching the effects of another Outlook-based email
worm/virus, W32.Klez (http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html).
And while this one hasn't had the high media profile that some others
have, it is in many ways one of the worst we've seen. It carries a
destructive file-infecting virus along with it. It forges the From
header, so its mail appears to come from people who aren't even
infected. (I received an infected note that appeared to be from Eric
Raymond. I strongly doubt that ESR uses Outlook.)


One of the most frustrating things about the Outlook travesty is
Microsoft's utter disregard for a fairly rich body of literature
related to sending executable code in email. In November it will be
ten years since the publication of Nathaniel Borenstein's seminal
paper "Computational Mail as Network Infrastructure for
Computer-Supported Cooperative Work"
(http://www.cs.uwm.edu/classes/cs790/digdoc-f2001/p67-borenstein.pdf),
which described his prototype ATOMICMAIL system (and incidentally
contains the funniest joke I've ever seen in a technical paper). A
year later he and Marshall Rose elaborated on those ideas with "A
Model for Enabled Mail" and their Safe-Tcl system
(ftp://thumper.bellcore.com/pub/nsb/st/safe-tcl.txt). By mid-1994 I
was able to receive email messages containing executable code running
in a secure environment, a demonstration of the Safe-Tcl ideas.


The MIME standard itself (RFC 1521, published in September 1993) also addresses the kind of security problems we're seeing today: its security considerations warn at length that content types such as application/postscript can carry code that the recipient's software will execute, and that a mail reader must not hand such content to an interpreter without confining it.
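The two warnings above, Klez's forged senders and MIME's caution about executable content, come down to checks any mail gateway could have made in 1993. The following is an added example, not code from the original post or from any of the systems it mentions. It parses a constructed Klez-style message (the addresses, attachment name and base64 payload are made up for the demonstration) and flags two things: an attachment that would execute if opened, regardless of what its Content-Type header claims, and a visible From address that disagrees with the Return-Path the delivering MTA recorded.

```python
import os
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment extensions that Outlook-era clients would hand straight to the OS
# loader. Illustrative list for this example, not an exhaustive one.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".js", ".hta"}

# Constructed sample message (not a real Klez capture): a forged From header, a
# different envelope sender in Return-Path, and an attachment whose declared
# MIME type is an audio clip but whose name ends in .exe and whose first bytes
# are the "MZ" signature of a Windows executable.
SAMPLE_MESSAGE = b"""\
Return-Path: <infected-host@example.net>
From: "Someone Uninfected" <friend@example.org>
To: victim@example.com
Subject: a funny game
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

try this
--XYZ
Content-Type: audio/x-wav; name="game.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="game.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAA
--XYZ--
"""


def executable_attachments(msg: EmailMessage) -> list[dict]:
    """Flag attachments that would execute if opened, whatever Content-Type claims."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        body = part.get_payload(decode=True) or b""
        looks_like_pe = body[:2] == b"MZ"  # DOS/PE header magic
        if ext in EXECUTABLE_EXTENSIONS or looks_like_pe:
            findings.append({
                "filename": name,
                "declared_type": part.get_content_type(),
                "looks_like_pe": looks_like_pe,
            })
    return findings


def sender_mismatch(msg: EmailMessage):
    """Return (header_from, envelope_from) when the visible From address differs
    from the Return-Path recorded at delivery; None otherwise."""
    _, header_from = parseaddr(str(msg.get("From", "")))
    _, envelope_from = parseaddr(str(msg.get("Return-Path", "")))
    if header_from and envelope_from and header_from.lower() != envelope_from.lower():
        return header_from, envelope_from
    return None


def analyze(raw: bytes) -> dict:
    """Parse a raw RFC 822/MIME message and report both findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "executable_attachments": executable_attachments(msg),
        "sender_mismatch": sender_mismatch(msg),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The point of checking the file extension and the "MZ" magic rather than trusting Content-Type is that the declared type is chosen by the sender; the client's behaviour is determined by what it does with the bytes once they are on disk. The Return-Path comparison is only a heuristic: mailing lists and forwarders legitimately rewrite the envelope sender, so a mismatch is a reason to look harder, not proof of forgery on its own.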


All of that activity coincided with a flurry of other activity related
to the idea of "mobile code": General Magic's Magic Cap
environment for PDAs (with its secure Telescript language), the Obliq
language, Perl's Safe module, and, at the start of 1995, Oak (soon
rechristened as Java).


None of those efforts completely solved the problems that afflict
Outlook. But they all carefully describe the dangers lurking in the
whole concept of sending embedded documents, multimedia, and executable code in email. Each of them makes
clear that the kinds of problems we now see in Outlook are inevitable
without the most careful security
engineering.


Some of that was rather obscure research, it's true. But a company as
large as Microsoft surely should have known about it. For that matter, Telescript
wasn't obscure at all; it was widely hyped as "the next big thing." And MIME is the standard upon which Outlook email is based.
So maybe MS did know, and just didn't care.


I know, I know ... this is just a rant. But it really would've been
nice if Microsoft had taken security -- our security -- seriously
enough to do their homework.