By Kevin Murphy Microsoft Corp is to be challenged over its record on desktop security for the second time in as many weeks, when anti-virus software companies issuing a set of demands to Redmond aimed at reducing the damage done by Office macro-viruses. In an open letter to be published by Virus Bulletin magazine, and […]
By Kevin Murphy
Microsoft Corp is to be challenged over its record on desktop security for the second time in as many weeks, when anti-virus software companies issuing a set of demands to Redmond aimed at reducing the damage done by Office macro-viruses. In an open letter to be published by Virus Bulletin magazine, and signed by Microsoft’s own product manager Larry Tseng, members of the Virus Bulletin Conference 1999 technical panel will make four recommendations on how Microsoft can help the companies fight viruses.
Over 50% of viruses currently on the ‘Wild List’ of viruses currently spreading across the globe are based on the macro function of Microsoft Office applications. As these programs are simple to write (in Visual Basic) and can be run through applications such as Word 97, which are almost ubiquitous on the desktop PC, anti-virus companies such as Sophos Plc and Symantec Corp think Microsoft should be doing more to prevent them.
Paul Ducklin, head of research at Sophos, told ComputerWire the letter will ask that the Office install wizard gives the option to disable the macro function. He said the majority of people do not use macros and if it were turned off, macro viruses would just not work. The letter will also say that macro functions should be stored in separate files to documents themselves, rather than interwoven with, say, Word text. This could stop the spread of infection by allowing users to choose whether or not to email macro data along with a document.
On a similar theme, the panel will recommend that Microsoft should be more open with details of its file formats. It takes them too long to respond to requests for information, said Ducklin, so we have to reverse-engineer the software to be able to understand it. The problem, he concedes, is not malice on Microsoft’s behalf, but the simple size of the software giant slowing down the development of the documentation the anti-virus firms need.
Despite this, Microsoft seems to be developing a reputation for a lack of security on its desktop products (as well as its web-based and server-side problems). Last week, European commissioner Erkki Liikanen voiced the opinions of the cryptography industry when he called for Microsoft to open up the source code to Windows, to allow public key infrastructure software developers more information on the security of the platform they are obliged to work on.