Why PCs Are Easy Targets

By Chris Taylor

Pop quiz: what do the names Laroux, Ethan, Marker, Melissa, Chernobyl, Class, Footer, Form, Happy99 and Explore.zip have in common? O.K., pencils down. Score one point if you said they're all horrible little computer viruses. Score two if you guessed they were the Top 10 digital infections of 1999. And award a dozen bonus points if you worked out the most important and terrifying connection: like the Love Bug, every last one e-mailed its way into our PCs using Microsoft software as a carrier.

Laroux arrives as an unassuming Microsoft Excel file known as a macro. Ethan, Marker, Class and Footer hide inside Microsoft Word macros. Happy, Form and Chernobyl work on Windows, while big-league heavies like Explore.zip (not to mention year 2000 contenders Kakworm, Bubbleboy and, of course, ILoveYou) head straight for Microsoft Outlook Express.

This is no accident. Nearly all these viruses were written in Microsoft's Visual Basic, a programming language that works across the wide world of Windows. "It's not even a loophole," says Richard Smith, the Boston-based security expert who helped track down Melissa's author. "It's all by-the-book Microsoft programming."

Security experts have long warned that Microsoft software is so widely used and so genetically interconnected that it qualifies as a monoculture--that is, the sort of homogeneous ecosystem that makes as little sense in the business world as it does in the biological. Using Word, Excel and Outlook exclusively on Windows machines in a company network "is like planting Kansas with the same grain of wheat," says Bill Cheswick, a senior researcher at Lucent. When a virus preys on the crop, nothing is left standing. The companies hit hardest by the Love Bug were closed Microsoft shops. Users who had planted their PCs with a slightly more colorful selection of seeds--even just substituting Eudora for Outlook--suffered not at all.

That lesson in biodiversity was not lost on the trustbusters at the Justice Department. Their legal bid to break Microsoft in two is intended to promote precisely such healthy genetics. The most overused example of what would happen if the Windows half of Microsoft were wrenched from the half that produces Word, Excel and Outlook is that the latter would start churning out versions of its products for rival operating system Linux. Call it enforced crossbreeding.

Microsoft resists the monoculture argument as strongly as it does the DOJ breakup plan. "The reason [Love Bug] spread so rapidly is more a matter of the connectedness of systems than the specifics of platforms," insists Steve Lipner, manager of Microsoft's security-response center. Still, the company recognizes the threat from at least one source of infections. The latest version of Word profits from its predecessor's mistakes and comes with macros disabled by default, meaning that viruses like Ethan, Marker and even Melissa will find it harder to gain a toehold. But Outlook's macros are set to remain stubbornly open to infection, meaning that the field is ripe for the next infestation of Love Bugs.

--By Chris Taylor