(December 11, 1999) Oops. I was wrong.
For years, I have received emails from friends and strangers alike, urgently warning me about email viruses that could be triggered simply by reading an email message.
I always knew they were wrong, because I know that an email message is nothing more than plain text, and a virus can only be activated by executing a software program. These warnings were hoaxes concocted to fool the gullible, and they were frequently distributed (often in modified form) by people who were gullible.
After the first few dozen warnings, I found these emails annoying, especially when the same person would re-send the same warning about the same message even after I warned them a month earlier that it was a hoax. Usually, the warning described a particular message header or title, or the name of a particular sender whose name would appear in the return address.
Last year, when the “Melissa” email virus was released, many people again reported that it was triggered simply by “reading” the email, but this was again a mistake: the virus could only be triggered by executing a program file that was sent as an attachment. The author of the “Melissa” virus was simply more devious than his predecessors: his virus caused itself to be re-sent to the first 25 or 50 email addresses in a Microsoft address book, but again only if someone executed a file attachment. Unfortunately, since the email came from someone who had your email address in their address book, it was more likely than usual to come from someone you knew and trusted. But long before the Melissa virus was even a gleam in its designer’s eye, we were all warned to never trust any file attachments, and always use a virus-scanning program for all downloads, regardless of their source.
But throughout it all, I was absolutely, positively certain that there was never any email virus that could wreak havoc just by being read.
This fall, I was proven wrong. The flaw came not from a particularly clever virus author, but from an implementation defect in Microsoft’s Outlook (and Outlook Express) software, when used on computers with “Windows Scripting Host” enabled.
My understanding is that Microsoft Outlook executes some attached ActiveX code when messages are viewed in its “preview pane.” (Microsoft’s proprietary ActiveX technology has been the entry point for a wide range of malicious programmers in the past year or so.) Microsoft was advised that this could be exploited as a security breach, and released a patch for Outlook in August.
The first virus to exploit this defect was identified as the “bubbleboy” virus, which was described by anti-virus experts as a “proof of concept” virus. In other words, its author created the virus just to show that it worked, and sent copies to anti-virus experts so they could develop ways to prevent damage from more malicious virus authors.
Microsoft’s August patch for Outlook, if installed, would have blocked this virus from executing in the “preview pane.” But many users don’t regularly check for updates and patches. And some corporate information technology (IT) departments are unable to install such patches on corporate computers without restarting all Y2K compliance testing from scratch, since every change to software renews the risk of bugs and unexpected side effects.
Anti-virus software makers released patches and updates to detect the “bubbleboy” virus within a few days after its release.
I would have been unaffected by this virus, since I do not use Microsoft Outlook. However, I did reply to the first warning about the “bubbleboy” virus with a firm dismissal of the suggestion that an email virus could be activated simply by opening an email, without actually opening or executing an attached file.
I can take no consolation in the notion that I was only wrong because of a design flaw in Microsoft’s software, nor that my reaction was reasonable since it was accurate for dozens of prior hoax emails. Millions of people use Microsoft Outlook, and now they are vulnerable to a new form of virus attack.
Since this event prompted me to read many recent news articles about current activities by malignant virus programmers, I am even more upset to learn that there are a substantial number of viruses that are scheduled to “activate” on January 1, and more terrorists who are threatening to release new viruses in the final days of 1999. Some of these “Y2K” viruses are designed to create damage that simulates predicted Y2K bugs, and others are simply designed to create more problems.
I strongly advise everyone to update their anti-virus software every single day until at least the first week of January.