Bubbleboy virus a warning on e-mail

Risk: Remember assurances that attachments were the only danger in e-mail? Not anymore. Beware of messages in HTML.

November 22, 1999 | By Hiawatha Bray, Boston Globe

Microsoft Corp. just finished a pretty rough few weeks, and I was planning to ease up on them. And then along came Bubbleboy.

By now you may have heard of this computer virus. If you use Microsoft's Internet Explorer 5 browser and the company's Outlook or Outlook Express e-mail programs, Bubbleboy will send a copy of itself to everybody in your address book. Other than that it's pretty much harmless.

The scary part is the way it works. You get Bubbleboy by reading an e-mail message. Just display the message on your screen, and your computer can be infected.

It's not supposed to work this way. And it didn't, until Microsoft got a little creative, and a little careless.

We all know the drill. Computer programs -- like viruses -- are clumps of binary "machine language" that must be run to do anything. Standard e-mail messages are sent as plain text, so they can't contain a virus or any other executable programs. This means standard e-mail is safe.

E-mail attachments can be dangerous because they can contain computer programs, including viruses. So, never open an attachment that comes from a stranger -- or at least run it through a virus scanner first, we're told.

That's what I've been writing for years. And it's wrong.

Standard e-mail is safe, but many of us don't use only standard e-mail. For years there have been e-mail programs that allow you to send and receive messages in HTML, the simple language used to create Web pages. These mail programs work by having little Web browsers in them, or by using features from the browser already installed on your computer. Open the e-mail, and the message window becomes, in effect, a mini-browser, running the HTML code that's part of the message.

Browsers don't run just HTML code. They also let you run software written in "scripting languages" like Microsoft's Visual Basic for Applications and Netscape Communications Corp.'s Javascript. Unlike other computer languages, scripting languages don't have to be converted into machine language -- they'll run as-is.

Consider what this means. An e-mail written in HTML can have a program lurking inside. Open the message and your browser can run that program. Actually, this happens all the time. Many of the fancy features on your favorite Web sites are little Javascript programs included on the Web page. Your computer downloads the Javascript, and your browser runs it.

This makes HTML e-mail riskier than plain-text mail, but nothing to panic about. The computer is supposed to set limits on what a Javascript or VBA program can do. But it turns out that IE 5 has a bug that lets malicious VBA scripts run wild.
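The difference described above, an HTML body that can carry script next to a plain-text body that cannot, can be checked on the receiving side before a message is displayed. The Python sketch below is an added example, not part of the original column; the sample message, its addresses and the pattern list are constructed for illustration, and the patterns are a minimal set rather than a complete filter.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: one message offered both as plain text and as HTML.
SAMPLE_HTML_MAIL = """\
From: sender@example.com
To: reader@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="us-ascii"

Hello in plain text.
--BOUND
Content-Type: text/html; charset="us-ascii"

<html><body onload="placeholder()"><p>Hello in HTML.</p>
<script language="VBScript">' placeholder, no real code</script></body></html>
--BOUND--
"""

# Markup that asks the mail client's HTML renderer to execute or load code.
ACTIVE_PATTERNS = {
    "script element": re.compile(r"<\s*script\b", re.I),
    "embedded object": re.compile(r"<\s*(object|embed|applet|iframe)\b", re.I),
    "inline event handler": re.compile(r"<[^>]*\son\w+\s*=", re.I),
    "script URL": re.compile(r"(javascript|vbscript)\s*:", re.I),
}

def active_content(raw_message):
    """Return sorted names of active-content kinds found in text/html parts."""
    msg = message_from_string(raw_message, policy=default)
    found = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
            found.update(n for n, p in ACTIVE_PATTERNS.items() if p.search(html))
    return sorted(found)

def plain_text_only(raw_message):
    """Return just the text/plain body, the part a plain-text reader displays."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""
```

Only parts declared as text/html are inspected, so the same tag typed into a plain-text message is reported as nothing: a plain-text reader shows it as characters and never hands it to a browser engine.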

Richard Smith, retired founder of Phar Lap Software Inc. in Cambridge, Mass., told me that the bug has been common knowledge for months. It was published on "Bugtraq," an Internet mailing list where security experts swap tales of software gone wrong (www.securityfocus.com). Microsoft promptly issued a repair patch that plugs it up.

But how many people download patches? "They have a patch," Smith said. "Great. Now all we have to do is get 50 million people to install it."

Smith directed me to the Web site of a Bulgarian programmer who's posted a demonstration of the bug. This version installs a creepy but harmless bit of code on unprotected machines. Sure enough, it worked on my computer. That sent me scurrying to download the patch.

Microsoft has made IE 5 browser upgrades dead easy. Connect to the Internet, click the Tools menu at the top of the browser and then click Windows Update. You're taken to a Web site that offers a selection of upgrades, with the life-or-death ones at the top. Download and reboot.

You can also download Bubbleboy shields from the leading antivirus software makers.

Smith thinks that the creator of Bubbleboy read about the bug on the Net and whipped up his virus as an experiment. Then the parent of Bubbleboy turned in this delinquent child to an antivirus company before it did any real damage.

We come away from the Bubbleboy affair with our software intact, but with a good deal less confidence in the safety of e-mail. In the old days the stuff was drab but harmless. But add HTML, and e-mail becomes colorful, memorable -- and occasionally toxic.

Baltimore Sun Articles