Truth about computer security hysteria

Beg! Roll over! Good reporter. Here's a virus treat...

Rob Rosenberger, Vmyths co-founder
Thursday, 21 January 1999

Domesticated reporters wait for computer security firms to feed them stories. Today's non-event demonstrates it.

HEADLINES SCREAMED LAST month when Network Associates announced the most complex virus ever discovered. (In their opinion.) Headlines screamed again this month when Finjan announced the most dangerous Internet security hole ever discovered. (In their opinion.) Yet reporters yawned earlier today when experts announced a bigger Internet security hole known as Word Template.

Don't let the media's inattention fool you. Word Template can strike twice as many victims compared to Russian New Year. It's 1/40 the size of Remote Explorer. It can do anything to your computer if you read a web page with your eyeballs. You can fully describe it to a hacker in two sentences and you can implement it in ten minutes. Microsoft employees worked around the clock to release a security patch before anyone found out.

Why did the press ignore it? Simple — nobody staged a media circus. I've complained for years about domesticated reporters who wait for computer security firms to feed them juicy stories, and this non-event demonstrates my point. Check out the refreshingly ho-hum items on PC World and ZDNet if you need some eye candy.

Why didn't the media scream in terror? Answer: nobody staged a media circus.
Why didn't Network Associates or Finjan alert their own customers? Answer: they didn't discover it.

Let me bring you up to speed on what happened:

  1. Microsoft Office expert Woody Leonhard received an email from someone who noticed an obscure feature (not a bug) in Word.
  2. Leonhard showed it to virus expert Vesselin Bontchev (FRISK), who combined it with a two-year-old anomaly in Internet Explorer ... and the Word Template Internet security hole came to light.
  3. Leonhard & Bontchev immediately notified Redmond. Microsoft employees freaked out when they visited Bontchev's demo web page.
  4. A tiger team worked around the clock to develop a patch before the press found out. Microsoft's much-maligned computer security office kept a close eye on the tiger team.
  5. Leonhard & Bontchev agreed with Office product manager John Duncan on the need for secrecy until a patch appeared.
  6. Leonhard postponed an issue of his popular WOW newsletter so he could write a happy ending.
  7. Microsoft released a patch and issued a computer security alert.

It certainly looks like a happy ending for Microsoft. As for Leonhard? He scooped the world with his newsletter today. Bontchev? Well, FRISK didn't issue a press release about his important discovery, but he knows he did a great job.

The media waited a month before screaming about Microsoft's Russian New Year patch. They screamed because Finjan goaded them. Will the media scream next month about Microsoft's Word Template patch? Who will goad them?
History suggests Richard M. Smith will goad the media this time. It's a safe bet, trust me...

OKAY STUDENTS, TIME for a quiz. Which computer security firm is not like the others?

  • Coordination:
    • Finjan didn't notify Microsoft's computer security team about Russian New Year.
    • FRISK notified Microsoft's computer security team on Word Template.
  • Press conferences:
    • Network Associates staged a press conference for Remote Explorer. They teased reporters with hints of an immediate worldwide threat to computing. They waited hours before announcing details.
    • Finjan staged a press conference for Russian New Year. They teased reporters with hints of an immediate worldwide threat to computing. They waited hours before announcing details.
    • FRISK didn't hold a press conference for Word Template.
  • Which came first, the chicken or the egg:
    • Finjan discovered Russian New Year one month after Microsoft developed a patch for it.
    • FRISK discovered Word Template before Microsoft ever knew of the threat.
  • Hacker instruction manuals:
    • Finjan refused to explain how Russian New Year works, yet they sent complete instructions to reporters' computers as a demonstration.
    • FRISK refused to explain how Word Template works, and they refused to demonstrate it publicly.
  • Website hype:
    • Network Associates hyped Remote Explorer on their website and called it the most complex virus ever discovered.
    • Finjan hyped Russian New Year on their website and called it the most dangerous security hole in Internet history.
    • FRISK didn't announce Word Template on their website.
  • Mainstream media coverage:
    • Reporters described the immediate worldwide threat posed by Remote Explorer.
    • Reporters described the immediate worldwide threat posed by Russian New Year.
    • Reporters did not cover Word Template.
  • Computer industry media coverage:
    • Reporters described the immediate worldwide threat posed by Remote Explorer.
    • Reporters described the immediate worldwide threat posed by Russian New Year.
    • A handful of reporters wrote stock stories about a patch for the "theoretical" Word Template exploit.

In the final analysis, Word Template qualifies as one of many Internet security holes discovered over the years. It will soon join its brothers in the land of obscurity. Download the patch, install it, and get on with your life.

Did you guess which computer security firm is not like the others?

WELL, I'VE BASHED Finjan & Network Associates enough. Let's discuss what I think of Word Template. In the final analysis, I lump it in with all the other serious Internet security holes discovered in the last twelve years. I predict it will soon join its brothers in the land of obscurity. Download the patch, install it, and get on with your life. Ta da! Enough said.

I must admit, today's lack of hysteria felt very refreshing. Of course, everybody "in the know" let Microsoft downplay it — something you can't say for the previous two events. Amazingly, FRISK walked away from millions of dollars in free publicity when they abandoned Word Template. Bontchev still grumbles about security problems in Microsoft products yet he remains politely quiet.

(Redmond will host a little-known conference next month for computer security vendors. Man, if they don't pick up Bontchev's entire tab...)

Leonhard went a little overboard with rhetoric in his newsletter, but I can easily forgive the co-author of a book called "Office 97 Annoyances." He kept quiet and postponed his WOW newsletter until Microsoft released a patch. He even asked me for constructive criticism four days before the news broke. (For the record: I offered zero criticisms.) Leonhard honestly cares about computer security and he, too, hoped to avoid a media circus.

FRISK walked away from millions of $$$ in free publicity when they abandoned Word Template. However, I doubt it will remain an orphan for long. (Did I mention Richard M. Smith?)

Unfortunately, I don't think the media will ignore Word Template for long. Richard M. Smith (Phar Lap) likes to adopt orphaned computer security issues and he'll find this one hard to resist. Smith will probably point to my website as proof of a massive world threat: "even Rosenberger thinks this thing is twice as big as Russian New Year!"

(No offense to Smith. We actually get along quite well in private if you can believe it. He knows I fight people like him as a hobby; I know he dabbles in computer security. He believes in his cause; I believe in my cause.)

I'LL STEP ON some toes when I say this, but I just don't see a philosophical need to keep every security hole a secret until a patch comes out. Notice I said "a philosophical need." Let me explain.

Did friends scare you with Halloween stories about Russian New Year? Why didn't they scare you with Halloween stories about Word Template? Answer: the media feeds them Halloween stories.

Suppose Leonhard or Bontchev alerted the media when Word Template first came to light. We lived with it for years, so why should a few more weeks make any difference? How many computers would succumb to this exploit in the time it takes to develop a patch? "Aha, but now the hackers know it," you say. "The world faces imminent danger."

Knowledge of this exploit's existence would somehow make it a race against the clock? Bah. Most people only visit sites like CNN, Yahoo!, ESPN, antivirus.com, coworkers' home pages, etc. Where do you go that makes you so vulnerable to hacking? Do you fear the Weather Channel will spring this newly discovered security hole on website visitors? What makes you or your company special enough for a malicious hacker to single you out for a Word Template email hack? Can you honestly say "my computer is secure except for this one exploit"? Do you honestly think you'll wind up in an unemployment line if you don't fix it immediately?

(Many computer security specialists disagree with me on this point. They simply cannot trust all employees to visit only safe websites and read only safe emails. I share their viewpoint, yet I must ask the obvious question: "why do you let an employee use the Internet at all if you can't trust him/her to use it safely?")

Okay, I'll bite. How many computers will succumb to Word Template just because it lacked a media circus?

Hackers know a lot of ways to make your computer miserable. They don't even need to use security holes — they can exploit various features of the Internet if they wish. Or they can use the Internet itself to damage your reputation. For example, how would you stop someone from... oh, let me think... Aha! How would you stop someone from using the Internet to announce a major security flaw in your flagship business application?

Realistically, then, a company like Microsoft hides any given security problem just to avoid negative publicity. This means Leonhard & Bontchev did two big favors. First, they found an important security hole; second, they didn't embarrass the folks in Redmond.