Truth About Computer Security Hysteria

Vmyths.com uncovers a willing scapegoat

Rob Rosenberger, Vmyths co-founder
Friday, 2 February 2001

LAST MONTH'S MELISSA hysteria created some bad press for Microsoft. As you may know, an obscure error crept into the Word 2001 for Macintosh file format. The error didn't affect Microsoft Word users, but it did change the way some antivirus programs look for macro viruses.
Some antivirus products couldn't detect viruses in the "unanticipated" file format. This problem came to the forefront when a year-old variant of Melissa slipped past corporate email defenses. Media outlets around the world raised alarms when they heard about it.

Vmyths.com has just learned Microsoft made themselves a willing scapegoat in this controversy. Up until now, just about everyone believed this snafu came to light in mid-January. Vmyths.com reported for almost two weeks that "it appears no one noticed the error before [Melissa's resurgence]." WOW Newsletter believed it, too, and they blamed it on Redmond's quality control standards:
The change of [compilers] should have directly led to a scrupulous checking of document structures among many things — these checks were apparently not done or done incorrectly. The failure to notice the effect of the change demonstrates that Microsoft doesn't include in their testing any decent checks for compatibility with existing anti-virus products. It also demonstrates, yet again, that anti-virus issues have too low a priority at Microsoft.
Vmyths.com obtained confidential email traffic which sheds new light on this controversy. We now know Microsoft (1) identified the file format error last year, (2) realized its impact on antivirus software, and (3) disclosed the details to antivirus vendors on 4 December, more than a month before W97M/Melissa.W caused a re-ruckus.

Some vendors either lagged behind in their updates, or they failed to perform adequate software testing, possibly due to holiday vacation schedules. These vendors raced to patch their software after the media cried wolf in mid-January. At least one vendor issued a "band-aid fix" to appease customers (and the media) while they worked on a more permanent solution.

This "update lag time" didn't surprise Robert Vibert, moderator of the Anti-Virus Information Exchange Network. He notes it has occurred before and it will almost certainly occur again. "It's customary in the antivirus industry to apply virus-specific band-aids until the engineering changes can be implemented in the next software release," Vibert explained. "I don't see any way for [antivirus] developers to change that practice and continue to provide protection against fast-breaking viruses while using known-virus scanning technology."

VIRUS EXPERTS MUST sign a non-disclosure agreement (NDA) before Microsoft will talk to them about sensitive topics. The folks in Redmond practiced "security through discretion" when they warned antivirus vendors about their file format snafu. The email traffic shows they did not want the public to know what caused the error. When those details emerged, Microsoft reprimanded the unknown "offending party" in a confidential memo to antivirus vendors. (I suspect they'll fire off another confidential memo when they read this column.) The message was clear: obey your NDAs or we'll stop talking to you.

Microsoft received bad press for "failing" to notice their file format error. Antivirus vendors received good press for "tackling" the problem when it came to light. Why? Gates Inc. could have deflected some of the negative publicity if they'd said "we notified virus experts on December 4..."

What does Microsoft hope to gain by this kind of secrecy? Believe it or not, I think Bill Gates & Steve Ballmer want secrecy for secrecy's sake. They want it bad. It all stems from last October's legendary hacking incident. It's a well-known secret (pun intended) that Microsoft no longer wants to deal with blabbermouths. It looks like Microsoft will even play the role of an antivirus scapegoat, so long as vendors agree to keep their mouths shut.

[continued in part 2]