MS Outlook: Cloudy security

Did Microsoft learn from Melissa?

Security experts said they believe Microsoft, of Redmond, Wash., should take more responsibility for the threat of VBScript-borne viruses. It had more than a year to react after last March's Melissa virus but did nothing to prevent the recent rash of similar viruses, they contend.

"They [Microsoft] have integration as a default, they have permissiveness as a default. The OS assumes that every application is trusted and gets complete control," Bruce Schneier, chief technology officer and founder of Counterpane Internet Security Inc., of San Jose, Calif., said in an interview at NetWorld+Interop in Las Vegas this week.

Shimon Gruper, executive vice president of the Internet security unit at Aladdin Knowledge Systems Inc., said the inherent vulnerabilities of the Microsoft technology likely mean that virus attacks such as ILoveYou will continue.

"The tools are very open for everybody to write new executable programs," Gruper said from his office in Haifa, Israel. "However, there is no security built in."

Just shutting off the scripting language may not be the simple answer. Because of tight integration, Gruper noted that if companies try to disable VBScript to avoid problems, users could have difficulty logging in to their corporate network.