Ever wonder how the news really works behind the scenes? I got a powerful firsthand lesson on 3 March, when Worcester Polytechnic student Paul Greene discovered that "serious flaw" in Microsoft's Internet Explorer. That's when I became the unwitting source of a sound bite that overshadowed the real news.
My first indication that something was up was an email from Gene Spafford, who has been my co-author and editor on three computer-security books. Gene subscribes to bugtraq@netspace.org, a "full-disclosure" mailing list about hot computer security holes. The subject line was "FYI - browser bug." The message pointed to Greene's Cybersnot Web page.
As I read the message, my jaw dropped. "Cool," I thought. "I can run any program I want on anybody's computer who looks at my Web page with Internet Explorer." Sort of like ActiveX without the code-signing.
Five minutes later my phone rang. It was Thomas Reardon, who works at Microsoft on IE. "I want you to know that this isn't an ActiveX problem," were the first words out of his mouth.
I told Reardon that I had read the Cybersnot message and didn't think that this IE problem was any more significant than the numerous security problems that have plagued Netscape's Java engine. After all, the Secure Internet Programming group at Princeton University had discovered a dozen or so ways of making Java Virtual Machines run arbitrary machine code. The only difference between their attacks and this one was that you needed to be fluent in Java bytecodes, x86 assembler language, and obscure type systems in order to exploit the Princeton attacks. For the Greene bug, all you needed to know was HTML.
But Reardon was worried. He said that his co-workers at Microsoft were certain that the press was going to burn them alive. And the bug was so simple - just two flipped bits in IE's registry entries. Internet Explorer has a list indicating whether files are safe or dangerous to open, Reardon explained to me. URL files and LNK files had been listed as safe, meaning it's OK for IE to open them without first asking the user's permission. They should have been listed as dangerous.
Next my pager went off. My friend Beth Weise, cyberspace correspondent for the Associated Press, wanted me to call another reporter, and fill him in. I tried to stress to the reporter that the real problem wasn't Internet Explorer - it's the fact that people use the Windows operating system, which has no built-in security. "What we really need is secure operating systems, but corporate America doesn't buy them," I said. But that didn't make for a good story.
The AP story must have gone out over the wire about 10 minutes after I hung up the phone, because I had just sat down to dinner when my phone rang again. This time it was CBS Radio News. They wanted to do an interview-to-tape right then! So I told the guy from CBS the same thing I had told George from the AP. The impact of this bug, I said, was that it acted as if somebody were messing with your computer while you "went out to lunch."
That "lunch" quote had wings of its own. Within the next 24 hours I was quoted on CNN, CNBC, National Public Radio, and dozens of publications. The Seattle Times ran my quote. It was really weird, because the woman who wrote the story knows me, knows my home phone number, but she found it easier just to grab the quote from the AP than to call me up and get the story behind the sound bite.
This sort of quote reuse is actually typical for the nation's news services. I shouldn't be surprised. But I was upset that everybody focused on the immediate problem - a bug (oh no!) in Internet Explorer.
Nobody asked why today's computers are so brittle that a single bug could leave a Web surfer wide open to attack.
Nobody made the connection between this bug in Internet Explorer and ActiveX. Microsoft goes to great pains to make sure that security-critical bugs like this don't slip into its applications, and yet this one did. What about signed ActiveX components? They're sure to have security-critical bugs as well - especially since many of them will be written in C++. This is a problem that Java applets simply don't have, because they run within the restricted sandbox environment.
Nobody seems to be looking to the future. We're building a wired world, but all those wires are crossed. We've had a lot of warnings. Pretty soon, we're going to start having disasters. It's time we started looking harder at the threats.
