Vaccinating by mail is just a simple way to push security fixes
A little more than 200 years ago, Dr. Edward Jenner discovered he could protect people against the smallpox virus by vaccinating them.
A couple of months ago, after the discovery of a Microsoft Windows flaw that makes systems vulnerable to malicious code in unopened e-mail, Timothy Mullen began working on a similar idea. He decided to exploit the vulnerability to fix it.
Microsoft's Internet Explorer browser executes ActiveX controls from Microsoft Access database files before checking configurations to see whether it should be doing so. That means malicious code in Hypertext Markup Language-formatted e-mail messages could execute from the preview pane, without even being opened.
Mullen, chief information officer for Anchor Sign Inc. of Charleston, S.C., came up with an interim fix by sending e-mail with 'vaccination' code to about 100 of his company's systems. He gave the fix to the Air Force to evaluate for safeguarding military systems.
Mullen, who works at Anchor Sign's facility in Truckee, Calif., doesn't like to use the term vaccinate.A scary site
'That's what scared everybody,' he said. 'The first thing people think of is 'a virus''unaccountable replication, uncontrolled distribution. That's not the case at all. You send the mail to the user, it opens, the exploit gets fixed, it cleans itself up and it dies there.'
The Air Force dropped his e-mail fix when Microsoft Corp. came out with its own patch for the problem. And that is as it should be, Mullen said.
'Certainly, the recommended course of action is to follow the manufacturer's advice,' he said.
But something strange happened: Even after Microsoft released its fix, people still asked Mullen for his, because it was easier to distribute.
'This was a clear indication to me that there is a need for an automated distribution system' for fixing security flaws, he said.
The Microsoft fix is superior to his, Mullen said, but it requires installing a different patch for each version of Internet Explorer, down to the service pack level.
Many administrators have no easy way of getting the patches out to thousands of users.
'I would venture to say that only a small percentage of machines have been fixed,' he said.
And therein lies a vulnerability more persistent than any flaw ever accidentally programmed into a piece of software. Manufacturers can turn out patches and fixes until they are blue in the face, and it doesn't do a bit of good until somebody installs them.
Mullen took pains to make his e-mail vaccination benign. Because it was intrusive and changed settings without permission, he didn't want recipients to forward his e-mail to other users. He considered having the message automatically delete itself and empty the recycle bin.
But, Mullen said, 'It's not right to push a delete command to a recycle bin.' So he opted for having the e-mail overwrite its code, once executed, rendering the code inoperative.
Microsoft's patches, downloadable from www.microsoft.com/windows/ie/download/critical/patch11.htm
, do a better job of solving the Explorer-Access problem at the root, but getting them onto users' systems is far more difficult.
In an ideal world, as soon as systems administrators learn of a vulnerability, they download and install the fix right away.
'And then you have the real world,' Mullen said.
In the real world, administrators download patches and install them when'and if'they get the time. Back burners get piled high with things they need to get around to, and in the meantime new crises come to the fore and demand attention each day.
'Each individual entity can do its job, and the problem still doesn't get solved,' Mullen said.