Micro Times July 21, 1999 page 151


Office 2000:
Are New Features Worth the Risk?

By Birrell Walsh

In a recent issue of Micro Times, Lawrence Magid wrote about the new features of Microsoft Office 2000 ("Office 2000: A Real Improvement For Users," June 23/25). This suite certainly does have a lot of functionality, but I evaluated Office 2000 not long after seeing The Matrix, a movie that will disturb your sleep long after you leave the theater.

It set my mind to speculation, maybe to paranoia, a tendency that permeates that film. In this speculative mood, let me make four predictions about the chain of events Office 2000 will set off:

Office 2000's real breakthrough is that it lets third-party developers build Internet-interactive products that work without leaving Office. Previous editions of Office were not fully programmable. Although Access, Word and Excel had full versions of the programming language Visual Basic for Applications (VBA), Outlook had only a subset. And the suite did not include a Web-authoring tool.

But VBA courses throughout the newest Office applications. Microsoft has added its VBA-enabled FrontPage Web-authoring tool to the suite. Each application's macros can call the functions of all the other applications.

The possibilities boggle the mind. The newly programmable Outlook, for instance, can now interpret and manipulate e-mail. This programmability is a significant strength but opens users to a significant vulnerability. Outlook can acquire information from an Access database or an Excel spreadsheet, compose new e-mail and send it off - all without human intervention.


DOUBLE AGENTS

As a result, a Word macro virus that invades a system by e-mail can cause substantial damage. A virus could launch other Office applications, such as Excel, and request quotes from a stock-quote service. Based on what it finds, it could make sell and buy decisions, then send off instructions to your online brokerage. A virus also could launch Excel and Outlook and e-mail your spreadsheets to someone who would use the data to harm your company. Or it could modify a Web page created in FrontPage, attacking your Web site or intranet.

FrontPage can read a clock and build and deploy new intranet pages on schedule using information from Word, Access or Outlook files. The upside: Users can create applications that automatically update their intranet sites with new appointments or database information. The downside: So can a malevolent virus.

These untouched-by-human-hands programs are called agents: semi-autonomous scripts that carry out tasks for you. VBA is a bit obscure; the obscurity will slow the initial deployment of these agents because it will probably take a professional programmer to write most VBA programs. But Microsoft has such a large chunk of the market that professionals will be quickly attracted to writing customized agent-scripts for businesses large and any determined, motivated student can learn to use VBA.

Because VBA is similar to Visual Basic (VB), the stand-alone language, programmers will trade many procedures and functions between them. The VBA community will draw on the rich body of VB code as it writes for wealthy and demanding consumers who want their customized automated Office 2000 right now.

Someone once asked the thief Willy Sutton why he robbed banks. "Because that's where the money is," he replied. Suddenly a large new part of the business world will have programmable applications that reach right into their most precious data. And some of those applications can receive instructions from the outside (Outlook) and send information to the outside (FrontPage and Outlook).

Does this feature look like virus-bait to you?

It could be. Whatever motivates virus-writers and saboteurs, opportunity is a major part of it. Biological viruses, after all, infect only programmable systems such as the cell; they don't touch unprogrammable systems, no matter how nutrient-rich they are.

Microsoft has turned the nutrient-rich world of Microsoft Office data into a programmable system. A virus can now command applications to do anything they're capable of, including sharing, changing, erasing and exporting data.

The Melissa virus that hit the business community hard in March was just a virus in Office 97, which has a much less robust programming system. This Word virus examined Outlook 97's address book, found 50 names, and used the User Information we all have filled out to create a subject heading that said "Important message from [user name]."

Virus-writers can do a lot more with the interprogrammability of Office 2000. Melissa will spawn children.

Microsoft is aware of the potential problems in having a data-rich programmable system exposed to the Internet. The Microsoft Office 2000 Visual Basic Programmer's Guide devotes more than 90 pages to security issues. Programmers can employ passwords and compile and hide code. Security levels range from totally trusting to totally paranoid. Encryption is now augmented with digital signatures and certificates that identify work from people you trust - people whose documents you can accept and run without fear of infection.

But these security systems are prime targets for saboteurs. One possibility is the binary virus. A departing employee leaves a harmless-looking but oddly named procedure buried in a VBA application. An arriving document has a different harmless-looking macro in it that calls the oddly named procedure already resident in the distant application. Each is harmless alone, but put them together and the whole system blows up.

Another possibility is a procedure designed not to crash a system, just slow it down. It's not a deadly virus, just a cold, but over months the system loses efficiency.

A third potential binary virus is embedded VBA code that would be damaging but it is prevented from running by a weekly inhibiting e-mail message. If the trusted employee becomes disgruntled and leaves, the inhibiting message stops arriving, and the whole system goes down.
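A reviewer can surface the first scenario above, a macro in an arriving document that calls a procedure resident somewhere else, by listing call-by-name targets that the document itself never defines. This is an added example, not part of the original article; it assumes the document's VBA module source has already been extracted as text, it covers only calls made through Run, and every module and procedure name in the sample is constructed.

```python
import re

# Sub/Function declarations, with optional scope keywords.
DEF_RE = re.compile(
    r'^\s*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?(?:Sub|Function)\s+(\w+)',
    re.IGNORECASE | re.MULTILINE)
# Call-by-name through Run: Application.Run "Name", Run("Name"), Run MacroName:="Name".
RUN_RE = re.compile(
    r'\b(?:Application\.)?Run\s*\(?\s*(?:MacroName\s*:=\s*)?"([^"]+)"', re.IGNORECASE)

def strip_comments(src):
    """Remove VBA comments (' to end of line) that start outside a string literal."""
    kept = []
    for line in src.splitlines():
        in_string = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                line = line[:i]
                break
        kept.append(line)
    return "\n".join(kept)

def unresolved_run_targets(modules):
    """Return (procedure, calling module) pairs for Run targets no module defines."""
    defined, called = set(), {}
    for mod_name, src in modules.items():
        code = strip_comments(src)
        defined.update(name.lower() for name in DEF_RE.findall(code))
        for target in RUN_RE.findall(code):
            # "Project.Module.Proc" or "Book.xls!Proc": keep only the procedure name
            proc = target.split(".")[-1].split("!")[-1]
            called.setdefault(proc.lower(), (proc, mod_name))
    return sorted(pair for key, pair in called.items() if key not in defined)

# Constructed sample: module source of an arriving document (benign placeholder code).
SAMPLE_DOC = {"NewMacros": '''
Sub AutoOpen()
    Application.Run "TidyFonts"                   ' defined below: resolved
    Application.Run "Normal.Utils.ZqLedgerSync"   ' defined nowhere in this document
    ' Application.Run "CommentedOut"
End Sub
Private Sub TidyFonts()
End Sub
'''}

print(unresolved_run_targets(SAMPLE_DOC))
```

An unresolved target is not proof of sabotage, since legitimate add-ins are called the same way; it is a prompt to find out where the named procedure lives and who put it there.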

This is where the visions of The Matrix come in. The film is about artificial intelligence taking over the world, with agents dressed in business suits doing the dirty work.

Such visions reflect the perception that the American business model is based on, let us say, a divergence of interests between the employer and the employees. Nineteenth-century French workers are said to have dropped their wooden shoes - sabots - into machines. The "use-em-and-lose-em" employee relationship gives workers plenty of motivation to drop an occasional wooden shoe into the data-flow gears of the business. Office 2000 now gives each employee the tools to craft those wooden shoes.


CHILDREN OF MELISSA

"OK," the system administrator says. "I will just not use any of the VBA features. And I will make having Visual Basic code on your machine a dischargeable offense!"

It's not that easy. Any time a user records a macro, it is kept as VBA code. No more Excel macros? No more automated database projects in Access? Many third-party products use VBA interfaces. Are we not going to use the voice-to-text Dragon NaturallySpeaking because it uses VBA to connect to Word?

Programmability will give Office 2000 users a powerful competitive edge. If you don't allow your employees to use its features, you will block them (and yourself) from being competitive. Your rivals, who will deploy automated Web pages and auto-responding e-mail and online quotes from inside Office 2000, will simply be better and faster than you are.

We have here what I will call Walsh's Dilemma: "If your system is not Internet-connected and programmable, you are not competitive. If it is Internet-connected and programmable, you are vulnerable."

A large number of companies using Office 95 or Office 97 today will deploy and use Office 2000. Office 2000 will attract hackers and virus-crafters, and some will succeed. Microsoft and virus-fighters will keep creating new interceptors to protect systems. And neither side will win.

In biology this is called co-evolution. Predator and prey evolve together, creating new strategies of attack and defense. The process never ends, because it is the mechanism of evolution itself.

In strategic terms, it means that before deploying Office 2000, users need to inform themselves about the vulnerabilities they are incurring. They will need to spend more time on security than ever before. The cost of operating computer systems will increase. Productivity of systems will also increase, because Office 2000 will be able to do more than any of its predecessors.

In specific and practical terms, users will need to find a trusted source of virus-killers and sabotage prevention that will become a primary business resource. Two possibilities for users are the venerable McAfee, Santa Clara, CA, which has a free virus-information library, and the innovative Icelandic company Frisk, which provides the powerful (and free to individuals) f-prot and f-macro viricides.

Users will also need to learn Office 2000's powerful hidden tools. This is one product worth going to school for, or at least investing in some new books on. The stakes are going up, and there is no point looking for an exit.


Resources

Lawrence Magid's Review

http://www.microtimes.com/194/desktop.htm

McAfee

http://www.mcafee.com

Frisk Software International

http://www.complex.is

Other useful information

Basic information about agents in general is at...

http://www.cs.umbc.edu/agents/agentnews

Programming with Microsoft Outlook and Microsoft Exchange

By Thomas Rizzo
Microsoft Press
$50