Following the wrong script

Microsoft's Office 95 macros were meant to reduce repetition. But the automatic proved problematic, says Charles Arthur
Click to follow
The Independent Online

Some time in 1994, Bill Gates had a brainwave that was to benefit a huge group of people – mostly in two opposed, but symbiotic, groups: antivirus companies, and virus writers. But that wasn't his intention. What the head of Microsoft decided was that his company's products should be able to execute what programmers call "scripts", and most other people would call "programs". (As a compromise, Microsoft calls them "macros".)

"It was Bill's idea. He had this dream of taking the office applications – the word processor, spreadsheet, database – from simply being document creators, and advancing their capabilities to allow for the automation of tasks," explains Mike Pryke-Smith, UK group marketing manager for the Office suite. "The idea was to speed up repetitive editing – formatting particular words or inserting a table with specific boundaries and columns into documents, or checking the contents of the fields in a submitted form. And the idea was that the language that was used would be transparent across applications. That's VBA – Visual Basic for Applications."

VBA first appeared in 1995 with Office 95, and Word 6. Its greatest potential benefit was to spreadsheet users, who would often have to take many numbers and format them in particular ways. Such "work-flow automation" is an ideal, and something that programmers aspire to. However, the power of VBA was also the potential undoing of users. Microsoft allowed macros to be included with documents, and to execute as soon as they were opened. The briefest reflection suggests that this action is very unsafe – especially when a macro can change any of the contents of a file. Macros would change the file Normal.dot, the "template" of every document, and so infect the program, and auto-execute on any document that was opened.

The first "macro virus" emerged in August 1995. Industry whispers say that it was written by a contractor at Microsoft who realised what could be done; it accidentally emerged into the "wild" on a document on a CD-ROM that the company sent out. Microsoft has never confirmed this, but all the signs point there. And given that it was the company where all the bright sparks looking to show off worked in the mid-Nineties, it would be disappointing if one of them hadn't been smart enough to figure that out.

Two more important aspects were that this virus, quickly dubbed "Concept", went unnoticed by antivirus software of the time; and that it was cross-platform, meaning that for the first time ever, machines running both Windows and the Apple Macintosh operating systems were vulnerable. Though patches were quickly written, they were only effective against that one macro. Others followed as virus writers around the world, who had previously needed assembly code to write viruses, realised that they could create them with a simple, English-like language.

Soon others such as "wazzu" followed: this simply changed random words in any document that you opened to "wazzu". It may seem merely annoying, but it could be disastrous in, for example, a legal brief. Macro viruses for Excel followed. These could be even more dangerous, because changing one formula in a table could have a dramatic effect on a calculation. They never caught on, though, partly because people don't swap spreadsheets very often, and also because the layout of a spreadsheet varies far more than that of a document.

Virus writers and antivirus companies alike had a field day, the first producing and the second defeating new versions of this exploit. Microsoft insisted that people really wanted VBA, though, and in 1997 standardised it across the Windows platform. This made the problem even worse. The only way to defeat macro viruses for certain was to block their ability to change the template of documents. But that takes you full circle to some time before 1995.

"Some companies do that – they lock the Normal.dot file," says Pryke-Smith. "But that means you can't run any macros at all."

Microsoft did wise up to what was happening – later versions of Office brought up a warning when a document contained a macro, offering the user the choice to run it or not. However, it couldn't tell you what the code would do – making it rather hard to decide whether to go ahead or not, if the document came from someone you know. Office XP, its latest version, brings in "digital signing" for macros, so that only those written by people you trust can run.

But we haven't seen the last of macro viruses. "We reckon there are 10,000, of a total of 78,000 of all sorts of worms, viruses and so on," says Graham Cluley, senior technology consultant at the antivirus company Sophos. "So macro viruses certainly haven't done badly."

Comments