Trojan horse complicates IRC experience

The Computer Curmudgeon, Jan. 2, 1998

By Gary Kirchherr

Those who've visited my Web pages know I'm a fan of Internet Relay Chat, or IRC. Consider what America Online's chat rooms would be like if you, the individual user, and not AOL could be in charge of a permanent room; if you could select those to help you run the room; and if you could remove and keep out disruptive individuals. Further imagine that several chat "networks" of every size exist to choose from. Dream no more; all this is what IRC is all about.

The IRC user selects the program he or she uses to chat. The most popular such program with those stuck with Micro$oft Windoze is mIRC. Unfortunately, about a month ago a serious flaw manifested itself in the then-recent version of mIRC, and it has wreaked havoc on IRC networks all over the Internet.

It seems that there's an mIRC file called script.ini, which by itself is innocuous. With mIRC 5.11, the most recent version of the program at the time, script.ini resided in the default directory for receiving IRC user-to-user file transfers. Further, mIRC 5.11's default settings are set up such that one of two things happens: The user receives files automatically, and automatically overwrites any like-named files there; or the user is asked whether to accept the file transfer, and whether to overwrite the original. I don't know which one is correct; I've heard both. But even if mIRC asks whether to accept a file and delete the old one in its place, many newbies simply are going to go ahead and do so. And therein lies the problem.

Some clever lamer with too much time on his hands figured out how easy it was to get other users to replace their legit script.ini file with a bogus one. He further discovered that mIRC will accept the bogus file as normal, and read and execute the code within it. The computer code in the bogus script.ini could make the affected copy of mIRC do all sorts of things that its owner wouldn't want it to do.

Is the picture becoming clearer? Well, if not, let me recount my own recent experience on DALnet, one of the larger IRC networks in the world, where I do virtually all my online chatting.

When the script.ini problem first hit, all these other DALnet users tried sending me a copy of script.ini. Like any IRC user who isn't totally naïve, I don't accept file transfers unless I know exactly what I'm getting, and from whom. And I certainly wouldn't accept anything that I know isn't for a Macintosh. Anyway, I soon found out why so many people were trying to send that file. One of the features of the bogus script.ini is that it tells mIRC to send itself to every new person who comes into a channel (what you AOL'ers call "rooms"). And of course, the newbies accept it without even realizing it, and these newbies' mIRC programs try sending script.ini to others ... and then you have a mess.

But this Trojan horse does more than duplicate itself. The code in that file could allow a hacker to access your passwords, or view your private messages. It could cause your computer to delete important files. And many of these script.ini files are booby-trapped in such a way as to inflict even more damage if the user tries to remove the file from his or her mIRC directory the wrong way.

The IRC networks responded to the threat swiftly. News about it appeared in Usenet message boards. Those in charge of IRC networks warned users not to accept script.ini files. One former DALnet IRCop, Christopher Mitchell, put up a script.ini FAQ. This is definitely required reading for anyone with mIRC 5.11.

As one might guess, mIRC's author has been catching heat on the Net for the sloppy programming that allowed this problem to surface and spread, especially among unsophisticated mIRC users. One critic, Crazy Diamond, complained on Usenet: "The major cause to the problem here is that the author failed to recognize that stupid people also buy computers." He adds: "For a programmer to set, as DEFAULT, auto-get and auto over-write to such vulnerable and easy-to-abuse functions, in a program to be used en masse, is a clear indication of his/her ineptness in designing, unbelievably short-sighted thinking, logically-impaired decision making, and complete lack of understanding of security issues."

Perhaps not coincidentally, a new version of mIRC was released shortly after the script.ini problems began. And it's my understanding that version 5.3 corrects these problems. One of the fixes, a separate default directory for downloads, by itself could have spared everyone a lot of grief. Anyone using mIRC who doesn't have the new version should visit the mIRC Web site and get it. Now.
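The fixes discussed above (a download directory separate from the program's own files, and no silent overwriting of like-named files) can be sketched as follows. This is an added example, not mIRC's code; save_incoming, TransferRejected and the AUTOLOADED list are hypothetical names chosen for illustration.

```python
import os

# Assumption: file names the chat client loads and executes by itself.
AUTOLOADED = {"script.ini"}


class TransferRejected(Exception):
    """The offered file must not be written to disk."""


def save_incoming(app_dir, download_dir, offered_name, data):
    """Store a received file without touching the client's own files."""
    app = os.path.normcase(os.path.realpath(app_dir))
    dl = os.path.normcase(os.path.realpath(download_dir))
    # Fix 1: downloads never share a directory with auto-loaded scripts.
    if dl == app:
        raise TransferRejected("download directory is the program directory")
    # The sender chooses the name: drop any path, then the trailing dots
    # and spaces that Windows would silently strip.
    name = os.path.basename(offered_name.replace("\\", "/")).rstrip(". ")
    if not name:
        raise TransferRejected("no usable file name")
    # Fix 2: refuse names the client would execute, whatever their case.
    if name.lower() in AUTOLOADED:
        raise TransferRejected("refusing auto-loaded name: " + name)
    # Fix 3: never overwrite. Mode "x" fails if the file already exists,
    # so a like-named file gets a numbered name instead.
    stem, ext = os.path.splitext(name)
    for n in range(1000):
        candidate = name if n == 0 else "%s.%d%s" % (stem, n, ext)
        path = os.path.join(dl, candidate)
        try:
            with open(path, "xb") as fh:
                fh.write(data)
            return path
        except FileExistsError:
            continue
    raise TransferRejected("too many files named " + name)
```

Any one of the three checks would have stopped the replacement of script.ini described above; together they also cover a user who clicks "yes" to every prompt.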

A quick note on the Micro$oft saga

I'm going to confine my remarks about America's favorite monopoly and its ongoing war with the U.S. Justice Department by referring you to two columns by Jesse Berst, editorial director of ZDNet AnchorDesk.

Berst's Nov. 24 column noted a couple of events that the mainstream media glossed over. One was that the Computer and Communications Industry Association, in a court brief it filed in support of the DOJ, accused Micro$oft of "extortion." Muses Berst: "I knew Microsoft's stock was low in the high-tech industry, but I didn't realize how universally feared and despised it has become." Also around that time, Ralph Nader portrayed Micro$oft as a "danger to the Internet." And finally, you've got Bill Gates showing he's taking the whole legal battle with the DOJ very personally. Observes Berst: "He's starting to sound shrill. Paranoid. Over the line." Yup, the world is getting a very interesting perspective on Mr. Gates, and it's quite different than the one of a cute, cuddly nerd the media is so fond of.

Next, Berst's Dec. 17 column discusses what he feels are three hidden dangers facing Micro$oft, and all of them have to do with that company's negotiations with others: Computer makers who are fed up with having Micro$oft dictate to them; the DOJ; and the industry, which would look less favorably on M$ if Windows 98 hit a snag because of what's going on in court right now.

Should you care about any of this? You should. As I've mentioned before, the future of personal computing hangs in the balance.
