Microsoft plans to release an Outlook security patch in the wake of the devastation wrought by the Loveletter (aka Love Bug) virus, a Visual Basic (VB) Script bug that propagated by exploiting Outlook's address book feature to pass itself along as an email attachment. This patch makes it harder for viruses such as Loveletter to gain access to Outlook's address book.
The security patch prevents an Outlook user from opening any attachment that contains Level 1 Security Files (attachments with executable code), including .exe files, .com files, .bat files, .vbs files, and .js files or any links that might link to executable code including .url files, .isn files, .lnk files, and .pif files. The patch also warns a user accessing Level 2 Security Files (attachments with .zip or other archive files).
The patch pops up a window that prompts you for positive input when an application attempts to access the Outlook address book. The message reads: An external application is trying to access e-mail addresses you have stored in Outlook. Do you want to allow this? This requirement prevents simple scripts, such as Loveletter, from opening your address book without your knowledge and using the email addresses there. The prompt asks you to specify a length of time that you'll allow automated access to the address book. You can choose 1, 2, 5, or 10 minutes or you can refuse access. The original suggestion for this patch came, not from a techie, but from US Congressman Anthony Weiner of New York in a US Senate Subcommittee hearing in the wake of Loveletter.
The patch also bumps up Outlook's default security from Internet Zone to Restricted Zone. Of course, in disabling automated access to address book functionality, Microsoft's fix interferes with the functioning of many third-party products that depend on such access. The fix affects products from Novell, Palm, Accountmate, Great Plains Software, Chapura, FileNET, Instinctive, Micro Eye, Motiva, Paragan Software, Pumatech, Rim, Slipstick Systems, and others.
This patch marks the first time that Microsoft has had to remove a feature to respond to a security crisis. Microsoft representatives called this patch unprecedented. "In today's growing environment of cyberterrorism, Microsoft believes that stronger security options should be built into Outlook." Patches are available for Outlook 2000 and Outlook 98. For more information and the patch itself, see Microsoft's Web site. According to a Microsoft spokesperson, the patch will be available sometime during the week ending May 26.
End of Article
The headline to this article is misleading.
I knew that Microsoft *planned* to release a patch this week. This article headline made me think that this patch had now been released.
It would have saved all of us a bit of time if the headline would be "Imminent Release of Outlook patch after recent viruses" or similar until such time as the patch is indeed released at which time you can make that fact clear in your header e.g. "Outlook patch now released"
Mike Walsh May 25, 2000
"The original suggestion for this patch came, not from a techie, but from US Congressman Anthony Weiner of New York in a US Senate Subcommittee hearing in the wake of Loveletter."
In fact, many "techies" made the suggestion of object model protection for Outlook long before any congressional hearings. I don't see why Cong. Weiner should be credited.
Furthermore, the object model guard feature affects not just address book access but also any functions that send messages automatically. This means the update breaks many significant built-in features such as Net Folders and mail merge to e-mail via Microsoft Word.
Your article lists companies whose products will be affected. This is not quite accurate. It would be better to say that these companies' products "may" be affected. My company, like the others listed, will not be able to say exactly what will be affected until Microsoft releases the final version of this update.
Sue Mosher May 30, 2000
I find myself quite upset after applying the Outlook security patch - inadvertently, I might add. As a routine part of my job, I frequently send and receive Access (.mdb) files and self-extracting zip files. Now I flat out can't receive them. I'm not an idiot and am perfectly capable of determining on my own whether or not I wish to receive these files, but Microsoft has removed any and all option.
Not only that, but they've seen fit to make this patch non-removable. I've gone as far as to re-install Office, but the darn thing's still with me. I just recently reformatted my hard drive and I don't feel compelled to go through that again.
I, as our company's primary Microsoft proponent, have been strongly pushing our upper management to switch our corporate email client from Eudora to Outlook, but after this patch I think I may be me that switches from Outlook to Eudora.
Todd Hobdey June 19, 2000
Your Comments (required):Thanks for the info. It answered my question. I use Chapura, can you tell me how to avoid the message or remove the patch ?. Thanks again
Jesus Bilbao July 08, 2004
Well, since no one else pointed this out, if you search the MS KB, you'll find a detailed article about how to edit the registry and allow .mdb or .exe files to be saved or opened from Outlook. I believe the information is here: http://support.microsoft.com/default.aspx?scid=kb;en-us;829982
Look Todd, it's me!
Anonymous User December 20, 2004
You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor?
Register now
Picking a favorite product from an impressive crowd of competitive offerings is never an easy task, and such was the case with our Editors' Best and Community Choice awards this year. ...
An often irreverent look at some of the week's other news, including some post-PDC some soul searching, a Google Chrome OS announcement and a Microsoft response, Windows 7 off to a supposedly strong start, the Jonas Brothers and Xbox 360, and so much more ...
Free CDs Offer Fundamental Content for IT Pros Are you up to speed on the latest technologies and solutions? Don't miss out on your chance to get up to speed quickly on fundamental, in-depth information on some of the hottest topics in our library of content.
Let Your Users Reset Their Own Passwords: Free Download Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.
Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!
Deep Dive into VMware vSphere, eLearning Series Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Register
I knew that Microsoft *planned* to release a patch this week. This article headline made me think that this patch had now been released.
It would have saved all of us a bit of time if the headline would be "Imminent Release of Outlook patch after recent viruses" or similar until such time as the patch is indeed released at which time you can make that fact clear in your header e.g. "Outlook patch now released"
Mike Walsh May 25, 2000