Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  



Microsoft Criticized for Outlook Love Bug Patch; Changes Tune

In the wake of the Love Bug virus debacle, Microsoft had announced a new Outlook patch that the company initially planned to release on the Web during the week ending May 26. The intent of this patch was to prevent automated access to the Outlook Address Book and prevent users from opening any executable file received as an attachment or any hyperlink that might lead to an executable file. The response from users and analysts alike was negative, and Microsoft has changed its plan to accommodate the criticisms. The company announced late Wednesday, May 24, that it will delay the Outlook patch until the week ending June 2. Microsoft now plans to include the ability to modify the list of restricted files.

Many users criticized Microsoft for overkill. In the words of one anonymous posting, "That's like killing a moth with a sledgehammer." Many users send Visual Basic (VB) scripts, executables, batch files, and hyperlinks as part of their daily traffic. Microsoft's initial plan would have prevented any such action: Administrators could have added to the restricted files list, but not removed any files from it.

GartnerGroup analyst Chris LeTocq quickly fired off a Gartner report, in which he attacked Microsoft for making its patch overly burdensome. He pointed out that the patch required users to install the full Office 2000 Suite, Service Release 1. He also argued that the requirement for manual user affirmation every time an application tries to access the Outlook Address Book would interfere with many programs, such as Personal Digital Assistant (PDA) synchronization programs.

An IDC analyst pointed out that the patch would have killed many basic functions of Microsoft Internet Explorer, including JavaScript and VB script execution, and ActiveX calls.




Reader Comments
I'd agree with comments related to installation of this fix. It also seems to be very radical. Maybe allowing users to select which options to enable/disable would be a more natural approach. On the other side, most users know very little about computers and Outlook itself and would find these options too much. They just want their "thing" to work.
I think the answer lies more in educating and instructing users on what and how to do things.
Microsoft has gone a long way to create such a powerful tool. A lot of things users frequently do seem to happen so easily in Outlook. Why take that away? Teach them what viruses do and how to defend themselves from them. That's a much better fix than any.
In my opinion, Outlook is the target of malicious attacks these days only because it's so user friendly and so popular. Other applications of this sort should actually be worried that "geniuses" didn't make a virus version for their applications as well.

Thank you.

Rajko Bogdanovic May 26, 2000


Being in the military and running an NT LAN that contains two Exchange Servers 5.5, this article was helpful. I always look forward to reading and keeping up with Exchange Server articles and FAQs. I did hear several people in the Military's Information Systems Department discussing this patch. However, they appeared to rely on the first type of information released is the best and most reliable for their Military sites, without doing extensive research that requires planning and testing before the deployment. This particular article allows me to discuss the information with my superiors and will allow them to provide adequate answers to their superiors. Thanks for the article, and I look forward to hearing about the June release of this patch.


Thomas Gonzalez May 26, 2000


1) "Microsoft now plans to include the ability to modify the list of restricted files."

This ability will be there, but only as an administrative tool. Individual Windows NT and Windows 2000 users will not be able to remove file types from the list of restricted files.

2) "Many users send Visual Basic (VB) scripts, executables, batch files, and hyperlinks as part of their daily traffic."

Hyperlinks, yes. Executables, maybe. Scripts and batch files as part of the daily traffic of many users, hardly.

3) "An IDC analyst pointed out that the patch would have killed many basic functions of Microsoft Internet Explorer, including JavaScript and VB script execution, and ActiveX calls."

Simply not true. The Outlook patch was never designed to have any effect whatsoever on any functionality of Internet Explorer itself.

4) The author (along with many other writers, to be fair) completely misses the most important feature of the revised patch. From the Microsoft Office Update page at http://officeupdate.microsoft.com/2000/articles/Out2ksecOrg.htm

"Organizations using server-based security can customize certain components of the update to meet their specific security needs. For example, administrators can add or remove file types from the attachment lists (the Level 1 and Level 2 security file lists), the Outlook Object Model warning notifications, and the user or group security levels for all components of this update."

Being able to modify the restricted file type list is trivial compared with being able to alter the behavior of the Object Model Guard. In the patch as originally announced, the object model restrictions would have guaranteed that a large percentage of third-party and in-house Outlook applications would either stop working completely or have their functionality severely impaired. The changes announced mean that administrators can decide whether to allow unrestricted access to certain automation functions that their Outlook-dependent applications require. In other words, those applications won't be crippled by the patch if administrators decide to allow access to certain object model features.

Sue Mosher May 30, 2000


Microsoft should include with Exchange Server the functionality to filter out certain file types at the Internet Mail Connector. This could be strengthened further by delivering the message to an alternate mailbox and sending a message to the intended recipient stating that an e-mail was sent to you that contains a file that is a possible security threat to the company network. Please see your administrator for further information.
By diverting that message to another mailbox, the company could create a policy that would force the administrator to virus check the mailbox, and also access it from a PC that has no network rights and is a worthless computer, so that no data could be damaged. Furthermore, whatever user ID logs on to that mailbox where the possible virus is stored, that user's permissions should only include the ability to read messages and not send messages, so that the virus could not be spread through e-mail.
I am sure Microsoft is doing something like this internally because I called them and their tech support said they were, but I had to call their per incident support and pay $250 to find out how.

Brad Shaffer June 01, 2000
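
The gateway behaviour proposed in the comment above, sketched as an added example (not code from the article, Microsoft or any commenter): a message carrying a restricted attachment is diverted to a quarantine mailbox and the intended recipient gets only a notice. The restricted list, the addresses and the function names are assumptions, and the sample message is constructed.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed values for illustration; an administrator would maintain these.
RESTRICTED = {".vbs", ".exe", ".bat"}
QUARANTINE = "quarantine@example.com"

def restricted_attachments(msg, restricted=RESTRICTED):
    """Return filenames of attachments whose final extension is restricted."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows acts on the last extension only, so "notes.txt.vbs" is a
        # script; trailing dots and spaces are ignored by the file system.
        ext = os.path.splitext(name.rstrip(". "))[1].lower()
        if ext in restricted:
            hits.append(name)
    return hits

def route(raw, recipient):
    """Return the (mailbox, message) deliveries for one inbound message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = restricted_attachments(msg)
    if not hits:
        return [(recipient, msg)]
    notice = EmailMessage()  # plain text only, no attachment forwarded
    notice["From"] = "postmaster@example.com"
    notice["To"] = recipient
    notice["Subject"] = "Message held: possible security threat"
    notice.set_content(
        "An e-mail sent to you by %s was held because it contains\n"
        "a restricted file: %s\n"
        "Please see your administrator for further information.\n"
        % (msg["From"], ", ".join(hits)))
    return [(QUARANTINE, msg), (recipient, notice)]

def sample(filename):
    """Build a constructed inbound message with one attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.org", "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("body")
    m.add_attachment(b"data", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

The check is name-based only, so it does not catch restricted files inside archives or files that have been renamed; the read-only, no-send permissions on the quarantine mailbox are a mail-server setting and are not modelled here.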


 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement