In the aftermath of the VBS.LoveLetter (aka ILOVEYOU) virus, let's look at the security features built into Outlook. Microsoft has issued an update for Outlook 2000 and Outlook 98, but that update won't resolve the open security concerns with Outlook in every organization.
What is the Outlook E-mail Security Update? Should I roll it out in my organization?
In June, Microsoft released the Outlook E-mail Security Update, a patch for Outlook 2000 Service Release 1a (SR1a) and Outlook 98. No version is available for Outlook 97. This update makes several major changes to a system running Outlook:
- It increases the default security settings for HTML mail messages so that neither script nor ActiveX controls work in Outlook mail messages.
- It causes "dangerous" attachments to be invisible to the user. These include .vbs, .exe, .bat, .url, and other file types. The user running a patched copy of Outlook can't see these files in mail attachments, open them from the mail message, or save them as files. These attachments essentially disappear from the user interface (UI), though they remain in the mail message and take up space in the user's mailbox.
- It blocks or delays access to the address book and to the methods for sending mail when external programs, or even forms designed for Outlook, invoke them.
This last feature means that the update will cripple or at least modify the behavior of many Outlook add-ins. The update also completely breaks the sequential routing of documents through Microsoft Word.
For administrators in Exchange Server environments, Microsoft provides some flexibility in how you implement the update. With a custom form that you put in a public folder, you can relax some of the restrictions that the update imposes for individual users. I'll go into detail about how these administrative settings work in next month's issue.
I recommend that you delay installing this update until you work out the administrative details for your organization. Several hundred add-ins, plus many in-house applications, exist for Outlook. Without knowing exactly how this patch could affect those applications—many of them mission-critical tools, such as customer relationship management (CRM)—you might find that installing this patch creates more problems than it solves.
Also, for Outlook 2000, you must install Microsoft Office 2000 SR1a before installing the patch, and Microsoft offers no uninstall process. The only way to remove the update is to remove and reinstall Outlook or, if you installed Outlook as part of Office 2000, remove and reinstall the entire Office 2000 suite. Fortunately, the process is quite a bit easier with Outlook 98, in which you can remove the patch through the usual Control Panel Add/Remove Programs applet.
If you want more information about this patch, go to http://officeupdate.microsoft.com/2000/downloaddetails/out2ksec.htm (Outlook 2000) or http://officeupdate.microsoft.com/downloaddetails/out98sec.htm (Outlook 98), and be sure to read all the linked articles in the Microsoft Knowledge Base. I also have a page about the update at http://www.slipstick.com/outlook/esecup.htm, where I'll be tracking applications that are affected, administrative methods, and other concerns related to the patch.
Can scripts run by themselves in the Outlook preview pane?
Scripts can be attached to a message or embedded in a message. A script that is a file attached to a message can't run by itself, but a script embedded in a mail message might be able to. The answer depends on the version of Outlook, the version of Microsoft Internet Explorer (IE), and the user's Internet security settings for Outlook.
Outlook—like other mail programs—doesn't open any attached files (including .vbs files) automatically, either in the preview pane or in an open item. Opening files automatically would be a really stupid "feature" because it would spread viruses. (I have a lot more to say about Outlook security regarding file attachments in another question.)
What about scripts embedded in HTML messages? If an HTML message contains embedded script code, Outlook 2000 won't run the script in the preview pane. Instead, you see the VBScript script file icon on the header bar above the preview pane. If you click that icon, you see the message in Figure 1.
Outlook 98 is another matter, however. In Outlook 98, whether an embedded script runs when you preview an HTML mail message depends on the Internet security settings for Outlook. The Internet security settings also govern whether a script in an HTML message runs when you open (not preview) the message in either Outlook 2000 or Outlook 98. (Outlook 97 doesn't support HTML-format messages.)
IE 5.0 and IE 4.0 deal with security in terms of zones. For Outlook, you have a choice between the Internet zone—the default for Web sites—and the Restricted sites zone. (I cover changing the zone in a subsequent question.)
The default zone for Outlook is the Internet zone, which usually uses a built-in set of security options called Medium. When Outlook is using the Internet zone, a script in an HTML message will run when you open the message in Outlook 2000 or Outlook 98 or if you just view the message in the Outlook 98 preview pane. Table 1 shows why this behavior occurs. The default Medium settings for the Internet zone in both IE 5.0 and IE 4.0 allow most basic scripting, including scripts against "safe" ActiveX controls. (See the question "Does Microsoft offer any other patches for Outlook that affect its security against virus attacks?" for information about some dangerous controls that were marked safe by mistake.)
When it comes to the preview pane, Outlook 2000 is more restrictive than Outlook 98. Outlook 2000 doesn't allow any script in an HTML message to run from the preview pane. If an HTML message contains script code, the script doesn't run until you open the message, as I noted earlier.
In any case, generally only harmless script commands—such as an alert that pops up—can run in the Internet zone because the default Internet zone settings provide some protection from potentially malicious script code. This protection is considerably greater with IE 5.0 than with IE 4.0. The relevant option, as Table 1 shows, is Initialize and script ActiveX controls not marked as safe.
The IE 4.0 setting for this option is Prompt, which means that if a script embedded in an HTML mail message tries to access the file system or the Outlook programming model, the user sees the message that Figure 2 shows. The user must click No to avoid problems.
The IE 5.0 default setting for Initialize and script ActiveX controls not marked as safe in the Medium zone is Disable—a much safer option, because the user never even sees a prompt. Code that tries to access powerful features such as the Outlook Address Book or the file system never runs at all. As you can see in Table 1, Disable is also the default setting for the Restricted sites zone in both versions of IE. For better protection against malicious scripting in HTML mail messages, set Outlook to use the Restricted sites zone.
The Microsoft article "Description of Internet Explorer Security Zones Registry Entries" (http://support.microsoft.com/support/kb/articles/q182/5/69.asp) describes the Windows Registry entries for each zone and the zone's settings.
How do I change the Outlook security zone?
To move Outlook from the Internet zone to the more secure Restricted sites zone, choose Tools, Options, then switch to the Security tab. Under Zone, select Restricted sites zone.
Does putting Outlook in the Restricted sites zone prevent all script code from running in an HTML message?
Not quite. As you can see from Table 1, even with Outlook in the Restricted sites zone, a harmless script or a script for ActiveX controls that is considered safe for scripting can still run in HTML messages. Even though the script might be harmless, seeing an unexpected alert pop up from an email message might frighten users into thinking that they've contracted a virus or are at risk for message script-borne viruses. Responding to those cries of alarm could consume as much administrator and Help desk time as dealing with real viruses. Therefore, you might want to disable scripting in Outlook HTML messages altogether. To suppress scripting in HTML messages completely, follow these steps:
- Choose Tools, Options, then switch to the Security tab.
- With the Zone set to Restricted sites zone, click Zone Settings, and respond OK to the prompt that appears.
- In the Security dialog box that appears, click Custom Level (Outlook 2000) or, in Outlook 98, select Custom, then click Settings.
- In the Security Settings dialog box, change the option from Enable to Disable for these two settings:
  - ActiveX Controls and plugins, Script ActiveX controls marked safe for scripting
  - Scripting, Active Scripting
- Click OK three times to apply your changes.
If you install the Outlook E-mail Security Update, it automatically moves Outlook into the Restricted sites zone and disables scripting and ActiveX controls, as I described earlier.
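An added example, not from the article, that reads back the three Restricted sites zone settings the steps above change, so you can verify a machine without clicking through the dialog boxes. It assumes the registry layout from the Microsoft article cited earlier (Q182569): zone 4 is Restricted sites, value 1400 is Active Scripting, 1405 is Script ActiveX controls marked safe for scripting, 1201 is Initialize and script ActiveX controls not marked as safe, and the data is 0 for Enable, 1 for Prompt, 3 for Disable. It needs Windows Script Host for the registry read.

```vba
' Added example (not from the article): audit the IE Restricted sites zone
' (zone 4) for the three script-related settings the article tells you to
' set to Disable. Value names and codes are taken from KB Q182569 (assumed):
' 1400 = Active Scripting, 1405 = Script ActiveX controls marked safe for
' scripting, 1201 = Initialize and script ActiveX controls not marked as safe.
' Data: 0 = Enable, 1 = Prompt, 3 = Disable. Run from the Outlook VBA editor.
Option Explicit

Private Const ZONE_KEY As String = _
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"

' Returns the stored action for one setting, or -1 if the value is absent.
' An absent value means IE falls back to the zone's built-in default, so the
' caller treats it as "not explicitly disabled".
Private Function ReadZoneAction(ByVal valueName As String) As Long
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    ReadZoneAction = -1
    On Error Resume Next
    ReadZoneAction = sh.RegRead(ZONE_KEY & valueName)
    On Error GoTo 0
End Function

Private Function ActionName(ByVal action As Long) As String
    Select Case action
        Case 0: ActionName = "Enable"
        Case 1: ActionName = "Prompt"
        Case 3: ActionName = "Disable"
        Case Else: ActionName = "not set (zone default applies)"
    End Select
End Function

' Shows one line per setting and returns how many are NOT set to Disable.
Public Function AuditRestrictedZone() As Long
    Dim names As Variant, labels As Variant, i As Long, action As Long
    Dim report As String, problems As Long
    names = Array("1400", "1405", "1201")
    labels = Array("Active Scripting", _
                   "Script ActiveX controls marked safe for scripting", _
                   "Initialize and script ActiveX controls not marked as safe")
    For i = 0 To 2
        action = ReadZoneAction(CStr(names(i)))
        If action <> 3 Then problems = problems + 1
        report = report & labels(i) & ": " & ActionName(action) & vbCrLf
    Next i
    MsgBox report, IIf(problems = 0, vbInformation, vbExclamation), _
           "Restricted sites zone audit"
    AuditRestrictedZone = problems
End Function
```

A return value of 0 means all three settings are explicitly disabled; the audit does not check which zone Outlook itself is set to use, so confirm that on the Security tab as described above.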
What other features in Outlook can help prevent users' machines from becoming infected by viruses that spread by means of email messages?
As I described in the previous questions, you can prevent Outlook from running any script in HTML messages. That precaution takes care of one class of potential dangers. A much greater threat comes from files attached to mail messages. The VBS.LoveLetter virus was a simple script file attached to a mail message. Opening it caused the code to run, destroying files and, on machines running Outlook 2000 or Outlook 98, propagating itself further through additional mail messages.
The best rule for attachments is simply never to open an attachment that you weren't expecting to receive. You also need to save any expected attachments to a system folder, then scan them with a virus scanner before opening them. Even this precaution is no guarantee, however, because no antivirus program can be totally up-to-date on all viruses.
The Outlook E-mail Security Update offers a strong layer of protection for file attachments in Outlook messages. If you're using Outlook 2000 and aren't ready to install that update or if you're using Outlook 97, Microsoft offers a way to prevent the user from running program files (.exe, .cmd, .com, .bat, and many others) directly from the preview pane or from an open mail message.
Microsoft first issued attachment security patches for Outlook 2000, 98, and 97 in July 1999. Unfortunately, Microsoft withdrew the original Outlook 2000 and Outlook 98 versions when the company released the Outlook E-mail Security Update. Therefore, a simple attachment security patch for Outlook 98 is no longer available. The approach is all or nothing: Either install the Outlook E-mail Security Update, or let users open all kinds of files from within Outlook messages.
- For Outlook 2000, you can get simple attachment security protection by installing Office SR1/1a.
- For Outlook 97, download the Outlook 97 E-mail Attachment Security Update from http://officeupdate.microsoft.com/downloaddetails/o97attch.htm.
Without the attachment security protection that these updates afford, when the user tries to open the file, Outlook either prompts the user with the message that Figure 3 shows or opens the file without user intervention. Even with the warning, the user can easily ignore it and open the file. With attachment security protection, users see the more stringent warning in Figure 4 and must take additional steps to save the file and open it from a system folder.
Note that this update affects only certain program files. For Outlook 97, it doesn't block .vbs files such as those used in the VBS.LoveLetter worm, nor does it affect document files for programs such as Word or Microsoft Excel. Whether you can open these document files directly depends on the settings for each particular file type that you set in Windows Explorer under View, Options (Tools, Folder Options in Windows 2000) on the File Types tab. Look for the Confirm open on download check box. If the confirm setting is enabled, users will see the dialog box in Figure 3 when they try to open that type of file.
Office 2000 SR1/1a offers better protection against inadvertent opening of dangerous files than the Outlook 97 patches. The service release expands the default list of file types to include .vbs files. Another improvement in SR1/1a is the ability to make additional file types subject to the security warning. See the Microsoft article "OL2000: Attachment Security Features Included in Service Release 1/1a" (http://support.microsoft.com/support/kb/articles/q259/2/28.asp) for details about the required Windows Registry entries. If you find that the Outlook E-mail Security Update isn't suitable for your situation, the customizable attachment security in SR1/1a is an excellent way to make Outlook more secure without removing key functionality.
Does Microsoft offer any other patches for Outlook that affect its security against virus attacks?
Outlook 2000 and Outlook 98 share HTML mail components with IE. Several IE 5.0 and IE 4.0 security updates also affect HTML mail. (IE 5.5 and IE 5.01 incorporate these updates successfully, as far as I know.)
The most important update is the scriptlet.typelib and Eyedog update, which Microsoft first issued in August 1999. Microsoft mistakenly marked these two controls "safe for scripting," which means that they could run in HTML messages even with Outlook in the Restricted sites zone, unless you customized the Restricted sites settings as I described earlier. For more information and download details, see "Microsoft Security Program: Microsoft Security Bulletin (MS99-032)" at http://www.microsoft.com/technet/security/bulletin/ms99-032.asp.
Depending on your OS and IE version, you might need to install these additional Microsoft Security Bulletins from the Microsoft Security Advisor Program:
- MS99-001—"Patch Available for Exposure in Forms 2.0 TextBox Control That Allows Data to Be Read from User's Clipboard" (http://www.microsoft.com/security/bulletins/ms99-001.asp)
- MS99-012—"MSHTML Update Available for Internet Explorer" (http://www.microsoft.com/security/bulletins/ms99-012.asp)
- MS99-048—"Patch Available for 'Active Setup Control' Vulnerability" (http://www.microsoft.com/security/bulletins/ms99-048.asp)
- MS99-049—"Patch Available for 'File Access URL' Vulnerability" (http://www.microsoft.com/security/bulletins/ms99-049.asp)
- MS00-034—"Patch Available for 'Office 2000 UA Control' Vulnerability" (http://www.microsoft.com/technet/security/bulletin/ms00-034.asp)
I have installed all the patches and made the other security changes you suggested. Does that mean Outlook is now safe?
In the broadest sense, these changes—even the Outlook E-mail Security Update—don't make Outlook 100 percent safe. An outside program (e.g., a VBScript file such as the VBS.LoveLetter virus) can still send itself by automating Outlook with this latest update installed—if you allow it to. However, the update makes it much, much harder for a malicious program to do that.
If you don't plan to install the Outlook E-mail Security Update but feel the need for protection against some program using your copy of Outlook to send messages behind your back, you can take several precautions. First, you can set up Outlook to work offline with an offline folders .ost file, even when you're connected to the network. If you check the Outbox before you synchronize with the Exchange server, you'll know whether some program is trying to send messages without your knowledge.
Another idea is to run the code in Listing 1. This code is a small Outlook 2000 Visual Basic for Applications (VBA) routine that forces the user to manually release every outgoing message that contains an attachment. Put it in the ThisOutlookSession module if you want to try it out on your computer.
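Listing 1 itself is not reproduced here; what follows is an added example of my own that does the same job, not the article's listing. It is an Outlook 2000 VBA handler for the ThisOutlookSession module that uses the Application_ItemSend event, which Outlook raises for every outgoing item, including items another program sends through Outlook automation. Any item that carries an attachment is held until the user explicitly answers Yes.

```vba
' Added example (not the article's Listing 1): hold every outgoing item that
' has an attachment until the user releases it by hand. Paste into the
' ThisOutlookSession module of Outlook 2000 VBA. Application_ItemSend fires
' whether the user clicked Send or a script sent the item via the object model,
' so a worm automating Outlook produces a visible prompt instead of a silent send.
Option Explicit

' The release rule, kept separate from the event handler so it can be read and
' adjusted without touching Outlook objects.
Public Function NeedsManualRelease(ByVal attachmentCount As Long) As Boolean
    NeedsManualRelease = (attachmentCount > 0)
End Function

' Builds the confirmation text for one outgoing item.
Public Function ReleasePrompt(ByVal subject As String, _
                              ByVal recipientCount As Long, _
                              ByVal attachmentCount As Long) As String
    ReleasePrompt = "Outlook is about to send a message with " & _
        attachmentCount & " attachment(s) to " & recipientCount & _
        " recipient(s)." & vbCrLf & "Subject: " & subject & vbCrLf & vbCrLf & _
        "If you did not just click Send, another program may be using " & _
        "Outlook to send mail. Release this message?"
End Function

Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
    Dim attCount As Long, rcptCount As Long, subj As String
    Dim answer As VbMsgBoxResult

    ' Not every item type exposes these members, so read them defensively and
    ' treat a missing property as zero/empty rather than failing the send.
    attCount = 0: rcptCount = 0: subj = ""
    On Error Resume Next
    attCount = Item.Attachments.Count
    rcptCount = Item.Recipients.Count
    subj = Item.Subject
    On Error GoTo 0

    If Not NeedsManualRelease(attCount) Then Exit Sub

    ' Default button is No, so an accidental Enter keeps the message.
    answer = MsgBox(ReleasePrompt(subj, rcptCount, attCount), _
                    vbYesNo Or vbExclamation Or vbDefaultButton2, _
                    "Release outgoing attachment?")

    ' Anything other than an explicit Yes cancels the send; the item stays put.
    Cancel = (answer <> vbYes)
End Sub
```

Outlook's own macro security level must allow the project to run, and a burst of these prompts that you did not trigger is itself the signal that something is sending mail on your behalf.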