MS to patch things up, Outlook good

The patch, which is for the Office 98 and 2000 clients, but not the free Outlook Express software, was released on Monday through Microsoft's Office Update web site, http://officeupdate.microsoft.com/ . A completed version is expected to be available in the week of May 22, said Lisa Gurry, a product manager for Office.

Users installing the patch will lose some functionality in Outlook but, Gurry said, a growing number of users are willing to make that sacrifice in return for a more secure product.

"We've thought about the balance for a long time. Hackers are getting much more sophisticated and, based on this growing sophistication and exploitation of vulnerabilities in Outlook, we looked at security versus functionality," Gurry said. "In the past we focused more on functionality but this update tips the balance in terms of security."

Roger Thompson, director of malicious code at ICSA.net said he wondered whether the company had gone too far in the opposite direction. "It's a real good step. I'm just wondering if they have broken more functionality than they needed to. The anti-virus people would have been pleased to see them just disable the launching of any applications from within Outlook."

The patch tackles the security problem at three levels.

First, the patch attempts to automatically delete all file attachments that could contain executable code. Microsoft has created a list of files that will be caught by the filter and it includes everything from batch files and HTML help files to executable programs and Photo CD images. When a message is received with such an attachment the user will be denied access to the file and notified that the attachment was unsafe.

Users will be able to add to the list of unsafe file types, but won't be able to delete any file types specified by the company.

"This is by design," Gurry said. "We are looking at this as a very strong update to the security of Outlook and adding such an option dilutes the update.

A second definition file, which at present includes just compressed ".zip" files will also exist in the software. Whenever such attachments are received, the user will be warned that viruses can exist within the file and instructed to save the file to disk before it can be opened.

A second level of protection will come from what Microsoft calls the "Object Model Guard." This will intercept attempts by other programs to access the Outlook address book or use the mail client to send messages. Such attempts will result in an alert to the user who will have to positively grant the program access.

As a final measure, the patch pushes the default security settings for Outlook from the Internet zone to the restricted zone. "This disables some scripting and Active X downloads so that some scripts and some downloads, which would be automatically run, are disabled," Gurry said.

The patch received a cautious welcome from some in the anti-virus industry.

"This is a step in the right direction," said Dan Schrader, chief security risk analyst at Trend Micro. "It's not nearly a big enough step but Microsoft can't be taking these steps alone."

He said users need to be better educated about handling of files through e-mail and corporations also need to do more to stop such malicious code from getting to the desktop.

"We're relying on desktops as our first and only line of defense. We can only do so much at the desktop," he said. "Any security model that relies on the user doing the right thing is doomed to fail."

Nevertheless, Schrader said, while the steps taken by Microsoft won't leave Outlook impervious to all viruses, it will stop the software from being hit by the so-called "script kiddies" who manage to cause problems with relatively simple files.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Martyn Williams

PC World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?