Skip to main content
ad info technology > computing
    Editions | myCNN | Video | Audio | Headline News Brief | Feedback  




Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent



More than 11,000 killed in India quake

Mideast negotiators want to continue talks after Israeli elections


4:30pm ET, 4/16










CNN Websites
Networks image

Microsoft Outlook update impedes functionality, but enhances security

May 16, 2000
Web posted at: 3:42 p.m. EDT (1942 GMT)

In this story:

Blocks certain file types

Locking the address book door

A balancing act

Too far, too little, or both?

Redmond at turning point


(CNN) -- Microsoft, in a major philosophy shift, has released an update patch to Microsoft Outlook designed to quash recent and future self-propagating e-mail worms, though some analysts have serious problems with its implementation.


The update doesn't go far enough in some respects, they say, but too far in others. Russ Cooper, administrator of the noted BugTraq mailing list for systems administrators and computer security professionals, pointed to the list of known issues with the patch as evidence that he described as rushed and ill-conceived.

Even representatives from a company that was consulted about the patch before its release now have serious issues with it. But Cooper had the most scathing indictment of the added code, saying on his mailing list that "it's not a patch; it's Outlook on Training Wheels."

Blocks certain file types

Microsoft's update only affects the 2000 and 98 versions of the full-version Outlook program. The company is still working on possible updates to the consumer-version Outlook Express application. The update has two main additions. First, e-mail attachment filtering prevents users from accessing certain file types sent as attachments. Executable code, such as programs, are restricted, as are JavaScript files, VisualBasic scripts (the programming language that the "ILOVEYOU" virus was written in) and potentially dangerous Windows Script programs.

But those aren't the only file types affected. Photo CD images, Windows Help files, Internet shortcuts, batch files, some Microsoft Access files, and some PowerPoint files are all blocked by the update. While a user may e-mail the files out, the Outlook recipient won't be able to read or even save the files to their hard drive.

Compressed files also face some restrictions, though they're not deleted outright. When receiving a ZIP file, the user is warned that it might contain a virus and their only option is to save the file to the hard drive. Curiously, the popular ZIP format is the only compression file type affected by this restriction -- several others that can be opened by the WinZip compression/decompression programs aren't affected at all and can be opened straight from the e-mail message.

Microsoft's Web site states that users wanting to share restricted files should do so through a network, community Web site or some other means other than e-mail.

Locking the address book door

The update also implements what Microsoft calls an "Object Model Guard" that essentially protects Outlook and its Address Book from any access by external programs, even others within the Microsoft Office suite. While this blocks the common distribution method of mailing out virus copies to everyone in a user's address book, it also takes away some functionality that Outlook users may hold dear.

If any program tries to access the Address Book, a confirmation button appears. That requirement makes remote synchronization with a mobile access device, like a Palm computer, impossible since no one is there to confirm the operation. It also makes mail merges impossible from Word, though they can be started from Outlook. The company is attempting to work with third-party software developers to try to work through the several known functionality problems caused by the update.

The biggest problem to system administrators and users may be the no-turning-back issue. Once the update is installed, it can't be uninstalled without wiping out and reinstalling the entire Microsoft Office suite -- never an appetizing option.

A balancing act

Tom Bailey, a group product manager for Microsoft's Office products, says the large number of file types is needed because they can all run code and don't have their own security model. For example, an attached Word document opens in Word and that program has its own security mechanism. And while administrators can add file types to the restricted list, they can't remove them. Bailey says that's to keep out the hackers.

"There would have to be a setting that would allow customers to do that," Bailey said. "That would most likely happen at the registry level, and it's hackable." The Windows registry, a basic group of settings that control Windows functions, was modified by the "ILOVEYOU" virus to change a user's Internet start page.

Bailey also said that Microsoft is calling corporate customers to see if they have suggestions on how to make the security update better -- particularly with regard to those software makers that now see their code crippled by the update.

Too far, too little, or both?

While many analysts believe that the update is a good start, all of them had specific suggestions to make the update more secure.

Cooper worries that users may think that after downloading the update, Outlook is secure.

"If Microsoft's publicity of this update is successful, far too many consumers will believe they have received a comprehensive security update," Cooper said. "This will make it significantly more difficult to convince them to take additional steps to secure themselves."

Richard Smith, the man who tracked down the author of the "Melissa" virus, was dismayed that the patch doesn't address JavaScript issues.

"There are tons of Internet Explorer security holes, but keeping e-mail in the restricted site zone it would make those irrelevant," Smith says. "(Recently-released e-mail worm) Kak wouldn't run, but with JavaScript running you could mount an attack from a spawned window."

Bailey says that the Internet Explorer team is looking at the JavaScript issue and exploring how to deal with that hole.

"It's not a perfect solution," Smith said. "Historically, it takes Microsoft a few reps to get a patch right."

Roger Thompson, technical director of Malicious Code Research at security firm, said Microsoft was consulting with ICSA while working on the update. At the time, Microsoft told ICSA what it was going to do, and the security company approved, saying that it was a step in the right direction.

But now that Thompson has had a chance to take a look at the finished product, he's not nearly as impressed.

"If they had this in place before Loveletter came out," Thompson said, "it wouldn't have happened. But I think they need to think it out a little more. They broke more functionality than they needed to break."

Thompson cites Microsoft's decision to delete restricted files outright, instead of allowing users any sort of choice. He also notes that having Outlook make its decisions based upon file extensions is meaningless. An executable file could still get through if an extension is gibberish.

"With programs, you can call a program anything you like," Thompson said. "The operating system can see it's a program and run it anyway. You can't nearly have enough extensions to cover them all."

Instead, Thompson thinks that Microsoft should have just changed Outlook to keep users from running attachments without another step.

"They should have made it impossible to launch any attachments straight from e-mail," he said. "Any organization that wants to secure what they're sending around can say no one can double-click on an attachment."

Redmond at turning point

Even with all the admonishments, all of these security professionals were impressed and even somewhat astonished at Microsoft's basic philosophy change.

In the past, Microsoft has prided itself on valuing functionality and flexibility above all else -- even complete security. When a new virus or malicious program shows a hole in the security of a Microsoft operating system or application, it has been business-as-usual to blame it on either another software company or hackers.

But now, the company is no longer trusting users to handle the myriad of dialog boxes, checkboxes and settings in order to choose the best security. In the tradition of the most cutting-edge security advocates, their current course places data integrity and the protection of users over gee-whiz gadgetry.

"This is a significant shift in the way that we're going to be addressing security," Microsoft's Bailey said. "This has been a balancing act. We've tended to be reactive. It's time for us to take a harder-core stance to try to eradicate these types of viruses by being proactive."

Like an addict just seeing the light of his affliction, Microsoft has a long way to go, Thompson says, though they're finally on the right track.

"It's a first step toward admitting they've got a problem," he said. "If people are prepared to listen, then we will eventually get the right balance. They don't have to strip away all the functionality, they just have to remove the right functionality or make it optional."

Smith wishes that Microsoft would have addressed these problems earlier.

"It's clear cut that there have been problems since Melissa," he said. "They've had more than a year to look at this. But I do appreciate the difficulty."

New e-mail virus may hurt worse than 'Love'
May 12, 2000
Security experts say hackers have the edge
May 11, 2000
Hotmail, Yahoo scramble after email security flaws exposed
May 10, 2000
'Love bug' investigation turns to 2 computer school students in Philippines
May 10, 2000
Former computer student investigated in 'ILOVEYOU' attack
May 10, 2000

   •Microsoft Office - Microsoft Outlook
BUGTRAQ: Introduction

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.


Back to the top  © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.