RealTime IT News

Experts Applaud Microsoft's Security Moves

To combat future versions of the recent "Love Bug" assault, which wreaked havoc in Windows and Office platforms and paralyzed e-mail systems worldwide last week, Microsoft is expected to announce modifications to its software.

The company announced Monday that it's making some fundamental changes in Outlook -- its e-mail, contact management and calendar program. The repair patch for Outlook 98 and Outlook 2000, which will require a download of about 1 megabyte, will be made available on the MSN Web site next week.

The changes take two basic forms. First, Outlook will refuse even to look at certain types of message attachments, such as the so-called VB Script attachment that carried the Love Bug payload, and users cannot override this. Essentially, all program attachments will be blocked.
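The blocking described above is a decision made on each attachment before the user ever sees it. As an added example that is not part of the original article and does not reproduce Microsoft's actual block list, the following Python filter parses a MIME message with the standard library, looks at the final extension of every attachment's file name, and returns a verdict for each. The extension list and the sample message are constructed for this example; the rule that only the final suffix counts (so `report.txt.vbs` is treated as a `.vbs` file, and the sender's declared content type is ignored) is a deliberate design choice of this example, not a claim about Outlook's behaviour.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath
from typing import List, Tuple

# Constructed block list of "program" attachment extensions for this example.
# Microsoft's real list is not given on the page and is not reproduced here.
BLOCKED_EXTENSIONS = frozenset({
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",    # script-host files
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr",   # executables, screensavers
    ".lnk",                                           # shortcuts
})


def final_extension(filename: str) -> str:
    """Lower-cased final suffix of an attachment name.

    Trailing dots and spaces are stripped first, and only the last suffix is
    considered, so 'report.txt.vbs' yields '.vbs' regardless of the '.txt'.
    """
    cleaned = filename.strip().rstrip(". ")
    return PurePosixPath(cleaned).suffix.lower()


def classify_attachments(raw_message: bytes) -> List[Tuple[str, str]]:
    """Return (filename, verdict) for every attachment in a raw RFC 822 message.

    The verdict is decided purely from the file name; the Content-Type the
    sender declared is not trusted. An attachment with no usable name cannot
    be checked, so the filter fails closed and blocks it.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            verdicts.append(("(unnamed)", "blocked"))
            continue
        verdict = "blocked" if final_extension(name) in BLOCKED_EXTENSIONS else "allowed"
        verdicts.append((name, verdict))
    return verdicts


def build_sample_message() -> bytes:
    """Constructed test message: one harmless image and one script attachment
    that is mislabelled as text/plain and carries a double extension."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "kindly check the attached"
    msg.set_content("See the attached file.")
    msg.add_attachment(b"\xff\xd8\xff\xe0", maintype="image", subtype="jpeg",
                       filename="photo.jpg")
    msg.add_attachment(b"' script body omitted in this example\r\n",
                       maintype="text", subtype="plain",
                       filename="LETTER.TXT.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict in classify_attachments(build_sample_message()):
        print(f"{verdict:8} {filename}")
```

Running the module prints one line per attachment: the image is allowed and the `.vbs` file is blocked even though its MIME part claims to be plain text. In a real gateway this check would sit alongside, not replace, content scanning, since an extension list only catches what it has been told to look for.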

Industry experts say they are relieved to see Microsoft making these efforts.

"It is the first time in two years I have heard Microsoft say, 'Hey, we really have to do something here,'" said Richard M. Smith, an independent security consultant. "Overall the virus has hit two vulnerable areas: VB Script makes it easy to write things and all email worms are using Outlook address books. More needs to be done, but this is extremely encouraging."

Smith has published a page of tips on improving Outlook security that's available here.

Microsoft has a lot to do in coming back and representing to its clients that it is trying to improve things, said James P. Hurley, managing director of information security for consulting firm Aberdeen Group. "They have been avoiding this for two years," he said. "I am glad to see they are doing the right thing."

Other changes affect how programs get access to the Outlook address book. The Love Bug sent a copy of itself to everyone listed in the address book, something which Outlook's design made very easy. A program other than Outlook itself will need permission from the user every time it needs access to the address book. This feature, too, cannot be turned off.

With the revisions, a Palm or Windows CE handheld will have to ask permission each time it syncs with Outlook. It will not be possible to sync remotely over a network. Mail merges from Word or other Office programs will also be affected, as will a number of business applications, such as Siebel's customer-relationship-management applications and SAP's enterprise resource-planning software. Antivirus programs are also likely to trigger an alert during scans. Microsoft is working with third-party software companies to minimize these impacts.

While Outlook Express is somewhat harder to attack than Outlook 98 or 2000, a vulnerability exists there as well, Sinofsky said. He reported that the company is working on changes to make Outlook Express more secure.