Experts Applaud Microsoft’s Security Moves

To combat future versions of the recent “Love Bug” assault, which wreaked
havoc on Windows and Office platforms and paralyzed e-mail systems
worldwide last week, Microsoft is expected to announce modifications to its software.

The company announced Monday that it’s making some fundamental changes
in Outlook — its e-mail, contact management and calendar program. The
repair patch for Outlook 98 and Outlook 2000, which will require a download
of about 1 megabyte, will be made available on the MSN Web site next week.

The changes take two basic forms. First, Outlook will refuse even to
look at certain types of message attachments, such as the so-called VB
Script attachment that carried the Love Bug payload, and users cannot
override this. Essentially, all program attachments will be blocked.

Industry experts say they are relieved to see Microsoft making these

“It is the first time in two years I have heard Microsoft say,
‘Hey, we really have to do something here,’” said Richard M. Smith, an
independent security consultant. “Overall the virus has hit two vulnerable
areas: VB Script makes it easy to write things and all email worms are using
Outlook address books. More needs to be done, but this is extremely

Smith has published a page of tips on improving Outlook security that’s available here.

Microsoft has a lot to do by trying to come back and represent to
its clients that it is trying to improve things, said James P. Hurley, managing director of information security for consulting firm Aberdeen Group. “They have been
avoiding this for two years,” he said. “I am glad to see they are doing the
right thing.”

Other changes affect how programs get access to the Outlook address book.
The Love Bug sent a copy of itself to everyone listed in the address book,
something which Outlook’s design made very easy. A program other than
Outlook itself will need permission from the user every time it needs access
to the address book. This feature, too, cannot be turned off.

With the revisions, a Palm or Windows CE handheld will have to ask
permission each time it syncs with Outlook. It will not be possible to sync
remotely over a network. Mail merges from Word or other Office programs will
also be affected, as will a number of business applications, such as Siebel’s
customer-relationship-management applications and SAP’s enterprise
resource-planning software. Antivirus programs are also likely to trigger an
alert during scans. Microsoft is working with the third-party software
companies to minimize these impacts.

While Outlook Express is somewhat harder to attack than Outlook 98 or
2000, vulnerability exists there also, Sinofsky said. He reported that the
company is working on changes to make Outlook Express more secure.
