MS issues Outlook security patch
Microsoft has released a security patch of its Outlook mail client aimed at closing holes exploited by numerous viruses in the past 18 months.
In addition to other safeguards, the patch prevents e-mail from directly accessing almost 40 potentially unsafe file types, including Visual Basic Script (VBS) and object code (EXE).
It's a good first step, said Carey Nachenberg, chief researcher for Symantec's Anti-virus Research Labs. The patch "by no means solves the problem," he said, "but it helps to neuter a vector of spread."
Ever since the Melissa virus clogged email servers in March 1999, and continuing on with the "ILOVEYOU" worm in early May, companies and individuals running Microsoft's Outlook mail client have been prime targets for virus writers.
Both Melissa and ILOVEYOU used several security weaknesses in the Outlook program to spread, including the ability of attachments to open or execute directly from the email and the accessibility of the Outlook address book to any program.
In the ILOVEYOU incident, the original worm -- contained in an email -- used a bit of wordplay to convince the reader to click on a Visual Basic Script attachment labeled "LOVE-LETTER-FOR-YOU.TXT.vbs". Once opened, the attachment accessed the user's Outlook address book and sent mail to every address. In addition, the worm could spread through Internet Relay Chat and deleted several different multimedia files types.
"This is an extension of an update that we made available last year," said Lisa Gurry, Microsoft Office product manager. That patch, created in response to the Melissa virus, required users to save certain file types to the hard disk first. Microsoft hoped that doing so would cause users to look more closely at what they were opening.
In addition, whenever another program attempts to access the Outlook address book, the patched version of Outlook will prompt users with a warning dialogue box. The patch causes Outlook to similarly prompt the user when a program attempts to send an email on the user's behalf.
Finally, the update will cause Outlook to operate as a "restricted" Internet zone with scripts disabled -- the highest security setting allowed by Internet Explorer.
Security specialists gave the patch mixed reviews. "I think Microsoft is doing the right thing. They are doing the anti-virus vendors' work for them," said Rob Rosenberger, editor of the Computer Virus Myths Web site. "Are they doing enough? No. Their systems are not secure; they need a lot of work."
Elias Levy, chief technology officer for security Web site SecurityFocus.com, said the patch's security features could be circumvented quite easily.
"It's an incremental improvement," he said. "But is it a solution to solve the problems? Well, maybe for the next four months until virus writers learn to get around it." Furthermore, a large security holes still exists -- the user.
The greatest problem may be getting users to update their software, Levy said.
"Most people don't bother to patch their systems," he said. "Where you are going to see this patch deployed the most is in corporations. That is good. A lot of times where we see the greatest concentrations of infections are in corporations."
Microsoft, however, has high hopes that home users as well will be more savvy this time around.
"With each more virus that hits, and the greater the damage is becoming, people are becoming more aware of protecting themselves," said Microsoft's Gurry.
Get hold of Microsoft's email security updates for Outlook 98 and Outlook 2000, and guard against viruses such as the ILOVEYOU, Melissa and NewLove viruses.
In the light of this years Denial of Service attacks and the ILOVEYOU virus John Dvorak worries that we ain't seen nothin' yet. Go with him to AnchorDesk UK for the news comment.
What do you think? Tell the Mailroom. And read what others have said.
Go to ZDNet's ILOVEYOU Special Report