BOSTON (05/17/2000) - Microsoft Corp. announced this week that it will issue a patch for its popular Outlook e-mail client that's aimed at preventing the software from propagating viruses like "I Love You" and Melissa. Those viruses were spread via e-mail attachments or Internet worms that replicated through the Outlook address book.
The patch, which is currently being analyzed by developers, could have a wide-ranging impact on third-party software designed to interoperate with Outlook.
The recent "I Love You" virus overwhelmed many corporate and government networks when it triggered Outlook to automatically mail the virus to everyone in victims' Outlook address books. The upcoming patch will prevent Outlook 2000 and Outlook 98 from receiving certain types of program files, such as .exe and .bat, that contain executable code used to spread viruses.
Updated versions of Outlook will also block script modules and files such as .js, .bas and .vbs Visual Basic script attachments. The "I Love You" virus payload was a .vbs attachment. Internet links and shortcuts to files, such as .lnk and .pif files, will be restricted. "The goal is to take the guesswork out of determining whether an attachment is safe," said Lisa Gurry, a product manager with Microsoft's Office team.
Gurry confirmed that the patch will impact a number of business applications, including Siebel System Inc.'s customer relationship management applications and SAP AG's enterprise resource planning software. But she said they and other software partners are just now receiving the beta code, and it's too early to know what the specific impact will be. "We will be inviting them to campus to discuss the right balance between security and functionality and ensure that our products continue to work well with theirs," Gurry said.
Microsoft has made a beta version of the patch available to independent software vendors whose products may be impacted by the update. The beta, available at http://officeupdate.microsoft.com/2000/articles/o2ksecISV.htm, is intended only for use by systems administrators and independent software vendors.
Microsoft posted a warning on the site that "the beta is not intended to be placed into production situations and should be deployed only on machines that can be reformatted after testing without serious concerns." The site includes a link through which companies can contact Microsoft to report bugs or provide feedback on the update.
A patch for all Outlook users, known as the Microsoft Outlook 98/2000 E-mail Security Update, will be available next week.
To further restrict programmatic access to the Outlook address book and contacts list, Outlook is being updated to issue a pop-up screen warning that a program is attempting to access the address book and ask for permission to proceed.
"Most people who were affected by the Love virus had no idea that they were mailing the virus to their friends," Gurry said. "The warning notification puts people in control of their computers and lets them know what's going on behind the scenes."
Microsoft has acknowledged that the patch will impact certain functionalities within Outlook and will also affect the interaction of some third-party software with Office. Some vendors, including Novell Inc., Palm Inc. and Paragon Software Ltd., are evaluating the effect on their products, according to information posted on the beta download site.
The development of this patch is a departure for Microsoft, which has often countered criticism of security weaknesses in its Office products by arguing that users want a range of automated features, even if they're vulnerable to attack. Gurry said the company has tried to strike the right balance in product development but that the growing sophistication of attacks convinced the company that it needed to "scale more effectively for security than functionality."
According to Gurry, companies that want to exchange .exe, .bat or .vbs files are being encouraged to place them on file shares within a network, on an online storage service or on community Web sites such as Microsoft Network communities. Microsoft is also working on changes to its free Outlook Express program, which doesn't use the same address book system.
The Outlook update is integrated into the product when it's installed, and there's no remove/uninstall utility. To remove it, you must remove and then reinstall Office.
According to Microsoft, the update has failed to install in some cases, and the company said it is investigating those cases before the patch is shipped. Users are being strongly advised not to apply the beta version of the patch and to wait until the final code ships next week. "Of course, we will make sure that it is really solid before we release it broadly to the public," Gurry said.