BOSTON (05/23/2000) - When it comes to viruses, Microsoft Corp. can't win for losing.
Two weeks ago Microsoft Outlook was blasted for being too loose with attachments, allowing the love bug to run rampant. Now the software giant is being blasted again, this time for clamping down too hard.
The controversy was prompted by a patch set for release this week that blocks a broad array of attachments, a blunt force effort to kill viruses such as Melissa and the recent ILOVEYOU virus.
The patch for Outlook 98 and 2000 totally blocks attachments such as .bat, .exe, .vbs. and 35 other extensions. The patch also won't let programs access the Outlook Address Book. The ILOVEYOU virus and others used the address book to quickly spread their havoc. Scripting, however, remains activated unless a user manually blocks it.
Not all agree with the blocking tactic though. "Microsoft is making it impossible to run certain files from Outlook and we think that goes too far," says Roger Thompson, technical director of malicious code research for ICSA.Net, which certifies antivirus and firewall products.
"It breaks a lot of functionality," he says.
About a dozen vendors, including Palm and Novell, are currently testing the impact on their products.
What to do
Virus expert Thompson says Microsoft should make optional the use of Office 2000 macros - which run code inside programs - and says Microsoft was on the right track last year when, as part of a patch to fight the Melissa virus, it forced users to transfer attachments to a hard drive before opening. This simply makes users go through one more step before opening a possibly dangerous attachment.
"It's not the viruses that you attack, it's the infection method," Thompson says. "The problem is that you have 10,000 programmers in Redmond designing for functionality and not security."
Others suggest Microsoft institute digital signatures for VBScript attachments much like the digitally signed objects concept introduced with Office 2000.
"To check all those signatures may be cumbersome and not a quick fix, but it's a good idea," says Russ Cooper, a noted Windows security expert and editor of the NT BugTraq Web site.
Cooper says Microsoft should have never released the patch until it had more feedback from the security community.
He says the blanket ban on file attachments should be reversible, letting users add back the types of files they want to accept. As it stands now, users who install the patch can only get rid of it if they uninstall, then reinstall Office.
Others are sympathetic to the Microsoft plight. "The problem is that it is nearly impossible to offer security without blocking legitimate files," says Carey Nachenberg, chief researcher at Symantec's Antivirus Research Center in Santa Monica, California. "Microsoft's effort is a good first step. At least it should reduce the speed at which viruses can spread."
Nachenberg recommends users filter all documents and strip out macros, executable files and scripts. But the bottom line is enterprises will have a difficult decision between convenience and security. Nachenberg says building protective walls will be difficult because it will require changes in network configurations, and software development and deployment.
"In the end it will come down to corporations deciding how important their intellectual capital is and the level of risk they are willing to take," he says.
The customer view
While enterprise users generally applaud Microsoft's efforts, customers say in a perfect world security would be adjustable.
"We need to have a set of controls that we can either dial up or dial down as we see fit," says Shaun Brachman, systems project leader for plumbing and power system manufacturer Kohler in Kohler, Wis.
Brachman has about 5,000 users on Microsoft's Outlook and spent a few days digging out from the recent ILOVEYOU virus. "With Outlook, the security is either on or it's off, and that's not enough for the enterprise."
Another user agrees. "In some ways this update appears to go a little too far," says David Ellis, senior technical analyst for Carlson Shared Services, a travel, hospitality and marketing firm in Minneapolis. "We have some people who run customized forms and scripts in Outlook, and all that will be affected. We will really have to test this update."
Ellis has some 20,000 users worldwide, and "like it or not, e-mail is used for file transfer."
Microsoft defended its decision on the grounds that security is paramount.
"When we created the update, we weighed functionality vs. security, and in this case we decided to offer unprecedented security," says Lisa Gurry, product manager for Microsoft Office. "We know this is not bulletproof. It's a single step and we will continue to work on it."