SAN FRANCISCO (07/07/2000) - In the wake of may's worldwide "love bug" virus attack, Microsoft Corp. has come up with a way to inoculate Outlook 98 and 2000 from similar viruses. But like many other vaccines, the Outlook E-mail Security Update has some unpleasant side effects. As a default, the fix prevents Outlook users from receiving many types of e-mail attachments, and it conflicts with features in other programs, including Microsoft Office.
Microsoft's outlook fix has two prongs. "I Love You," Melissa, and other viruses wreak their havoc through executable code attached to e-mail messages.
So the update prevents users of Outlook 98 and 2000 from receiving attachments that contain executable code, including .exe and .com files and script modules such as .vbs and .js files.
Both " I Love You" and last year's Melissa virus e-mailed themselves to users listed in the address books of infected PCs. To prevent viruses from broadcasting themselves to everyone you know, the update will warn you whenever another application tries to access your Outlook address book or send e-mail via Outlook.
Corporations burned by "I Love You" or Melissa will likely welcome the update, but users accustomed to the convenience of sharing files by e-mail may find it a hard pill to swallow. By default, the update blocks various file types, like Microsoft Access Projects and self-extracting zipped files. The update also prevents some features in other apps (including Microsoft Office's mail-merge and Palm synchronization software) from working at all.
So if you take your medicine, how can you share the banned file types?
Microsoft recommends using servers within your company's network or using Web-based file storage locations. At press time, Microsoft reported that administrative tools would be added to allow customization of the new security measures.
Get the update for Outlook 98 or 2000 at www.officeupdate.microsoft.com. Office 2000 users must install the SR-1 or SR-1a update before installing the Outlook E-mail Security Update. So far, there's no security update for Outlook Express.
Microsoft officials are deciding whether to produce one.
Office 2000 Security Fix
Meanwhile, the Microsoft Office team has been working to close another security breach: In Office 2000 and its individual apps, such as Excel and Word, a hacker could exploit an ActiveX control that automates demonstrations in the Office help files to turn your files to mush. Microsoft admits that the security hole exists because Microsoft incorrectly labeled the code as "safe for scripting." An HTML e-mail message or the host of a Web site you visited could introduce a destructive script armed with the ActiveX control into your PC. To find a link to the 149KB patch and to get instructions for installing the fix, hop to officeupdate.microsoft.com/2000/downloadDetails/Uactlsec.htm.
IE Security Triple Play
Microsoft's latest security update to Internet Explorer (versions 4 and 5) bundles fixes that repair three weak links that could let bad-guy Web site operators have their way with your system. The most dangerous of the three could permit a Web site operator to perform any action on your system that you could do, including reformatting the hard disk. The other two security breaches could allow site operators to read some types of files on your system without your permission and to access cookies they should not be able to read. For installation instructions and a link to the 1959KB download, simply point your browser to www.microsoft.com/windows/ie/download/critical/patch7.htm.
Installing the patch requires having IE 4.01 Service Pack 2 or IE 5.01 in place first.
Holes Bug Eudora, Too
Microsoft isn't the only software company struggling with e-mail security.
Qualcomm Inc. has issued an E-mail security advisory about a weakness in its Eudora e-mail package. Eudora 4.2 and later versions ask the user for permission to proceed before opening most types of file attachments, including programs such as .exe files. But a recently discovered vulnerability allows an .exe file introduced through a link attached to the message to run unannounced.
The security advisory also warns that .vbs files--the type of attachment the "I Love You" virus rode in on--can execute without warning. Qualcomm says that the 4.3.2 version of Eudora adds alerts for all .exe and .vbs files. The advisory provides steps for solving the problem yourself for versions 4.2.1 and later.
You can find the advisory by visiting www.eudora.com/security.html.