Microsoft has announced it will delay until next week the release of a major security update to its Outlook 98 and 2000 e-mail software.
The delay will allow Microsoft to make certain last-minute modifications to the software in response to feedback from customers, the company said in a written statement.
Microsoft originally planned to release the update this week, but the statement issued late Wednesday said the software patch will now be available sometime next week.
New to the update will be a set of tools that give administrators more say in what e-mail attachments are allowed through to users' desktops, Microsoft said. The beta version of the software, which was released last week, includes a set of predefined file types - the ones most likely to contain a virus - to be automatically removed when received, whether containing a virus or not. Users can add file types but not remove any from the master list.
"(What) we've seen with service packs that Microsoft released for its Windows NT operating system is that it breaks things instead of fixing things," said Chris Davis, CEO of Hexedit Network Security Inc., a security consultancy in Ottawa. "We've seen this a few times - engineers overlook the implications of a patch and that it might not be compatible with (certain applications). So Microsoft's decision to delay release of the Outlook patch didn't really surprise me. (I figured) they wrote it and it broke something so they're trying to fix it."
Based on customer feedback, the update will now allow administrators of systems where files are scanned at network level to modify the master list and decide exactly which files users can see. Microsoft, which stressed security was its No. 1 concern when designing the Outlook patch, said the change doesn't weaken the security of the systems because additional scanning at network level is also taking place.
"At this point, for many people this is an unusable patch because (they would) have to update all their applications," said Ira Winkler, president of Internet Security Advisors in Severna Park, Maryland. "My feeling is, (Microsoft) should look to modify the patch so applications don't have to be updated, or if that can't be accommodated, then they should put it out there and leave (the decision to use it) up to the administrators. There are some users who could benefit from it, and they are being left insecure."