Microsoft admits shortcomings in Outlook

In a rare mea culpa, Microsoft this week admitted that vulnerabilities in its Outlook e-mail program helped propagate the damaging "I Love You" worm, prompting the software giant to release a free security upgrade to protect users from opening and spreading computer viruses.

Yet some observers say that although Microsoft's intention is good, the patch leaves much to be desired.

"This implementation was rushed to market and shows the signs of quickly getting something out to answer criticism and really missing badly," said John Pescatore, network security research director at Gartner Group.

Specifically, some analysts and IT managers say the fix is too file-attachment restrictive and impedes such functions as Palm synchronisation. Another major gripe of IT managers is the "all or nothing" aspect of its installation, meaning the upgrade cannot be uninstalled without wiping clean the entire Microsoft Office suite and starting from scratch.

"If we were to push something like that to our clients, it would be a nightmare because we'd have to go fix [reinstall] the entire system. It's unwieldy and unreasonable to expect people to do that," said Alex Polomski, network systems manager at the Massachusetts Department of Education, in Malden.

"If that's their only solution, they should come up with something better," Polomski added.

In the past, Microsoft has proved reluctant to install any anti-virus measures at all in to Outlook, despite fallout for serving as a launching pad for other e-mail attacks, such as 1999's Melissa virus. The company had concerns that much of the software's appeal and functionality would be lost on users because of the integration of security features, said Lisa Gurry, product manager of the Microsoft Office team.

The fix Microsoft is now offering restricts users from running any type of executable code attachments in e-mail; ZIP files must be saved to disk to be viewed. The company also will release a patch that will issue an alert if an e-mail attachment attempts to access Outlook or tries to send itself to parties listed in the user's e-mail address book.

The Outlook e-mail attachment filtering update takes no prisoners: Besides Visual Basic Script, Windows Script, and JavaScript files, it also stops Windows Help files, batch files, PowerPoint files, Photo CD images, and Internet shortcuts, Microsoft officials said.

Kyle Ross, IS coordinator at the McGahn Medical Centre, in Santa Barbara, California, said that he would prefer waiting for a reinforced new version of Outlook to hit the market rather than installing the questionable update so as to receive the updated security measures.

The update for Outlook 98 and 2000 is available for download on the Microsoft Web site.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about GartnerGartnerMicrosoft

Show Comments