Microsoft Patches Outlook for Better or Worse

In mid-May, Microsoft Corp. unveiled its Outlook E-mail Security Update. The new patch -- addressing the recent wave of virulent e-mail borne viruses -- represents a change in the way Microsoft ( approaches fixes to Office software. For some organizations, however, the cure is proving to be worse than the disease.

The ILOVEYOU virus represented a difficult problem for Microsoft: How should Redmond protect users from the problems that occur when e-mail attachments are launched, while keeping Outlook a flexible and programmable information manager? Is security important enough that allowing other features to break while patching security problems is acceptable?

In the Outlook Security Update, Microsoft imposed security on software users rather than giving them the tools to manage security themselves. In addition, Microsoft considers the Update important enough that they are willing to have some messaging and groupware applications stop working once the patch is applied. Many corporate users and analysts have been shocked by the lengths to which Microsoft has gone to shore up security in Outlook.

Microsoft published an list of impacts: programs or features that will not work as usual once the Update has been installed. Some of the problems encountered once the Update is in place include the following: Microsoft Word document routing through e-mail no longer works; mail merge fails if used from within Word; Palm, PocketPC and Windows CE devices fail to synchronize properly; and SQL Server’s SendMail features are restricted.

Microsoft also identified a list of third-party software vendors whose programs are affected by the patch. In a test conducted by ENT, synchronization of Outlook contact and calendar databases with Internet-based personal information systems failed after the beta version of the Outlook patch was installed. In addition, once the update is installed there is no uninstall utility. Microsoft indicates that to remove the E-mail Security Update, you must remove and reinstall Office.

According to a short analytical paper by GartnerGroup Inc. analysts Chris LeTocq and John Pescatore, "Microsoft has … provided security capabilities at the expense of promoting Outlook as a middleware platform." An executive of a public relations firm that uses Outlook in standalone mode was equally shocked. Jan Loiselle, CEO of Progressive Solutions, decried the patch, saying, "If that’s the medicine I have to take to make Outlook safe, I’m not sure I want it fixed."

Microsoft responded to the backlash within a week by announcing that, while the Update would remain as announced, a set of administrative tools would be added to help customize the security options of the new patches. According to a press release, the new version of the Security Update will allow organizations with server-based security to select the attachments to be received or saved to disk before opening. It can be customized when Outlook Object Model warnings are shown.

Microsoft seems especially sensitive to the danger of high-risk attachments in Outlook. According to Samir Bhaavnani, a research analyst with Computer Economics, the first attack did more than $15 billion of damage. "We saw damages growing by $1 billion to $1.5 billion each day until the virus was eradicated."

When the Melissa virus attacked users of Word, Microsoft gave users and system administrators the tools needed to detect rogue code in documents. To preserve flexibility, Microsoft allowed users to customize their security environment rather than imposing it on the Microsoft Word user. With the Outlook E-mail patch, Microsoft has taken a new -- and apparently not entirely welcome -- approach.

When Microsoft officials announced the Security Update they indicated that they would provide a list of unsuitable e-mail attachments that would be prohibited from opening. The current list includes more than 35 file types. In addition, the patch requires that the user authorize any application that attempts to read Outlook’s address book. Finally, the announced version of the Update sets the user’s security zone to Restricted.

Such an approach to Outlook security has some unintended problems for users. For instance, companies using Outlook as a standalone client are unable to subtract from the list of unsafe attachments. Any directory application that uses the Outlook address book -- such as PDA synchronization or customer relationship management software -- requires a manual, short-term authorization. Setting the default security zone to "Restricted" effectively prohibits basic Internet Explorer functions.

A production version of the Security Update was expected to be available in the last week of May. Current information on the update can be found on Microsoft’s web site at: