Microsoft Re-releases Outlook Patch

Microsoft Corp. released its long-awaited Outlook e-mail security patch this month. The patch is intended to protect Outlook 98 and Outlook 2000 users from viruses spread by destructive e-mail attachments.

According to Microsoft (www.microsoft.com), the security update provides protection from most viruses that are spread through electronic mail, including the recent ILOVEYOU and Melissa viruses. The update limits certain features in Outlook, with the intent of providing a higher level of protection against viruses that run as executable code.

After the update is installed, Outlook users are no longer able to access attachments with file types that run executable code or change settings on a computer -- two actions that could allow an e-mail virus to spread.

The new security patch is the third attachment-handling update Microsoft has made available for Outlook users. The first required that certain files, when sent as attachments, always be saved to disk before opening. The second was included as part of Office’s SR-1 and gave system administrators control of the list of file types that were being protected by the first patch.

The new security update comes in two forms: an update for those running Outlook in an Exchange Server environment and another for those people running Outlook as an independent e-mail client.

In the newly released patch, attachments are divided into three groups. The first is a category called "unsafe." Any attachments sent with extensions in the "unsafe" list are unavailable to Outlook users. A second category is a list of attachments which are not "unsafe," but require caution when opening them. A last category of attachments are deemed safe for Outlook users. When these are received an Outlook user is asked if he or she wants to open the file directly or save it to disk.

When the Outlook patch was initially announced, Microsoft received some criticism from industry analysts and Outlook users that the patch was too draconian. The inability to control which attachments were deemed "unsafe" could lead legitimate applications, built on top of Outlook, to fail because of the restrictions imposed by the patch. In addition, programs that had legitimate requirements to access a user’s Outlook address book, such as mail merge or collaboration tools, would be stopped.

In the time between the announcement of the patch and its final release Microsoft tried to address those concerns. According to a spokesperson from Microsoft, "New functionality has been added since the update was originally announced. It now provides organizations with the ability to customize the new security features for the functionality they require without sacrificing security. By relying on server security features, IT administrators will be able to choose which file types can be accessed as attachments and how the warning dialog boxes are shown."

The difficult balance between changing the feature set of Outlook and ensuring safety for users was clearly on other vendor’s minds. "I don’t know if I’d ask a vendor to reduce a feature set in a product," says Narender Mangalam, product manager for Computer Associates Int’l Inc. (www.cai.com) eTrust. "After all, you can’t blame [the e-mail attacks] on Microsoft -- the fault rests squarely on those doing the abuse."

Frank Prince, a senior analyst in Forrester’s eBusiness Infrastructure group, agreed: "Most e-mail vendors don’t need to add security features -- they’re already there and waiting to be used. What we’re likely to see after all this is that the default configurations the vendors ship will change to provide better access to the security capabilities already provided."

Microsoft has addressed some of the criticism leveled after the announcement of the patch by emphasizing security tools available at the server. Those users taking advantage of Outlook in an Exchange Server environment can control the specific features that are changed by the security update. Users who are using Outlook as a standalone client or who have their mail delivered to a local personal storage file with an extension of .PST must install the full feature set of the update and cannot configure the settings once the update is in place.

Two features of the update, which worried some users, remain in the final update. Clients must upgrade Outlook with the Office SR-1 patch before installing the security update. In addition, the patch cannot be removed without uninstalling the software that Outlook was originally installed with. For instance, if Outlook was installed as part of an Office Premium Edition installation, you must uninstall all of Office before reinstalling Outlook.

The security update is available at no cost. It can be downloaded from Microsoft’s web site.