 |
|
| technology > computing |
![[CNN Money]](http://i.cnn.net/cnn/images/main/fn.logo.newsnet.gif){kind=logo}
![[SI.com]](http://i.cnn.net/cnn/images/main/si.logo.gif){kind=logo}
( | |
 |
|
| |
| |
EDITIONS: | |
MULTIMEDIA: | |
E-MAIL: |
Subscribe to one of our news e-mail lists. Enter your address: |
DISCUSSION: |
CNN WEB SITES: |
 |
TIME INC. SITES: |
CNN NETWORKS: |
|
SITE INFO: |
WEB SERVICES: |
Outlook patch called overkill
|
(IDG) -- When it comes to viruses, Microsoft can't win for losing.
Two weeks ago Microsoft Outlook was blasted for being too loose with attachments, allowing the love bug to run rampant. Now the software giant is being blasted again, this time for clamping down too hard.
The controversy was prompted by a patch set for release this week that blocks a broad array of attachments, a blunt force effort to kill viruses such as Melissa and the recent ILOVEYOU virus.
The patch for Outlook 98 and 2000 totally blocks attachments such as .bat, .exe, .vbs. and 35 other extensions. The patch also won't let programs access the Outlook Address Book. The ILOVEYOU virus and others used the address book to quickly spread their havoc. Scripting, however, remains activated unless a user manually blocks it.
 | MESSAGE BOARD | |
|
| ||
Not all agree with the blocking tactic though. "Microsoft is making it impossible to run certain files from Outlook and we think that goes too far," says Roger Thompson, technical director of malicious code research for ICSA.Net, which certifies antivirus and firewall products.
"It breaks a lot of functionality," he says.
About a dozen vendors, including Palm and Novell, are currently testing the impact on their products.
What to do
| MORE COMPUTING INTELLIGENCE |
IDG.net home page
|
| Take control of Outlook Express |
| Top 10 nifty email add-ons |
| Postmarking e-mail |
| Find elusive email addresses |
| Reviews & in-depth info at IDG.net |
| E-BusinessWorld |
| Year 2000 World |
| Questions about computers? Let IDG.net's editors help you |
| Subscribe to IDG.net's free daily newsletter for network experts |
|
Search IDG.net in 12 languages |
| News Radio |
Fusion audio primers
|
|
Computerworld Minute
|
Virus expert Thompson says Microsoft should make optional the use of Office 2000 macros - which run code inside programs - and says Microsoft was on the right track last year when, as part of a patch to fight the Melissa virus, it forced users to transfer attachments to a hard drive before opening. This simply makes users go through one more step before opening a possibly dangerous attachment.
"It's not the viruses that you attack, it's the infection method," Thompson says. "The problem is that you have 10,000 programmers in Redmond designing for functionality and not security."
Others suggest Microsoft institute digital signatures for VBScript attachments much like the digitally signed objects concept introduced with Office 2000.
"To check all those signatures may be cumbersome and not a quick fix, but it's a good idea," says Russ Cooper, a noted Windows security expert and editor of the NT BugTraq Web site.
Cooper says Microsoft should have never released the patch until it had more feedback from the security community.
He says the blanket ban on file attachments should be reversible, letting users add back the types of files they want to accept. As it stands now, users who install the patch can only get rid of it if they uninstall, then reinstall Office.
Others are sympathetic to the Microsoft plight. "The problem is that it is nearly impossible to offer security without blocking legitimate files," says Carey Nachenberg, chief researcher at Symantec's Antivirus Research Center in Santa Monica, Calif. "Microsoft's effort is a good first step. At least it should reduce the speed at which viruses can spread."
Nachenberg recommends users filter all documents and strip out macros, executable files and scripts. But the bottom line is enterprises will have a difficult decision between convenience and security. Nachenberg says building protective walls will be difficult because it will require changes in network configurations, and software development and deployment.
"In the end it will come down to corporations deciding how important their intellectual capital is and the level of risk they are willing to take," he says.
The customer view
While enterprise users generally applaud Microsoft's efforts, customers say in a perfect world security would be adjustable.
"We need to have a set of controls that we can either dial up or dial down as we see fit," says Shaun Brachman, systems project leader for plumbing and power system manufacturer Kohler in Kohler, Wis.
Brachman has about 5,000 users on Microsoft's Outlook and spent a few days digging out from the recent ILOVEYOU virus. "With Outlook, the security is either on or it's off, and that's not enough for the enterprise."
Another user agrees. "In some ways this update appears to go a little too far," says David Ellis, senior technical analyst for Carlson Shared Services, a travel, hospitality and marketing firm in Minneapolis. "We have some people who run customized forms and scripts in Outlook, and all that will be affected. We will really have to test this update."
Ellis has some 20,000 users worldwide, and "like it or not, e-mail is used for file transfer."
Microsoft defended its decision on the grounds that security is paramount. "When we created the update, we weighed functionality vs. security, and in this case we decided to offer unprecedented security," says Lisa Gurry, product manager for Microsoft Office. "We know this is not bulletproof. It's a single step and we will continue to work on it."
RELATED STORIES:
Clues lead to ILOVEYOU writer's older, cruder work
May 6, 2000
Internet provider in Philippines homes in on virus author
May 5, 2000
Copycat viruses following 'ILOVEYOU' computer bug are no joke
May 4, 2000
Destructive 'ILOVEYOU' computer virus strikes worldwide
May 4, 2000
RELATED IDG.net STORIES:
Top 10 nifty email add-ons
(PC World)
Postmarking e-mail
(FCW.com)
Find elusive email addresses
(PC World)
Take control of Outlook Express
(PC World)
Love Bug postmortem: No sure prevention for e-mail attacks
(Infoworld)
Penguinistas feel the love
(Linuxworld)
Love Letter worm rated most damaging ever
(IDG.net)
Frisking computers at the door
(Network World Fusion)
RELATED SITES:
Take a tour of Outlook 2000
Microsoft's Outlook security update
Details of the LoveLetter virus
Note: Pages will open in a new browser windowExternal sites are not endorsed by CNN Interactive.