MS to patch things up, Outlook good

The patch, which is for the Office 98 and 2000 clients, but not the free Outlook Express software, was released on Monday through Microsoft's Office Update web site, http://officeupdate.microsoft.com/ . A completed version is expected to be available in the week of May 22, said Lisa Gurry, a product manager for Office.

Users installing the patch will lose some functionality in Outlook but, Gurry said, a growing number of users are willing to make that sacrifice in return for a more secure product.

"We've thought about the balance for a long time. Hackers are getting much more sophisticated and, based on this growing sophistication and exploitation of vulnerabilities in Outlook, we looked at security versus functionality," Gurry said. "In the past we focused more on functionality but this update tips the balance in terms of security."

Roger Thompson, director of malicious code at ICSA.net said he wondered whether the company had gone too far in the opposite direction. "It's a real good step. I'm just wondering if they have broken more functionality than they needed to. The anti-virus people would have been pleased to see them just disable the launching of any applications from within Outlook."

The patch tackles the security problem at three levels.

First, the patch attempts to automatically delete all file attachments that could contain executable code. Microsoft has created a list of files that will be caught by the filter and it includes everything from batch files and HTML help files to executable programs and Photo CD images. When a message is received with such an attachment the user will be denied access to the file and notified that the attachment was unsafe.

Users will be able to add to the list of unsafe file types, but won't be able to delete any file types specified by the company.

"This is by design," Gurry said. "We are looking at this as a very strong update to the security of Outlook and adding such an option dilutes the update.

A second definition file, which at present includes just compressed ".zip" files will also exist in the software. Whenever such attachments are received, the user will be warned that viruses can exist within the file and instructed to save the file to disk before it can be opened.

A second level of protection will come from what Microsoft calls the "Object Model Guard." This will intercept attempts by other programs to access the Outlook address book or use the mail client to send messages. Such attempts will result in an alert to the user who will have to positively grant the program access.

As a final measure, the patch pushes the default security settings for Outlook from the Internet zone to the restricted zone. "This disables some scripting and Active X downloads so that some scripts and some downloads, which would be automatically run, are disabled," Gurry said.

The patch received a cautious welcome from some in the anti-virus industry.

"This is a step in the right direction," said Dan Schrader, chief security risk analyst at Trend Micro. "It's not nearly a big enough step but Microsoft can't be taking these steps alone."

He said users need to be better educated about handling of files through e-mail and corporations also need to do more to stop such malicious code from getting to the desktop.

"We're relying on desktops as our first and only line of defense. We can only do so much at the desktop," he said. "Any security model that relies on the user doing the right thing is doomed to fail."

Nevertheless, Schrader said, while the steps taken by Microsoft won't leave Outlook impervious to all viruses, it will stop the software from being hit by the so-called "script kiddies" who manage to cause problems with relatively simple files.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Martyn Williams

PC World
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?