The patch, which is for the Office 98 and 2000 clients, but not the free Outlook Express software, was released on Monday through Microsoft's Office Update web site, http://officeupdate.microsoft.com/ . A completed version is expected to be available in the week of May 22, said Lisa Gurry, a product manager for Office.
Users installing the patch will lose some functionality in Outlook but, Gurry said, a growing number of users are willing to make that sacrifice in return for a more secure product.
"We've thought about the balance for a long time. Hackers are getting much more sophisticated and, based on this growing sophistication and exploitation of vulnerabilities in Outlook, we looked at security versus functionality," Gurry said. "In the past we focused more on functionality but this update tips the balance in terms of security."
Roger Thompson, director of malicious code at ICSA.net said he wondered whether the company had gone too far in the opposite direction. "It's a real good step. I'm just wondering if they have broken more functionality than they needed to. The anti-virus people would have been pleased to see them just disable the launching of any applications from within Outlook."
The patch tackles the security problem at three levels.
First, the patch attempts to automatically delete all file attachments that could contain executable code. Microsoft has created a list of files that will be caught by the filter and it includes everything from batch files and HTML help files to executable programs and Photo CD images. When a message is received with such an attachment the user will be denied access to the file and notified that the attachment was unsafe.
Users will be able to add to the list of unsafe file types, but won't be able to delete any file types specified by the company.
"This is by design," Gurry said. "We are looking at this as a very strong update to the security of Outlook and adding such an option dilutes the update.
A second definition file, which at present includes just compressed ".zip" files will also exist in the software. Whenever such attachments are received, the user will be warned that viruses can exist within the file and instructed to save the file to disk before it can be opened.
A second level of protection will come from what Microsoft calls the "Object Model Guard." This will intercept attempts by other programs to access the Outlook address book or use the mail client to send messages. Such attempts will result in an alert to the user who will have to positively grant the program access.
As a final measure, the patch pushes the default security settings for Outlook from the Internet zone to the restricted zone. "This disables some scripting and Active X downloads so that some scripts and some downloads, which would be automatically run, are disabled," Gurry said.
The patch received a cautious welcome from some in the anti-virus industry.
"This is a step in the right direction," said Dan Schrader, chief security risk analyst at Trend Micro. "It's not nearly a big enough step but Microsoft can't be taking these steps alone."
He said users need to be better educated about handling of files through e-mail and corporations also need to do more to stop such malicious code from getting to the desktop.
"We're relying on desktops as our first and only line of defense. We can only do so much at the desktop," he said. "Any security model that relies on the user doing the right thing is doomed to fail."
Nevertheless, Schrader said, while the steps taken by Microsoft won't leave Outlook impervious to all viruses, it will stop the software from being hit by the so-called "script kiddies" who manage to cause problems with relatively simple files.