MS to patch things up, Outlook good

The patch, which is for the Office 98 and 2000 clients, but not the free Outlook Express software, was released on Monday through Microsoft's Office Update web site, . A completed version is expected to be available in the week of May 22, said Lisa Gurry, a product manager for Office.

Users installing the patch will lose some functionality in Outlook but, Gurry said, a growing number of users are willing to make that sacrifice in return for a more secure product.

"We've thought about the balance for a long time. Hackers are getting much more sophisticated and, based on this growing sophistication and exploitation of vulnerabilities in Outlook, we looked at security versus functionality," Gurry said. "In the past we focused more on functionality but this update tips the balance in terms of security."

Roger Thompson, director of malicious code at said he wondered whether the company had gone too far in the opposite direction. "It's a real good step. I'm just wondering if they have broken more functionality than they needed to. The anti-virus people would have been pleased to see them just disable the launching of any applications from within Outlook."

The patch tackles the security problem at three levels.

First, the patch attempts to automatically delete all file attachments that could contain executable code. Microsoft has created a list of files that will be caught by the filter and it includes everything from batch files and HTML help files to executable programs and Photo CD images. When a message is received with such an attachment the user will be denied access to the file and notified that the attachment was unsafe.

Users will be able to add to the list of unsafe file types, but won't be able to delete any file types specified by the company.

"This is by design," Gurry said. "We are looking at this as a very strong update to the security of Outlook and adding such an option dilutes the update.

A second definition file, which at present includes just compressed ".zip" files will also exist in the software. Whenever such attachments are received, the user will be warned that viruses can exist within the file and instructed to save the file to disk before it can be opened.

A second level of protection will come from what Microsoft calls the "Object Model Guard." This will intercept attempts by other programs to access the Outlook address book or use the mail client to send messages. Such attempts will result in an alert to the user who will have to positively grant the program access.

As a final measure, the patch pushes the default security settings for Outlook from the Internet zone to the restricted zone. "This disables some scripting and Active X downloads so that some scripts and some downloads, which would be automatically run, are disabled," Gurry said.

The patch received a cautious welcome from some in the anti-virus industry.

"This is a step in the right direction," said Dan Schrader, chief security risk analyst at Trend Micro. "It's not nearly a big enough step but Microsoft can't be taking these steps alone."

He said users need to be better educated about handling of files through e-mail and corporations also need to do more to stop such malicious code from getting to the desktop.

"We're relying on desktops as our first and only line of defense. We can only do so much at the desktop," he said. "Any security model that relies on the user doing the right thing is doomed to fail."

Nevertheless, Schrader said, while the steps taken by Microsoft won't leave Outlook impervious to all viruses, it will stop the software from being hit by the so-called "script kiddies" who manage to cause problems with relatively simple files.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Martyn Williams

PC World
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?