SAN MATEO (05/21/2000) - In a rare mea culpa, Microsoft Corp. last week admitted that vulnerabilities in its Outlook e-mail program helped propagate the damaging "I Love You" worm, prompting the software giant to release a free security upgrade to protect users from opening and spreading computer viruses.
Yet some observers say that although Microsoft's intention is good, the patch leaves much to be desired.
"This implementation was rushed to market and shows the signs of quickly getting something out to answer criticism and really missing badly," said John Pescatore, network security research director at Gartner, in Stamford, Connecticut.
Specifically, some analysts and IT managers say the fix is too file-attachment restrictive and impedes such functions as Palm synchronization. Another major gripe of IT managers is the "all or nothing" aspect of its installation, meaning the upgrade cannot be uninstalled without wiping clean the entire Microsoft Office suite and starting from scratch.
"If we were to push something like that to our clients, it would be a nightmare because we'd have to go fix [reinstall] the entire system. It's unwieldy and unreasonable to expect people to do that," said Alex Polomski, network systems manager at the Massachusetts Department of Education, in Malden.
"If that's their only solution, they should come up with something better," Polomski added.
In the past, Microsoft has proved reluctant to install any anti-virus measures at all in to Outlook, despite fallout for serving as a launching pad for other e-mail attacks, such as 1999's Melissa virus. The company had concerns that much of the software's appeal and functionality would be lost on users because of the integration of security features, said Lisa Gurry, product manager of the Microsoft Office team.
The fix Microsoft is now offering restricts users from running any type of executable code attachments in e-mail; ZIP files must be saved to disk to be viewed. The company also will release a patch that will issue an alert if an e-mail attachment attempts to access Outlook or tries to send itself to parties listed in the user's e-mail address book.
The Outlook e-mail attachment filtering update takes no prisoners: Besides Visual Basic Script, Windows Script, and JavaScript files, it also stops Windows Help files, batch files, PowerPoint files, Photo CD images, and Internet shortcuts, Microsoft officials said.
Kyle Ross, IS coordinator at the McGahn Medical Center, in Santa Barbara, California, said that he would prefer waiting for a reinforced new version of Outlook to hit the market rather than installing the questionable update so as to receive the updated security measures.
The update for Outlook 98 and 2000 is available for download on the Microsoft Web site.
Microsoft Corp., in Redmond, Washington, is at www.microsoft.com.
IT eyes external e-mail help
The unforgiving wake-up call delivered by the "I Love You" worm has once again spurred attention to increased e-mail protection for those who may have absently let their Melissa-virus memory run dry.
With the state of anti-virus software still primarily in reactive mode, outsourcing e-mail under an anti-virus blanket could be a big step in weathering future virus attacks, said John Pescatore, network security research director at Gartner, in Stamford, Connecticut.
"It makes a lot of sense. It doesn't stop the problem, particularly when the virus hits. The window that outsourcing closes is the next window: How long did it take from the time when someone [first] noticed [the virus infiltration] to when you noticed [it]?" Pescatore said of having such close monitoring of e-mail traffic.
According to Gartner, by 2001 more than 40 percent of enterprises will be outsourcing all or part of their e-mail systems.
Last week, Yahoo chose Symantec to scan and safeguard its Yahoo Mail users from receiving or sending e-mail attachments that could bear lurking malicious code attacks. Symantec will feed up-to-date virus definitions to Yahoo in real time, officials said.
Pescatore said that the increased protection is dispelling old myths that free mail means "you pay for what you get," security-wise. It also helps eliminate many unguarded e-mail relay connections, he added.
Following "I Love You" epidemic, automotive giant Ford jumped into the act, signing up for Mail.com's MailZone e-mail firewall service to protect its corporate infrastructure from virus attack.
Ford spokeswoman Kathleen Vokes said MailZone works extremely well with the company's "layered" security approach, adding another level of e-mail defense to its enterprise.
Symantec Corp., in Cupertino, California, is at www.symantec.com. Yahoo Inc., in Santa Clara, California, is at www.yahoo.com. Ford Motor Co., in Dearborn, Michigan, is at www.ford.com. Mail.com Inc., in New York, is at www.mail.com.