PREMIUM SEARCH Search by job title, geography and build a list of executive contacts
The vulnerability of Microsoft products to hacker attacks has long caused about as much consternation among computer-security experts as the company's business practices have among antitrust lawyers. But in the wake of the "Love Bug" assault, which used well-known weaknesses in Windows and Office to paralyze computers and e-mail systems around the world, Microsoft finally seems to be sitting up and taking notice.
On May 15, Microsoft will announce that it's making some fundamental changes in Outlook -- an e-mail, contact management, and calendar program widely used in business. The repair patch for Outlook 98 and Outlook 2000, which will require a download of about 1 megabyte, will be made available on Microsoft's Web site the week of May 22.
Once the patch is applied, Outlook will become a program that is somewhat less convenient to use but a lot safer. Microsoft's long-time philosophy was that if people choose to do risky things with their computers, it's their own business and not Microsoft's role to stop them. But I have over 1,000 names in my Outlook address book, and if I had foolishly opened a Love Bug attachment, I would potentially have put all of them at risk.
BASIC CHANGES.
"In the past, we've always sided with users' desire for power and flexibility," says Steven Sinofsky, senior vice-president in Microsoft's Office group. "Now we are saying that because of the pervasiveness of networking, there are some things you cannot do because of the risk they pose to other peoples' systems."
The changes, which were under consideration before Love Bug but accelerated after the attack, take two basic forms. First, Outlook will refuse even to look at certain types of message attachments, such as the so-called VB Script attachment that carried the Love Bug payload, and users cannot override this. Essentially, all program attachments will be blocked.
A second set of changes, which most Outlook users will be more likely to notice, severely restricts how other programs get access to the Outlook address book. The Love Bug spread so quickly because it sent a copy of itself to everyone listed in the address book, something which Outlook's design made very easy. A program other than Outlook itself will need permission from the user every time it needs access to the address book. This feature, too, cannot be turned off.
NOT-SO-EASY SYNCING.
The most obvious effect is that a Palm or Windows CE handheld will have to ask permission each time it syncs with Outlook. No longer will it be possible to sync remotely over a network. Mail merges from Word or other Office programs will also be affected, as will a number of business applications, such as Siebel's customer-relationship-management applications and SAP's enterprise resource-planning software. Antivirus programs are also likely to trigger an alert during scans. Microsoft is working with the third-party software companies to minimize these impacts.
The new approach does not affect the free Outlook Express mail program, which, despite its name, has almost nothing in common with Outlook. It doesn't even use the same address book. And while Outlook Express is somewhat harder to attack than Outlook 98 or 2000, vulnerability exists there also, Sinofsky admits. Microsoft is working on changes to Outlook Express that will make it, too, more secure.
These changes represent an important philosophical shift by Microsoft. "From this point forward," says Sinofsky, "security is the top design point for Office, even if it means less flexibility."
Stephen H. Wildstrom in Washington EDITED BY DOUGLAS HARBRECHT
Get BusinessWeek directly on your desktop with our RSS feeds.
Add BusinessWeek news to your Web site with our headline feed.
Click to buy an e-print or reprint of a BusinessWeek or BusinessWeek Online story or video.
To subscribe online to BusinessWeek magazine, please click here.
Copyright 2000 , by The McGraw-Hill Companies Inc. All rights reserved.
Printer-Friendly Version
