Whatever else Microsoft may be accused of, the company certainly listens to its customers -- at least the big, irate ones. In response to howls of protest from corporate information technology managers, Microsoft has decided to scale back on the tougher security planned for a new version of its Outlook contact, calendar, and e-mail program. The decision will delay the update until early June, with changes designed to prevent a recurrence of the "Love Bug" virus.
Back on May 16, Microsoft announced that it was making two fundamental changes to Outlook 98 and 2000 (see BW Online, 5/15/00, "Post Love Bug, Microsoft Trades Flexibility for Security"). Once users downloaded and installed a patch, which was to have been available on Monday, May 22, Outlook would no longer accept certain types of programs as an attachment. This would stop the easy distribution of so-called worms like the Love Bug, which was contained in a type of program called a VB Script.
Second, Outlook would no longer allow other programs to have access to its address book unless the user explicitly agreed to each request. This would have stopped the Love Bug from automatically sending itself to everyone in an infected computer's address book, but it also would have added a manual step to legitimate activities, such as synchronizing Outlook with a Palm handheld.
FAVORITE FEATURE.
When the Love Bug first appeared, security experts said the attack didn't so much exploit a hole in Microsoft software as take advantage of a design feature. For example, a company could distribute software by e-mail and have users install it just by clicking on an attachment. The ability of Outlook to run programs downloaded from an attachment and give access to the address book "is really at the heart of the problem," says security researcher Steven M. Bellovin of AT&T Research. "These features are there because there are benefits, but the mechanism has been developed and deployed without thought to the consequences."
But since then, corporate users have made it clear that they weren't going to give those features up without a fight. "We heard from customers that they would evaluate the patch, but they would have difficulty deploying it unless they would be able to customize it," says Tom Bailey, group product manager for Microsoft Office. Independent software vendors also complained that the new Outlook would disable programs that depended on access to the address book.
Faced with a revolt that threatened the installation of the patch at large enterprises, Microsoft backed down on May 25. Corporations that run their mail systems on Microsoft Exchange, Hewlett-Packard OpenView, Novell GroupWise, or Lotus Domino will be able to override the new Outlook security settings and replace them with their own. Rules set on the mail server will determine what attachments can be received and which programs can use the address book without permission. Companies can also set different rules for different groups of users. A revised patch is expected to be available for download from www.officeupdate.microsoft.com sometime during the week of May 29.
LAUNCHING PADS.
In theory, the more customizable Outlook could be just as safe as the original patch. Only corporate IT managers can do the customization -- the idea being that, since they know what they're doing, they will make sure that nothing dangerous is allowed. Unfortunately, however, these are the same IT managers who failed to use these same server-based security controls in the wake of the Melissa attack in early 1999 and left their systems wide open to the Love Bug.
It's easy to say corporations that fail to take adequate security measures get what they deserve. But in this age of inter-networked systems, lax policies at one company could threaten the security at others by allowing one company's e-mail system to be used as a launching pad for attack. Much of the damage done by the Love Bug was in the sheer volume of mail traffic that it spawned.
Still, it's hard to fault Microsoft for backing down when faced with the reality that if it didn't, corporate accounts might simply refuse to install the new software. "We had to balance what we're trying to achieve," says Bailey. "The revised patch doesn't jeopardize any security, but it does increase the chances that corporations will deploy it sooner rather than later."
I would urge anyone who uses Outlook 98 or Outlook 2000 at home or on a small or midsize business network to install the security patch as soon as it becomes available. Better to put up with a little inconvenience than deal with a trashed hard drive in the inevitable next attack.
Stephen H. Wildstrom in Washington EDITED BY BETH BELTON