Software patch called overkill
- By John Fontana
- May 24, 2000
Critics are knocking Microsoft Corp.'s blunt-force effort to kill viruses.
Two weeks ago Microsoft Outlook was blasted for being too loose with
attachments, allowing the "love bug" to run rampant. Now the software giant
is being blasted again, this time for clamping down too hard.
A patch to be released this week blocks a broad array of attachments,
stamping out bug-bearing files such as those in the "Melissa" and "ILOVEYOU"
The patch for Outlook 98 and 2000 totally blocks attachments such as
.bat, .exe, .vbs and 35 other extensions. The patch also won't let programs
access the Outlook Address Book. The "love bug" and others used the address
book to quickly spread havoc.
Not everyone agrees with the blocking tactic. "Microsoft is making it
impossible to run certain files from Outlook, and we think that goes too
far," said Roger Thompson, technical director of malicious code research
for ICSA.Net, which certifies antivirus and firewall products. "It breaks
a lot of functionality."
Instead, Thompson said Microsoft should make optional the use of Office
2000 macros. He said Microsoft was on the right track last year when, as
part of a patch to fight the Melissa virus, it forced users to transfer
attachments to a hard drive before opening. This makes users go through
one more step before opening a possibly dangerous attachment.
"It's not the viruses that you attack, it's the infection method," Thompson
says. "The problem is that you have 10,000 programmers in Redmond designing
for functionality and not security."
Users who install the patch can only get rid of it if they uninstall,
then reinstall Office, according to Russ Cooper, a noted Windows security
expert and editor of the NT BugTraq Web site. He says the blanket ban on
file attachments should be reversible, letting users add back the types
of files they want to accept.
Microsoft defended its decision on the grounds that security is paramount.
"When we created the update, we weighed functionality vs. security, and
in this case we decided to offer unprecedented security," says Lisa Gurry,
product manager for Microsoft Office. "We know this is not bulletproof.
It's a single step and we will continue to work on it."
Story copyright 2000 Network World Inc. All rights reserved.