Software patch called overkill

Critics are knocking Microsoft Corp.'s blunt-force effort to kill viruses.

Two weeks ago Microsoft Outlook was blasted for being too loose with attachments, allowing the "love bug" to run rampant. Now the software giant is being blasted again, this time for clamping down too hard.

A patch to be released this week blocks a broad array of attachments, stamping out bug-bearing files such as those in the "Melissa" and "ILOVEYOU" virus outbreaks.

The patch for Outlook 98 and 2000 totally blocks attachments such as .bat, .exe, .vbs and 35 other extensions. The patch also won't let programs access the Outlook Address Book. The "love bug" and others used the address book to quickly spread havoc.

Not everyone agrees with the blocking tactic. "Microsoft is making it impossible to run certain files from Outlook, and we think that goes too far," said Roger Thompson, technical director of malicious code research for ICSA.Net, which certifies antivirus and firewall products. "It breaks a lot of functionality."

Instead, Thompson said Microsoft should make optional the use of Office 2000 macros. He said Microsoft was on the right track last year when, as part of a patch to fight the Melissa virus, it forced users to transfer attachments to a hard drive before opening. This makes users go through one more step before opening a possibly dangerous attachment.

"It's not the viruses that you attack, it's the infection method," Thompson says. "The problem is that you have 10,000 programmers in Redmond designing for functionality and not security."

Users who install the patch can only get rid of it if they uninstall, then reinstall Office, according to Russ Cooper, a noted Windows security expert and editor of the NT BugTraq Web site. He says the blanket ban on file attachments should be reversible, letting users add back the types of files they want to accept.

Microsoft defended its decision on the grounds that security is paramount. "When we created the update, we weighed functionality vs. security, and in this case we decided to offer unprecedented security," says Lisa Gurry, product manager for Microsoft Office. "We know this is not bulletproof. It's a single step and we will continue to work on it."

For more information about enterprise networking, go to Network World Fusion. Story copyright 2000 Network World Inc. All rights reserved.

MORE INFO

"Cybersentries assailed again" [FCW.com, May 19, 2000]

Extensive "love bug" virus coverage [FCW.com, May 8, 2000]

Microsoft's page about the patch

BY John Fontana, Network World
May 24, 2000
