Software patch called overkill

Two weeks ago Microsoft Outlook was blasted for being too loose with attachments, allowing the 'love bug' to run rampant; now it's clamping down too hard, critics say

Critics are knocking Microsoft Corp.'s blunt-force effort to kill viruses.

Two weeks ago Microsoft Outlook was blasted for being too loose with attachments, allowing the "love bug" to run rampant. Now the software giant is being blasted again, this time for clamping down too hard.

A patch to be released this week blocks a broad array of attachments, stamping out bug-bearing files such as those in the "Melissa" and "ILOVEYOU" virus outbreaks.

The patch for Outlook 98 and 2000 totally blocks attachments such as .bat, .exe, .vbs and 35 other extensions. The patch also won't let programs access the Outlook Address Book. The "love bug" and others used the address book to quickly spread havoc.

Not everyone agrees with the blocking tactic. "Microsoft is making it impossible to run certain files from Outlook, and we think that goes too far," said Roger Thompson, technical director of malicious code research for ICSA.Net, which certifies antivirus and firewall products. "It breaks a lot of functionality."

Instead, Thompson said Microsoft should make the use of Office 2000 macros optional. He said Microsoft was on the right track last year when, as part of a patch to fight the Melissa virus, it forced users to transfer attachments to a hard drive before opening them. This makes users go through one more step before opening a possibly dangerous attachment.

"It's not the viruses that you attack, it's the infection method," Thompson says. "The problem is that you have 10,000 programmers in Redmond designing for functionality and not security."

Users who install the patch can only get rid of it if they uninstall, then reinstall Office, according to Russ Cooper, a noted Windows security expert and editor of the NT BugTraq Web site. He says the blanket ban on file attachments should be reversible, letting users add back the types of files they want to accept.

Microsoft defended its decision on the grounds that security is paramount. "When we created the update, we weighed functionality vs. security, and in this case we decided to offer unprecedented security," says Lisa Gurry, product manager for Microsoft Office. "We know this is not bulletproof. It's a single step and we will continue to work on it."

For more information about enterprise networking, go to Network World Fusion. Story copyright 2000 Network World Inc. All rights reserved.


BY John Fontana, Network World
May 24, 2000
