Outlook security patch - wait - 5/31/2000 > Forums

Unanswered

Active Topics

Forums

Forums > Viruswarning Forum > Viruswarning archive

Subject: Outlook security patch - wait - 5/31/2000

Email me when someone replies to this thread.

You are not authorized to post a reply.

Author

Messages

Lee Drake
Posts:238

05/20/2002 1:50 PM
DO NOT apply Microsoft's Outlook Security Patch What is he crazy? He's recommending that we do NOT apply a Microsoft Security patch? Why is that!? Well David Gray and I have looked over the specs for the patch, and what we've found is that rather than trying to finesse the problem of worm type viruses, MS has applied a sledgehammer approach to solving it, which makes your email program considerably harder to use, with limited success at preventing the spread of worms. We've provided here some details on why we don't like this patch let's take the analysis point by point: 1) This is a beta patch - it's not in full production release yet, and many vendors are testing to see whether it breaks their software. 2) I've tested it with my software (Mailer 2000) and it breaks that - I suspect it will break other software that interacts with Outlook as well. You can at best run my software for 10 minutes at a time. During that 10 minutes, you are as vulnerable to attacks as if this patch was not applied since it disables the patches security features for ALL apps during that period of time. 3) MS admits it breaks a huge number of programs that interact validly with Outlook: From Microsoft (all Microsoft text in "") - information was gleaned from the following link and its sublinks: http://officeupdate.microsoft.com/2000/articles/Out2ksecOrg.htm "Functionality Impacted by Outlook 98/2000 E-mail Security Update When the Outlook Email Security Update is installed, some functionality in Outlook and other Office applications may be impaired. This list is not comprehensive as the update is currently in development. Updated information will be posted when the update is available. Following are examples of functionality that may be impaired: " Our responses in RED A) "In some cases, the update fails to install. Microsoft is investigating, and these cases should be addressed before the ship version of the update is released. " This means the install may mess up your Outlook and/or cause you to have to reinstall it. B) "There is no remove/uninstall utility for this update. To remove it, you must remove and then reinstall Office. " Which means it if DOES mess up Outlook; you have to uninstall and reinstall the entire office package. C) "Net Folders do not always work with the update. This is under investigation. " Many people use net folders to share files and update websites. D) "In Word, routing documents through e-mail does not work. " This valuable feature of word allows you to establish a routing list for a document. This patch breaks that without offering alternative functionality. E) "Mail merge fails if used from within Word. If you start mail merge from within Outlook, mail merge works. " Since Mail Merge from within Word is far more useful and flexible, this is a major pain. F) "Palm, Windows CE devices (PDAs) have synchronization issues. These include: Syncing with the Inbox displays a prompt and then fails. This is under investigation. Synching with contacts/address book also displays a prompt, but should work. " Have a palm top or WinCE device? DO NOT install this patch - it breaks the synch functionality. G) "When working with Team Folders, many prompts are displayed when mail is sent on your behalf. If you work through the prompts, the feature works. " Most users of Exchange allow their admin assistants and others to send on their behalf - it's a powerful feature of Outlook, that again is disabled by the patch (or at least made so hard to use it's useless). H) "When using the Small Business Customer Manager (SBCM) of the Microsoft Office Small Business Tools, many prompts are displayed; however, the Customer Manager still works. " If using Microsoft's small business server, this patch breaks your management app, forcing you to reply to hundreds of dialog boxes just to get simple things done. I) "When sending PowerPoint presentations through e-mail, a warning is displayed since all presentations mailed as attachments include a Script.JS file (.JS files are included in the restricted file types list). " You'll need to zip all your Powerpoint attachments to successfully send them, otherwise Outlook will strip the attachment. This adds an extra step and requires more software which you may or may not have or know how to use. J) "When accessing the Address Book from within Word or Microsoft Excel, the prompt indicating a program is trying to access your Address Book is displayed. " Using Word to generate form letters and need an address? Then you'll have to go through additional prompts. K) "In Microsoft Access, the Send.Mail macro displays the programmatic access prompt. Due to the programmatic access limits of the update, the SQL SendMail feature is affected and restricted." Accessing your mail from a database (to send or receive)? This will break it. L) They completely eliminate the ability to send around ALL content that is an executable of any sort - not just a warning or whatever you simply can't send it. "Level 1 security files Level 1 security files (restricted access in Outlook) are files that may contain executable code themselves, or they may contain links to other files that contain executable code that could execute a virus on your computer. Level 1 file types include program files (.EXEs, .COMs), script modules and files (.BASs, .VBSs, .JSs), Internet links (URLs, .ISNs), and shortcuts to files (.LNKs, .PIFs). " M) They themselves admit this is not a solution, only a band-aid. "This update provides substantial security protection for Outlook and Microsoft encourages all Outlook 2000 and Outlook 98 users to install it. This update limits certain functionality within Outlook to provide a higher level of security for users, but does not fix a security vulnerability in Outlook. Microsoft is introducing this update to help users protect themselves from malicious coder's virus attacks. This update provides a variety of additional security safeguards for Outlook" In short they've just slapped a beta patch on with no real way to configure it to allow or not allow certain behaviors in known circumstances. It's not terribly configurable in terms of what extensions and applications are allowed to access your Outlook object model, so as new threats pop up you'll need to get into registry entries to configure the protection properly, and valid applications that depend on a tight interlink with Outlook's address book or send.mail features will now need to be babysat through multiple interactive prompts to work properly. As a result, David and I are NOT recommending that you upgrade to the latest Outlook security model beta patch at this point. Note the following warning in the documentation that they give their developers: "THIS BETA IS NOT INTENDED TO BE PLACED INTO PRODUCTION SITUATIONS, AND IT SHOULD BE DEPLOYED ONLY ON MACHINES THAT CAN BE REFORMATTED AFTER TESTING WITHOUT SERIOUS CONCERNS." and "A beta of this update is available for system administrators or independent software vendors (ISVs) to download and test for compatibility with their organization or application. This update should not be downloaded by end-users or on any machine that is not a test machine. This code is for technical evaluation only and cannot be uninstalled unless Office is completely uninstalled" and then their announcement to users of the product which contradicts this: "This update provides substantial security protection for Outlook and Microsoft encourages all Outlook 2000 and Outlook 98 users to install it." In short our advice is wait. Then you won't be among the users screaming about how MS broke their copy of Outlook :-) There MUST be a better patch than this coming along. Lee Drake, Moderator

You are not authorized to post a reply.

Forums > Viruswarning Forum > Viruswarning archive > Outlook security patch - wait - 5/31/2000

ActiveForums 3.6