April 6, 2001 9:35 AM PDT
Microsoft's virus antidote: Ban attachments
- Related Stories
Office XP test drive almost freeApril 2, 2001
Year of the WormMarch 15, 2001
New Microsoft Office faces dual obstaclesMarch 8, 2001
"Love" variant could spawn targeted attacksAugust 17, 2000
Microsoft criticized for lack of software securityMay 5, 2000
Philippine ISP cooperating with FBI in virus probeMay 4, 2000
Email virus spreading rapidlyMarch 26, 1999
Responding to the rash of e-mail viruses that started with Melissa and I Love You, the Redmond, Wash.-based company is clamping down on the types of file attachments that will work with the newest version of its Outlook e-mail software.
Outlook 2002, a new e-mail application included with Microsoft's forthcoming Office XP business software suite due later this spring, will by default reject more than 30 types of files sent as e-mail attachments, according to company executives.
The files, deemed by Microsoft as most likely to be used by hackers to transfer viruses, include some of the most common types, such as program execution files, batch files, Windows help files, and Java and Visual Basic scripting files. Also blocked are photo CD images, screensavers and HTML application files, according to a list supplied by Microsoft.
Opponents to the plan say Microsoft will make it much more difficult to share routine--and harmless--information via e-mail attachments.
Outlook 2002 doesn't block e-mail messages with appended restricted files, but it will refuse to open or download restricted file types. In a test conducted by CNET News.com, Outlook 2002 rejected an .exe file, Palm.exe, sent as an attachment to an e-mail message. An e-mail message displayed on the e-mail recipient's PC read: "Outlook blocked access to the following potentially unsafe attachments: palm.exe."
Outlook 2002 users can send the restricted files as attachments, but the program will display the message: "Recipients using Microsoft Outlook may not be able to open these attachments."
Microsoft's crackdown on e-mail attachments is not new. After the I Love You virus outbreak, the company posted an Outlook 97 and Outlook 2000 security update that restricted access to some e-mail attachments. Late last year, Microsoft also added the security update to the second Office 2000 service pack, which included a collection of bug fixes.
But in both cases, individuals and companies could choose whether to apply the restrictive update. With Outlook 2002, Microsoft will compel everyone to adopt the new security measure. The company also makes it nearly impossible for individuals and very difficult for corporations to disable the feature, which the company says is necessitated by the threat the attachments pose.
"We felt that in order to provide a level of protection many of our customers were asking for--as well as make sure that people became aware of good e-mail protocols--we needed to take a bit of a harsher step," said Lisa Gurry, Office XP product manager.
But in taking that "harsher step," Microsoft also made the feature difficult to turn off, offering the average user no simple or direct means of disabling the function.
Gurry said that with so few people downloading the updates, "unless we build something into the product, it's likely not going to protect them."
For companies offering tech support or for software developers--two groups that routinely send e-mail files Outlook 2002 won't accept--their jobs could get a lot harder. For everyone else, Microsoft insists e-mail will be safer to use.
But some people question Microsoft's approach of blocking file access from e-mail, arguing the company is not dealing with the real problem, which is how certain file types affect both Outlook and Windows.
Matt Bishop, a computer sciences professor with the University California at Davis, described Microsoft's solution as "a step in the right direction." But Jay Goodwin, an Office user from Irvine, Calif., isn't so sure.
"I do suspect this is a Band-Aid to a much larger problem Microsoft seems to have with regards to the security of their products," Goodwin said. "As a friend of mine commented recently, 'I think this hoof-and-mouth disease is the only virus that doesn't affect Outlook.'"
The problem has more to do with Windows than with Outlook, said Bill Jaeger, applied research director for MetaSes, an Atlanta-based security services firm and Meta Group affiliate.
"This is most certainly a Band-Aid for the greater security problems inherent in Windows," he said. "The appropriate solution is for Windows to not blindly run any content that looks like an executable."
Many Microsoft competitors do not take such a heavy-handed approach. Qualcomm's Eudora, for example, does not restrict file attachments the way Outlook 2002 will.
Scott Shuchart, a Eudora user from New Haven, Conn., believes "naive users probably need all the protection they can get. I really am all for limiting .exe forwarding so long as it doesn't break the product (more) for the clueful." That, he added, is what Microsoft appears to be doing with Outlook, which he described as "a hideous monstrosity."
Justified by the damage
The financial damage caused by viruses such as I Love You and Melissa warrants taking such aggressive action, even at the cost of the user's choice, Gurry said.
Companies with Outlook attached to a server running Microsoft Exchange would have some ability to adjust the default security settings, Gurry said. But she would not go into detail about how that might be done.
"For businesses or small businesses that don't have that server option, we're providing an additional option with Office XP you can choose to turn off the attachment support," Gurry said. "But that's something we don't recommend that people do."
In fact, Microsoft makes turning off the feature downright difficult. Office XP users must physically edit the Windows Registry--an internal database of Windows information--to turn off the attachment restriction function. Microsoft makes it fairly easy to adjust other security features in its products; for example, an easily accessible control can be used to adjust how Internet Explorer responds to potentially dangerous Web content.
Microsoft won't provide instructions on how to tweak the registry "until Office XP is broadly available," Gurry said. Office XP is due to reach store shelves May 31.
Security expert Richard Smith, who had a hand in uncovering the Melissa virus' origins, believes Microsoft is taking tough action where it is warranted.
"I'm very supportive of it," he said. "I think it's socially unacceptable to send executables around, even legitimate ones. This kind of enforces that rule, and we'll kind of have to get used to it."
Smith sees a simple solution for people absolutely needing to send executable file attachments: Compress the file using popular utilities like WinZip.
"Us programmers are going to have to get used to zipping things up first," he said. "It's called changing social behavior."
But Jaeger, in some ways, sees Microsoft's solution as dangerous.
"This doesn't solve the greater problem and simply leads to a false sense of security," he said. "It's time for Microsoft to start curing the problem, not treating the symptoms."
Bishop said he expects some controversy over Microsoft's handling of the matter but doubts there will ever be a consensus on the approach.
"I don't think you'll be able to get people to agree on whether it's too little or too much," he said.