Information Security News mailing list archives

Outlook ups security, but clunkily


From: InfoSec News <isn () C4I ORG>
Date: Mon, 19 Jun 2000 09:15:57 -0500

http://www.zdnet.com/eweek/stories/general/0,11011,2589425,00.html

By Michael Caton, eWEEK
June 18, 2000 9:00 PM PT

Microsoft Corp.'s Outlook update effectively blocks virus-based
exploitation of the security holes presented by the integration of
Outlook and other Office applications, but eWeek Labs found the
server-based solution cumbersome.

Released last week, the update includes a tool for setting Outlook
security globally through Microsoft's Exchange messaging server. The
patch that Microsoft released after the Love Letter attack provided
the same settings but only locally.

The update provides two security models: The first prevents users from
receiving executable and script-bearing file types; the second allows
users to receive files in ZIP format but prevents users from running
the files without first saving them on a hard drive.

The update includes a new Exchange tool that lets administrators
establish a security form in an Exchange public folder. However, the
tool requires managers to enter users individually, so creating
exceptions for select power users is time-consuming.

The update also includes a group policy profile that modifies the
registry of the client system so the security overrides take effect
for those users.

The kludginess of Microsoft's solution points to the harsh reality of
component-level integration in the Office suite. Policy-based
management and the ability to restrict security during installation
would be far more cost-effective. We would like to see Microsoft offer
its Office customers a more manageable approach to securing clients.

We recommend that sites concerned about the threat of macro and
executable viruses check out this update and evaluate their methods
for distributing Office.

Administrators must examine the security of Office, starting with
software distribution. Whether a site uses install scripts, software
image distribution or factory preinstalls, it must deliver the suite
with the most secure settings in place.

East Coast Technical Director Michael Caton can be contacted at
michael_caton () ziffdavis com
