Information Security News mailing list archives

MS Finally Addresses Email Hole


From: William Knowles <wk () C4I ORG>
Date: Mon, 15 May 2000 15:57:14 -0500

http://www.wired.com/news/technology/0,1282,36353,00.html

3:35 p.m. May. 15, 2000 PDT

SEATTLE -- Microsoft said Monday it will issue a patch for its
corporate email software that will help defend customers against
computer viruses like the recent Love Bug that shut down many company
and government networks.

The patch, which is a small bit of programming code that fixes a
software bug or changes the way an application works, will stop users
of Microsoft's Outlook software from receiving certain types of files
that hold the most common viruses.

"Given the fact that Love Bug was a global economic event, we need to
do our part ... and take pretty decisive steps here, and we think this
will eradicate this class of viruses," Tom Bailey, Microsoft's group
product manager for Office, said in an interview.

The Love Bug spread by making copies of itself and sending them out to
listings in a victim's email address book in Outlook, Microsoft's
scheduling and communications application for corporations and
institutions.

In the wake of the virus attack earlier this month, many analysts
pointed a finger at Microsoft, saying the software giant's products
were far too vulnerable to hackers and malicious software programs
like the Love Bug.

Microsoft's fix, which will be available here on May 22, will not let
users open files containing the suffix ".exe," ".bat," and others that
indicate the file is a program that performs certain functions, Bailey
said.

It will not affect picture, document, or Web page file types such as
".jpg," ".doc," or ".htm," because the software tools used to view
those files already contained strong security measures, Bailey said.

Outlook would also be updated so that if a program tried to access a
user's address book, a warning would pop up on screen asking whether
or not to let the program proceed.

"That (pop-up message) is trying to attack the malicious replication
and put users back in control," Bailey said.

Bailey said the pop-up could appear for other legitimate software,
such as that for personal digital assistants, that tries to access the
address book. Information on what programs will be affected will be
posted on the Web page.

"We always try to strike a balance between the openness of the product
and security," Bailey said.

"We've tried to be reactive to this thing, like antivirus software
writers are. What we are trying to do going forward is to take a more
proactive response to this," he said.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
