More than a week after the "Love Bug" virus took down Outlook-based email systems around the world, Microsoft Corporation has attacked the cause of the problem with a patch that alters the way Outlook handles executable scripts. The company describes this patch as a "significant security enhancement," leading experts to ponder why this behavior wasn't built into the product to begin with. Dubbed the Outlook Email Security Update, this new "enhancement" actually limits functionality within Outlook to provide better security to its users. Microsoft will make it available for free download from the Office Update Web site next week, but Office users can also enable the Office AutoUpdate service to be automatically prompted to download the patch when it becomes available.
"Given the global impact of the \["Love Bug"\] virus and the growing threat of malicious hackers, we strongly believe we must take the unprecedented step of limiting certain popular functionality in Outlook to provide a significant, additional security option for our customers," says Steven Sinofsky, the senior VP of Microsoft Office. "While this new security enhancement won't eliminate the threat of viruses, we believe it can greatly help eradicate the damaging class of viruses that have resulted in the \["Love Bug"\] and Melissa viruses. We strongly recommend that customers download this update to help safeguard against these types of viruses."
Microsoft touts a number of security experts who are complimenting Microsoft on its timely action in fighting this problem, but I've received numerous messages from people who are upset that it took them this long to provide a fix. Indeed, by the time that the fix is available, the Love Bug virus will have been around for almost three weeks. Analysts are deridingly referring to this patch as "closing the barn door after the horses have been stolen." It's a good point, and in a day where so many people are questioning Microsoft's commitment to security, it's somewhat surprising that the company wouldn't take a stand on the issue more quickly. Instead, Microsoft has constructed a series of bullet points to answer press queries such as mine:
- Microsoft is taking a big step to improve security by introducing a major security enhancement to Outlook.
- The update will guard against viral attacks that travel via executables and other high-risk email attachments, and guard against worm attacks that replicate via Outlook's extensibility architecture.
- Microsoft strongly recommends that all users download this new enhancement to help safe guard themselves from potential viruses. Users should review the documentation on the Office Update Web site before installing.
- Office has made consistent investments in the Office security architecture over time to prevent viruses from spreading via Office.
- Office tries to strike the right balance between its extensibility, which is very popular and used by millions of customers, with the needs to provide effective security in the product.
- The Outlook Email Security Update represents a major shift in how we balance openness/flexibility and security with taking the unprecedented step of sacrificing popular functionality to make Office significantly more secure.
- Microsoft will bring ISVs to campus to determine the best long-term solution that provides the best balance between flexibility and security.
- While Microsoft believes the availability of this update will significantly help Outlook users protect themselves from certain viruses and will limit the spread of viruses through Outlook, viruses are an industry-wide problem that can affect any application on any platform. We'll continue to work very closely with the experts in this field, the anti-virus community, to fight viruses and to continue educating users on how they can protect themselves.