Microsoft's virus antidote: Ban attachments
By Joe Wilcox
Staff Writer, CNET
April 6, 2001, 9:35 a.m. PT

Is Microsoft making the cure worse than the sickness?

Responding to the rash of e-mail viruses that started with Melissa and I
Love You, the Redmond, Wash.-based company is clamping down on the types
of file attachments that will work with the newest version of its
Outlook e-mail software.

Outlook 2002, a new e-mail application included with Microsoft's
forthcoming Office XP business software suite due later this spring,
will by default reject more than 30 types of files sent as e-mail
attachments, according to company executives.

The files, deemed by Microsoft as most likely to be used by hackers to
transfer viruses, include some of the most common types, such as program
execution files, batch files, Windows help files, and Java and Visual
Basic scripting files. Also blocked are photo CD images, screensavers
and HTML application files, according to a list supplied by Microsoft.

Opponents to the plan say Microsoft will make it much more difficult to
share routine--and harmless--information via e-mail attachments.

Outlook 2002 doesn't block e-mail messages with appended restricted
files, but it will refuse to open or download restricted file types. In
a test conducted by CNET, Outlook 2002 rejected an .exe file,
Palm.exe, sent as an attachment to an e-mail message. An e-mail message
displayed on the e-mail recipient's PC read: "Outlook blocked access to
the following potentially unsafe attachments: palm.exe."

Outlook 2002 users can send the restricted files as attachments, but the
program will display the message: "Recipients using Microsoft Outlook
may not be able to open these attachments."

Microsoft's crackdown on e-mail attachments is not new. After the I Love
You virus outbreak, the company posted an Outlook 97 and Outlook 2000
security update that restricted access to some e-mail attachments. Late
last year, Microsoft also added the security update to the second Office
2000 service pack, which included a collection of bug fixes.

But in both cases, individuals and companies could choose whether to
apply the restrictive update. With Outlook 2002, Microsoft will compel
everyone to adopt the new security measure. The company also makes it
nearly impossible for individuals and very difficult for corporations to
disable the feature, which the company says is necessitated by the
threat the attachments pose.

"We felt that in order to provide a level of protection many of our
customers were asking for--as well as make sure that people became aware
of good e-mail protocols--we needed to take a bit of a harsher step,"
said Lisa Gurry, Office XP product manager.

But in taking that "harsher step," Microsoft also made the feature
difficult to turn off, offering the average user no simple or direct
means of disabling the function.

Gurry said that with so few people downloading the updates, "unless we
build something into the product, it's likely not going to protect

Band-Aid approach?

For companies offering tech support or for software developers--two
groups that routinely send e-mail files Outlook 2002 won't accept--their
jobs could get a lot harder. For everyone else, Microsoft insists e-mail
will be safer to use.

But some people question Microsoft's approach of blocking file access
from e-mail, arguing the company is not dealing with the real problem,
which is how certain file types affect both Outlook and Windows.

Matt Bishop, a computer sciences professor with the University
California at Davis, described Microsoft's solution as "a step in the
right direction." But Jay Goodwin, an Office user from Irvine, Calif.,
isn't so sure.

"I do suspect this is a Band-Aid to a much larger problem Microsoft
seems to have with regards to the security of their products," Goodwin
said. "As a friend of mine commented recently, 'I think this
hoof-and-mouth disease is the only virus that doesn't affect Outlook.'"

The problem has more to do with Windows than with Outlook, said Bill
Jaeger, applied research director for MetaSes, an Atlanta-based security
services firm and Meta Group affiliate.

"This is most certainly a Band-Aid for the greater security problems
inherent in Windows," he said. "The appropriate solution is for Windows
to not blindly run any content that looks like an executable."

Many Microsoft competitors do not take such a heavy-handed approach.
Qualcomm's Eudora, for example, does not restrict file attachments the
way Outlook 2002 will.

Scott Shuchart, a Eudora user from New Haven, Conn., believes "naive
users probably need all the protection they can get. I really am all for
limiting .exe forwarding so long as it doesn't break the product
(more) for the clueful." That, he added, is what Microsoft appears to be
doing with Outlook, which he described as "a hideous monstrosity."

Justified by the damage

The financial damage caused by viruses such as I Love You and Melissa
warrants taking such aggressive action, even at the cost of the user's
choice, Gurry said.

The original I Love You virus, which appeared in many mutations,
infected more than 600,000 computers and caused more than $2.5 billion
in damages.

Companies with Outlook attached to a server running Microsoft Exchange
would have some ability to adjust the default security settings, Gurry
said. But she would not go into detail about how that might be done.

"For businesses or small businesses that don't have that server option,
we're providing an additional option with Office XP you can choose to
turn off the attachment support," Gurry said. "But that's something we
don't recommend that people do."

In fact, Microsoft makes turning off the feature downright
difficult. Office XP users must physically edit the Windows Registry--an
internal database of Windows information--to turn off the attachment
restriction function. Microsoft makes it fairly easy to adjust other
security features in its products; for example, an easily accessible
control can be used to adjust how Internet Explorer responds to
potentially dangerous Web content.

Microsoft won't provide instructions on how to tweak the registry "until
Office XP is broadly available," Gurry said. Office XP is due to reach
store shelves May 31.

Security expert Richard Smith, who had a hand in uncovering the Melissa
virus' origins, believes Microsoft is taking tough action where it is

"I'm very supportive of it," he said. "I think it's socially
unacceptable to send executables around, even legitimate ones. This kind
of enforces that rule, and we'll kind of have to get used to it."

Smith sees a simple solution for people absolutely needing to send
executable file attachments: Compress the file using popular utilities
like WinZip.

"Us programmers are going to have to get used to zipping things up
first," he said. "It's called changing social behavior."

But Jaeger, in some ways, sees Microsoft's solution as dangerous.

"This doesn't solve the greater problem and simply leads to a false
sense of security," he said. "It's time for Microsoft to start curing
the problem, not treating the symptoms."

Bishop said he expects some controversy over Microsoft's handling of the
matter but doubts there will ever be a consensus on the approach.

"I don't think you'll be able to get people to agree on whether it's too
little or too much," he said.

||       | Stephen J. Cavrak, Jr.      [log in to unmask]
 |*     |  Assistant Director for
 |     /   Academic Computing Services Phone:  802-656-1483
 |    |    University of Vermont       Fax:    802-656-0872
 |   |     Burlington, Vermont 05405   North:  44o 28' 33"
 ----                                  West:   73o 12' 45"