Microsoft patches to fix Outlook’s virus vulnerability

Reacting to the global devastation caused by the Philippines-originated Love Bug virus, Microsoft plans to offer two new security features for its Outlook e-mail program to help prevent future virus attacks on computer networks. But critics said that one of the two solutions is so unrealistic that many companies won’t even bother activating it. Microsoft said it will offer a software patch next week that will alert computer users when an e-mail message attempts to send itself to other people listed in a user's e-mail address book. The Love Bug virus spread by sending copies of itself to other people in the user's e-mail address book, a document that is automatically compiled by the Outlook application. This feature contributed to the spread of the virus to some 45 million computers worldwide.

Analysts say that this patch would help reduce the spread of virus attacks. "It kills the No. 1 mechanism used by viruses today,'' said Carey Nachenberg, a researcher with anti-virus software maker Symantec which helped Microsoft develop the patch. The second fix from Microsoft, however, is not likely to be as readily accepted as it prevents Outlook from receiving e-mails that come with a piece of "executable code'' attached to the main message.

Many legitimate personal and business e-mail messages contain legitimate executable code. Analysts said they don’t like the fact that the system administrator won’t be able to decide which types of executable files should be allowed through. Also, once the patch is installed, users will have a hard time turning it off.

Industry experts said that while useful, the Microsoft patches would not safeguard computer users against other broad virus attacks as clever virus programmers are likely to find new ways of getting around the patches. To date, Microsoft has done very little to safeguard against virus attacks through Outlook. Outlook is designed in such a way that it requires very little specialized knowledge in scripting to modify it, leaving it wide open to the kind of attacks perpetrated by the Love Bug. Over the last two years, Explore.zip, Melissa and other viruses had wreaked havoc on the industry by using simple scripts that would cause a virus-infected message to send itself to e-mail addresses listed in the Outlook e-mail contact lists.

Analysts said Microsoft’s change of heart is more likely a reflection of the pressure and public scrutiny the company is facing now, especially in view of the antitrust case. "This has been happening for a while, and it shouldn't have required a major worldwide outage to get to them to respond,'' said industry analyst Rob Enderle.