In this article, we’ll discuss the new update for Microsoft Outlook, which provides extra security measures to protect e-mail clients from viruses such as ILOVEYOU and Melissa. However, the extra security that it provides comes with a price, as I’ll explain.

Added security features

The Outlook security update divides attachments into two levels: Level 1 (Unsafe) and Level 2. Any attached file in Level 1 is inaccessible if you use a version of Outlook that has the security patch applied to it. When you receive a Level 2 attachment, you are prompted to save it to a disk; you cannot open the attachment from within the message. By default, no file extensions are associated with this group, but you can add file extensions to the Level 2 list.

The extra security that the update provides is as follows:

• The update prevents users from accessing certain file types when they are sent as e-mail attachments. Executables, batch files, and other file types that contain executable code, such as .vbs, .bas, .js, .lnk, and .pif are included. Other file attachments must be saved to disk before they can be used.
• If you forward an e-mail message with an “unsafe” attachment, the attachment is not included in the forwarded message.
• If you send an e-mail message that contains an “unsafe” attachment, you receive a prompt that says other Outlook recipients will not be able to access the attachment that you are trying to send. You can either disregard the warning message and send the mail anyway, or you can choose not to send it.
• If you save an e-mail that contains an “unsafe” attachment, you receive a warning message that says you will not be able to access the attachment from Outlook. If you wish, you can override the warning message and save the mail.
• You cannot open “unsafe” files that have been directly stored in an Outlook or Exchange Server folder. Although these files are not attached to an Outlook item, they are still considered “unsafe.”
• A component called Object Model Guard prompts users with a dialog box when there is an attempt to access their Outlook Address Book or send e-mail on their behalf by an external program.
• This update also affects Internet Explorer by increasing the default security settings in the Internet security zone from Internet to Restricted Sites. Active scripting is also disabled.

Installation

You can download the update for free from the Microsoft site at http://www.microsoft.com/downloads. The name of the file, by default, will be Out2ksec.exe. Once the update is downloaded, the installation is pretty straightforward and should run for you without problems. Computers running Microsoft Office 2000 also require that SR1 for Office 2000 be installed prior to running the Outlook update.

Once you have installed the update, various Outlook features and programs that integrate with Outlook cause a prompt to appear that asks you to confirm the action. You must confirm each action for the feature to work. The update may also have an impact on the interaction of some third-party software programs with Office. Note that Microsoft does not provide uninstall functionality with the Security Update–the only way to remove it is to remove the entire Office suite and then reinstall.

Usage

For the most part, you will use Outlook the same way you always have. When you receive messages that contain attachments that cannot be accessed, your Inbox will display the paper clip in the attachment column letting you know that the message has an attachment. Upon opening the message, you will get a dialog box indicating that the attachment is unavailable. You will also lose the Save Attachments command and the View Attachments command from the File menu and shortcut menu.

A message with multiple attachments will only allow the safe attachments to be accessed; the unsafe messages will not be accessible. Any messages that are not affected by the update will appear as they always have.

Attachments that are considered safe will display the warning shown in Figure 1 when accessed. You will be allowed to save these attachments to disk and view them from outside of Outlook. If you send an e-mail with an attachment, the update will check it too. If the attachment’s file type is on the list of restricted files, you will receive a warning that other Outlook users may not be able to access the attachment. You will be prompted to choose whether you still wish to send the message. If you choose Yes, the message will be sent. If the recipient has the update installed on his system, the attachment will be inaccessible to him. Choosing No will prevent the message from being sent and will give you the opportunity to edit it.

Figure 1: Safe attachments display this warning.

To remove an “unsafe” attachment from an e-mail message so that the attachment does not use more storage space than necessary, you can forward the message to yourself. The forwarded message will not contain the attachment. Once you have received your message, you can delete the original to reclaim the storage space.

Customizing the update

If the security update is too restrictive for your environment, it is possible to disable almost all aspects of the update by re-enabling the disabled file extensions. An alternative to re-enabling extensions is to move file extensions from the Level 1 list to the Level 2 list; doing so will preserve the warnings for opening an executable file. Additional information about customizing the update can be found at Customizing the Outlook 98/2000 E-mail Security Update.

Preventing unauthorized sending of e-mail

One of the more devastating features of the ILOVEYOU virus was its denial of service. The virus was able to propagate so rapidly because it sent messages to everyone in the Address Book, thereby creating a load on the e-mail server that prevented it from processing official business. The Outlook update prevents programs from accessing your Address Book or Contacts list, and from sending messages on your behalf. Instead, Outlook will prompt you for your permission before distributing e-mail.

This feature works by opening a dialog box when it detects a program trying to access your Address Book. You can answer No to prevent the program from accessing your Address Book, or you can select the Allow Access For checkbox and specify an amount of time up to 10 minutes.

Whether or not you choose to install the update, it is important to have a good virus protection application in place, to keep the virus definitions up-to-date, and to make sure that your users are aware of the consequences of opening attachments. If your company has been hit hard by the recent rash of viruses, it may be worth your while to implement this update. Unless you are using a program that can distribute software, such as Microsoft’s Systems Management Server (SMS), you must go to each computer individually to install the update–which can take a lot of time. You must decide whether the investment of time now will be useful in the long run. //

Troy Thompson, MCSE+Internet, is a freelance consultant in the Louisville, Ky., area.