News -- Beware the Briar Patch: Outlook's Latest Security Update
by Tom Syroid
Beware the Briar Patch
On June 7th Microsoft released their latest security update for Outlook. Like everything stemming from Redmond of late, it was controversial before it even hit the streets. Developers and users who worked with the pre-release code cried long and loud that the patch broke more than it fixed, and its implementation was a disaster. So in an uncharacteristic move, engineers delayed final release and went back to the drawing board--or so they told us. Unfortunately, whatever they retooled did little to resolve the update's implementation, and nothing to resolve any inherent controversies.
This patch is targeted specifically at limiting the spread of, and damage caused by, the recent rash of worm viruses. (The Melissa and ILOVEYOU variants are the most notable to date. For a summary of what worm/script viruses do and how they work, see the TechNet link at the end of this article.) The patch achieves this by:
Preventing the user from accessing specific types of file attachments.
Notifying the user when an external program attempts to access the Outlook Address Book.
Reconfiguring Outlook's default security settings.
The purpose of this four-part article is to guide you through the numerous complexities, contortions, and "gotchas" hidden under the covers of this update. In the final installment, I provide several recommendations gleaned from working with the patch on a daily basis, as well as feedback voiced by other testers who have come to similar conclusions.
There are two flavors of the latest Outlook Security Update: One for Outlook 2000, and one for Outlook 98. Make sure you get the right patch for the version you're running. If you are unsure, go to the Help menu and select About Microsoft Outlook. The top line of the dialog displayed gives you the product version and build number. See the Online Resources section at the end of this article for links to the appropriate downloads and several sources of documentation.
In addition, each variant of the update has its own unique personality when it comes to installation dependencies. And as you'll discover shortly, depending on which version of Outlook you're using, uninstalling the patch can vary from three mouse clicks to removing and re-installing the entire Office package.
There is no security update available for Outlook 97. To update Outlook 97 you must first upgrade to Outlook 98 and then apply the Outlook 98 Security Update, providing you can find a copy of Outlook 98. Microsoft initially offered the Outlook 98 update as a free download. When Outlook 2000 was released, however, the Outlook 98 update was withdrawn. If you have a copy of Outlook 98 on your shelf, guard it with your life--it's a valuable commodity.
The Outlook 98 patch is just over 8.3 MB, and has no prerequisites. Download it, double-click the file, and it installs. It's a good practice to close all running programs before you do any type of program update. At the very least, you'll be forced to close Outlook before the setup routine proceeds.
Finally, there's Outlook 2000. Why Microsoft chose to make applying the patch to this version so horrendously convoluted is beyond me. Before you can install the security update to Outlook 2000, you must first have the Office SR-1 (or SR-1a) update installed, which can range from 23 to 60 MB, depending on the Office suite you have on your system. (Don't be misled by the 134 KB size displayed on the Office SR-1 download page; that's just an installer stub.)
You will also need to have your original Office CD on hand for both the Office SR-1 update and for the Outlook SR-1 update. Read that again--that means the same CD that you used to originally install Office must be inserted in your drive before you can install the Office SR-1 update. And you will need this same CD to later update Outlook. In other words, the product code on your original installation CD must match the product code on the installed version before either update can be applied.
Once applied to Outlook 2000, the security update cannot be uninstalled. The only way to remove the security update from Outlook 2000 is to completely uninstall and reinstall Office. No, not just Outlook--the whole Office package. We'll come back to the procedure for this little adventure later.
WARNING: If you have any messages stored in Outlook containing attachments you might need access to at a later date, save them to disk BEFORE installing the update. Once Outlook is patched, attachment security is enforced on all Outlook items--new and existing. That means if you have a file attached to an archived item, you will no longer have easy access to it. (There are workarounds which I'll get to shortly.) This includes Journal entries, Calendar items, Task items, and Contact records.
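One way to act on the warning above before patching, as an added example that is not part of the original article: a Windows Script Host (VBScript) script that walks the default Outlook folders and their subfolders through the Outlook object model and copies every file attachment to disk. The output folder C:\OutlookAttachments and the choice of folders are assumptions; it also assumes Windows Script Host is installed and Outlook opens the profile that holds the items.

```vbscript
' Added example (not from the article): copy file attachments out of Outlook
' before the update is installed. Run with: cscript save-attachments.vbs
Option Explicit

Const OUT_DIR = "C:\OutlookAttachments"   ' assumption: any writable folder
Const olByValue = 1                       ' attachment stored inside the item

Dim fso, ns, saved, failed, id
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists(OUT_DIR) Then fso.CreateFolder OUT_DIR
Set ns = CreateObject("Outlook.Application").GetNamespace("MAPI")
saved = 0 : failed = 0

' Default folders (OlDefaultFolders values): Inbox 6, Sent Items 5,
' Calendar 9, Contacts 10, Journal 11, Tasks 13.
For Each id In Array(6, 5, 9, 10, 11, 13)
    SaveFolder ns.GetDefaultFolder(id)
Next
WScript.Echo saved & " attachment(s) saved to " & OUT_DIR & ", " & failed & " failed"

Sub SaveFolder(folder)
    Dim i, j, n, itms, itm, att, target, subFolder
    Set itms = folder.Items
    For i = 1 To itms.Count
        Set itm = itms.Item(i)
        n = 0
        On Error Resume Next           ' some item types expose no Attachments
        n = itm.Attachments.Count
        On Error GoTo 0
        For j = 1 To n
            Set att = itm.Attachments.Item(j)
            If att.Type = olByValue Then
                ' Sequence prefix keeps same-named files from overwriting each other.
                target = OUT_DIR & "\" & Right("000000" & (saved + failed + 1), 6) & "_" & att.FileName
                On Error Resume Next
                att.SaveAsFile target
                If Err.Number = 0 Then saved = saved + 1 Else failed = failed + 1
                Err.Clear
                On Error GoTo 0
            End If
        Next
    Next
    For Each subFolder In folder.Folders   ' recurse into user-created subfolders
        SaveFolder subFolder
    Next
End Sub
```

Embedded items and OLE objects are skipped by the `olByValue` check; archive or personal folder files that are not open in the profile are not visited.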
Don't miss parts 2 through 4 of Tom Syroid's series, "Beware the Briar Patch," which we'll publish over the next three days on oreilly.com.
In Part 2 Tom looks inside Outlook's new attachment security.
Online Resources
A good summary of what worm/script viruses do and how they work.
The Outlook 98 (SR-1) Security Update is available for download.
Information on customizing the Outlook 98/2000 Security Update (in an Exchange environment).
Tom Syroid lives in Saskatoon, Canada, and spends his days working as a systems consultant and freelance writer.