Users, security experts focus on Microsoft


Outlook: stormy security

Users, security experts focus on Microsoft in wake of latest virus attacks

By Scott Berinato, Dennis Fisher and Roberta Holland

May 15, 2000 8:44 AM ET

IT managers and security experts, increasingly cynical and sharply critical over virus assaults through Microsoft Corp.'s Outlook e-mail client, are questioning not only Microsoft's technology but also its reaction to the latest attacks.

The ILoveYou virus and its many derivatives, which numbered 29 by the end of last week, sent more than a warning about IT's need to update anti-virus software and educate users about attachments. Now, many administrators are focusing their discontent on Outlook's technical design and its tight integration with Office applications and Windows, which exposes code such as Visual Basic Script to hackers and users alike.

"If we didn't already have [Outlook] installed, I don't think I'd get it now," said an IT manager at a large East Coast publishing company who requested anonymity. "We had to shut down our Exchange server for an entire day, then go around to each individual PC and clean them up and bring them back online after hours."

"It really makes you think [about using] something that wouldn't be as affected [by viruses] as Outlook," said Adam Miller, network administrator for MyHelpdesk.com Inc., of Norwood, Mass. MyHelpdesk had to shut down e-mail servers during the latest virus outbreak.

For some, Microsoft's refusal to help defuse Outlook's ticking VBScript bomb is more disconcerting than the attacks.

"[Microsoft's] approach is to provide users with a lot of functionality, [but] the more functionality ... the more vulnerable it's going to be," said Randy Bachman, director of security for e-services provider Acuent Inc., in Parsippany, N.J. Bachman questioned the need for the type of Windows integration that exists in Outlook, when fewer than 1 percent of users would need VBScript, on which the virus preyed, he said.

Security experts said they believe Microsoft, of Redmond, Wash., should take more responsibility for the threat of VBScript-borne viruses. It had more than a year to react after last March's Melissa virus but did nothing to prevent the recent rash of similar viruses, they contend.

"They [Microsoft] have integration as a default, they have permissiveness as a default. The OS assumes that every application is trusted and gets complete control," Bruce Schneier, chief technology officer and founder of Counterpane Internet Security Inc., of San Jose, Calif., said in an interview at NetWorld+Interop in Las Vegas last week.

Shimon Gruper, executive vice president of the Internet security unit at Aladdin Knowledge Systems Inc., said the inherent vulnerabilities of the Microsoft technology likely mean that virus attacks such as ILoveYou will continue.

"The tools are very open for everybody to write new executable programs," Gruper said from his office in Haifa, Israel. "However, there is no security built in."

Just shutting off the scripting language may not be the simple answer. Because of tight integration, Gruper noted that if companies try to disable VBScript to avoid problems, users could have difficulty logging in to their corporate network.

Microsoft officials maintain that the scripting code is a feature users desire.

"Customers have asked Microsoft to include this functionality in its products because of the increased flexibility, customizability and extensibility scripting can provide," said Microsoft Office Product Manager Lisa Gurry via e-mail. "Every operating system is capable of running scripts, and viruses can be written for any application or platform."

Microsoft executives refused to acknowledge that Outlook was the specific target of both Melissa and ILoveYou. Chairman and Chief Software Architect Bill Gates chose to make light of the situation in his N+I keynote. "Recently I've been getting a lot of mail that says 'I love you,'" Gates joked. But he made no further references to the virus while talking about the need for users to improve their security measures.

Still, a massive overhaul of e-mail clients is unlikely in the face of the Love bug, for a variety of reasons, including a need to retrain users and heavy financial investments in Microsoft products.

"[Outlook] is definitely susceptible [to attacks], but I don't think this was a big enough scare to have a company meeting and say we need a change," MyHelpdesk.com's Miller said.

http://www.zdnet.com/eweek/stories/general/0,11011,2568965,00.html



-- Martin Thompson (mthom1927@aol.com), May 15, 2000

