May 26, 2000 12:00 AM

Microsoft Criticized for Outlook Love Bug Patch; Changes Tune

Windows IT Pro
InstantDoc ID #8856

In the wake of the Love Bug virus debacle, Microsoft had announced a new Outlook patch that the company initially planned to release on the Web during the week ending May 26. The intent of this patch was to prevent automated access to the Outlook Address Book and prevent users from opening any executable file received as an attachment or any hyperlink that might lead to an executable file.

The response from users and analysts alike was negative, and Microsoft has changed its plan to accommodate the criticisms. The company announced late Wednesday, May 24, that it will delay the Outlook patch until the week ending June 2. Microsoft now plans to include the ability to modify the list of restricted files.

Many users criticized Microsoft for overkill. In the words of one anonymous posting, "That's like killing a moth with a sledgehammer." Many users send Visual Basic (VB) scripts, executables, batch files, and hyperlinks as part of their daily traffic. Microsoft's initial plan would have prevented any such action: Administrators could have added to the restricted files list, but not removed any files from it.

GartnerGroup analyst Chris LeTocq quickly fired off a Gartner report, in which he attacked Microsoft for making its patch overly burdensome. He pointed out that the patch required users to install the full Office 2000 Suite, Service Release 1. He also argued that the requirement for manual user affirmation every time an application tries to access the Outlook Address Book would interfere with many programs, such as Personal Digital Assistant (PDA) synchronization programs. An IDC analyst pointed out that the patch would have killed many basic functions of Microsoft Internet Explorer, including JavaScript and VB script execution, and ActiveX calls.

Comments
  • Brad Shaffer
    12 years ago
    Jun 01, 2000

    Microsoft should include with Exchange Server the functionality to filter out certain file types at the Internet Mail Connector. This could be strengthened further by delivering the message to an alternate mailbox and sending a message to the intended recipient stating that an e-mail was sent to you that contains a file that is a possible security threat to the company network. Please see your administrator for further information.
    By diverting that message to another mailbox, the company could create a policy that would force the administrator to virus check the mailbox, and also access it from a PC that has no network rights and the PC is a worthless computer so that no data could be damaged. Furthermore, whatever user ID logs on to that mailbox where the possible virus is stored, that user's permissions should only have the ability to read messages and not send messages so that the virus could not be spread through e-mail.
    I am sure Microsoft is doing something like this internally because I called them and their tech support said they were, but I had to call their per incident support and pay $250 to find out how.

  • Sue Mosher
    12 years ago
    May 30, 2000

    1) "Microsoft now plans to include the ability to modify the list of restricted files."

    This ability will be there, but only as an administrative tool. Individual Windows NT and Windows 2000 users will not be able to remove file types from the list of restricted files.

    2) "Many users send Visual Basic (VB) scripts, executables, batch files, and hyperlinks as part of their daily traffic."

    Hyperlinks, yes. Executables, maybe. Scripts and batch files as part of the daily traffic of many users, hardly.

    3) "An IDC analyst pointed out that the patch would have killed many basic functions of Microsoft Internet Explorer, including JavaScript and VB script execution, and ActiveX calls."

    Simply not true. The Outlook patch was never designed to have any effect whatsoever on any functionality of Internet Explorer itself.

    4) The author (along with many other writers, to be fair) completely misses the most important feature of the revised patch. From the Microsoft Office Update page at http://officeupdate.microsoft.com/2000/articles/Out2ksecOrg.htm

    "Organizations using server-based security can customize certain components of the update to meet their specific security needs. For example, administrators can add or remove file types from the attachment lists (the Level 1 and Level 2 security file lists), the Outlook Object Model warning notifications, and the user or group security levels for all components of this update."

    Being able to modify the restricted file type list is trivial compared with being able to alter the behavior of the Object Model Guard. In the patch as originally announced, the object model restrictions would have guaranteed that a large percentage of third-party and in-house Outlook applications would either stop working completely or have their functionality severely impaired. The changes announced mean that administrators can decide whether to allow unrestricted access to certain automation functions that their Outlook-dependent applications require. In other words, those applications won't be crippled by the patch if administrators decide to allow access to certain object model features.

  • Thomas Gonzalez
    12 years ago
    May 26, 2000

    Being in the military and running an NT LAN that contains two Exchange Servers 5.5, this article was helpful. I always look forward to reading and keeping up with Exchange Server articles and FAQs. I did hear several people in the Military's Information Systems Department discussing this patch. However, they appeared to rely on the first type of information released is the best and most reliable for their Military sites, without doing extensive research that requires planning and testing before the deployment. This particular article allows me to discuss the information with my superiors and will allow them to provide adequate answers to their superiors. Thanks for the article and look forward to hearing about the June release of this patch.

  • Rajko Bogdanovic
    12 years ago
    May 26, 2000

    I'd agree with comments related to installation of this fix. It also seems to be very radical. Maybe allowing users to select which options to enable/disable would be a more natural approach. On the other side, most users know very little about computers and Outlook itself and would find these options too much. They just want their "thing" to work.
    I think the answer lies more in educating and instructing users on what and how to do things.
    Microsoft has gone a long way to create such a powerful tool. A lot of things users frequently do seem to happen so easily in Outlook. Why take that away? Teach them what viruses do and how to defend themselves from them. That's a much better fix than any.
    In my opinion, Outlook is a target of malicious attacks these days only because it's so user friendly and so popular. Other applications of this sort should actually be worried that "geniuses" didn't make a virus version for their applications as well.

    Thank you.

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.