Outlook Email Security Update Now Available

REDMOND, Wash., June 8, 2000 — As many computer users were recently reminded, the information superhighway that has increased job productivity and improved global communications still contains a few potholes. Viruses, such as the so-called
“I Love You”
virus that infected computers worldwide in May, has renewed many users’ interest in computer security and how they can protect themselves from malicious viruses.

Shortly after the
“I Love You”
virus affected Outlook users, Microsoft furthered its commitment to computer security with the announcement of a significant security update to its Outlook email program that will help protect users from many malicious viruses. Today, that update is available via Microsoft’s Office Update Web site, and Microsoft strongly recommends that Outlook users install this update ( http://www.officeupdate.com/ ). During the development of the update, Microsoft incorporated feedback from customers, partners, and security industry experts to add customization features to the update.

Steven Sinofsky, senior vice president of Microsoft Office, spoke with PressPass about the update, how it works, and the challenge of protecting Office users against computer viruses.

The new update will not prevent malicious hackers from creating viruses, Sinofsky said, but it provides
“an unprecedented degree of security for computer users.”

“With this update,”
he told PressPass,
“Outlook will be a substantially more secure email application.”

PressPass: What types of viruses will Microsoft’s new Outlook Email Security Update prevent?

Steven Sinofsky: It will help thwart the spread and impact of many computer viruses that are sent through email, such as the
“Melissa”
and
“I Love You”
viruses. The update will prevent most viruses that are spread by executables – or programs that run automatically – that are sent as email attachments. The update will also greatly decrease the spread of
“worm”
viruses, which spread by entering an email application’s address book and mailing themselves to address book recipients.

PressPass: How does the update work?

Sinofsky: The update provides four key benefits for Outlook users. First, it prevents users from accessing potentially unsafe email attachments, such as those that can run executable content. Virus writers have become very sophisticated and have made it very difficult for users to know if an email attachment is safe. This feature takes the guesswork out of knowing whether an attachment is safe or not.

Two other features should greatly diminish the spread of worm viruses by warning users before they unknowingly spread a virus via email. If a program tries to access your Outlook Address Book, you will be notified by a dialog warning box and given the choice to let it access your Outlook Address Book.
“No”
will be the default option. Owners of Pocket PCs and other personal digital assistants such as Palm Pilots, or who have other legitimate uses, will be able to select
“Yes.”
The update also warns you by a dialog warning box if a program is trying to send email on your behalf. You will have the option to let the program send email on your behalf, because there are legitimate business scenarios where this is useful, but the default answer is
“No”
. This will help curb the spread of certain viruses by putting users in control of their desktop. With worm viruses, people usually don’t know they are sending an infected email to 500 of their closest friends. This update puts customers in control of their address books and of programs that attempt to send mail on their behalf.

The fourth feature increases Outlook security protections by changing your Internet security setting within Outlook from
“Internet”
to
“Restricted”
zone. This disables most automatic scripting and ActiveX controls. Active scripting will also be disabled in the Restricted Zone by default.

The features within the security update will reduce some functionality and ease of use within Office, but in exchange will provide extra security – a step that we believe is necessary to help further protect our users. Our Office Update Web site has screenshots that show how this update works ( http://www.officeupdate.com/ ).

PressPass: When and how will the update be available?

Sinofsky: The update is available today and can be downloaded free of charge from Microsoft’s Office Update Web site.

PressPass: This seems like a big step for Microsoft to take. How did you decide to provide higher security at the expense of functionality?

Sinofsky: By design, Outlook is a flexible and extensible product that millions of customers rely on every day. In today’s growing environment of cyber terrorism, all software products must carefully balance security and functionality, and we believe that we should now provide stronger security options for our customers.

PressPass: What type of functionality is limited by this update?

Sinofsky: The update limits some of the flexibility and functionality of Outlook, but provides a powerful security safeguard for our customers. Anyone who commonly sends potentially unsafe email attachments will no longer be able to send these attachments via email. However, there are options for sharing these types of attachments, such as file shares, Intranets, the Internet, or online hard drives. Customers who rely on automated solutions or custom applications may also be affected. Some third-party applications, like synchronization software, may also be impacted. Most of the impact to the customer will be related to changes in behavior – such as having to answer
“Yes”
or
“No”
to the warning dialog boxes. We have a detailed list of impacted functionality on our Web site at http://www.officeupdate.com/ . It is important to understand that our goal was to ensure that customers remain in full control over access to their email functionality.

PressPass: What about perceptions that Outlook is more vulnerable to viruses than other email applications. Is that true?

Sinofsky: No. Viruses can be written to run on any email application on any platform. However, Outlook has been a target of past viruses, because virus writers are intent on affecting the greatest number of users. Because of Outlook’s popularity, Microsoft has taken unprecedented steps to ensure it is a very safe email application. With this update, Outlook will be substantially more secure.

PressPass: If Microsoft can create an update now to help prevent further vulnerability to viruses, why weren’t these security measures built into Outlook in the first place?

Sinofsky: We face the same challenge as the anti-virus software vendors. We never know what product or platform virus writers will attack next. Just as anti-virus makers can’t create virus updates before a virus hits, it is difficult for software makers to provide an update for our products until we know what the hacker community is targeting.

We have been building new security measures in Office over time to help protect customers’ data: Office 97 provided users the ability to disable macros; Office 2000 allowed for automatic disabling of unsigned macros, digital security signatures for macros, increased email encryption protections, and security settings in Outlook, which restricted how certain attachments were run; and the Outlook 2000 Email Attachment Security Update warned users explicitly about opening attachments as well as forcing users to save the attachments to their hard drives before opening.

We’ve learned from the recent damaging virus attacks that we need to offer even stronger security safeguards, which is why we’ve taken such a significant step with the Outlook Email Security Update. Even though it will limit some functionality in Outlook, we believe it’s necessary to provide additional security options to help our customers protect their data. It’s an unprecedented step for us to reduce functionality, but we feel that it’s the right thing to do for our customers.

PressPass: What type of customizations did you make to the update since you originally announced it?

Sinofsky: We have added administrative options to the update for organizations that rely on server-based security settings, thus enabling customization without sacrificing a high level of security. Administrators will be able to choose which attachments cannot be accessed or must be saved to a hard drive before opening. They will also be able to choose when and if the warning dialog boxes appear.

PressPass: Why did you choose to make these customizations?

Sinofsky: Our goal with this update was to provide a very significant security update that would help guard against virus attacks. Since we announced this update, we’ve been working very closely with customers, partners, and industry experts to gather feedback on the update to ensure we provide the best implementation of security and functionality with Outlook. We’ve listened to our customers and partners and are providing additional functionality for specific organizational needs without compromising security.

PressPass: By offering these customizations, are you opening the door for potential hackers?

Sinofsky: The administrative options rely on the security settings of servers, enabling customization without sacrificing a high level of security. If server-side security is not available, the update cannot be customized.

PressPass: So, end-users cannot customize the update?

Sinofsky: Correct. Only organizations with server-side security can customize the update. This is the only way we can ensure the appropriate level of security.

PressPass: It seems computer viruses are getting more destructive and spreading more quickly? Why?

Sinofsky: Hackers are getting more sophisticated and making it very difficult for you to tell if an email message contains a virus. Increased use of computers and the Internet also increases the potential number of victims and the damage viruses can inflict.

PressPass: Who is to blame for computer viruses: hackers, software makers, or computer users?

Sinofsky: Hackers. By definition, their intent is to create malicious viruses that inflict harm on computer users. But software companies, anti-virus vendors and customers must work closely together to prevent the spread of viruses and to fight the hacker community. Microsoft continues to provide updates for its products to make it much harder for viruses to spread through Outlook and Office. With each version of Office we’ve provided additional security for users, and this new update provides an unprecedented level of security for computer users.

PressPass: Bill Gates recently called on members of the high-tech industry to work together to enhance computer security. Is this problem one that can only be solved by an industry-wide effort?

Sinofsky: It definitely requires an industry-wide effort among the anti-virus vendors, computer software makers, like Microsoft, and also computer users, who must stay educated, keep their products updated and follow safe computing practices.

PressPass: How do your partners and customers feel about this update?

Sinofsky: We’ve worked really closely with our partners and customers to develop this update and incorporated a lot of their feedback. While this update will require modifications from some of our partners and customers, overall, they’re very pleased that we’re taking such a strong stance for security. Like us, they want to help ensure their data and their customers’ data is secure.

PressPass : What directions will Microsoft take in the future to enable both extensibility and security?

Sinofsky : We must continue to balance Office’s openness, flexibility, and extensibility with the increasing need for security. Some have criticized the extensibility in Office, but the extensibility in Office is used by millions of people to provide a wide range of customizations for everyone from students and teachers, to small business owners, to large corporations, and for tasks ranging from managing student grades, writing a screenplay, financial models and conversions, to large scale automated business processes. In addition, this extensibility is used by hundreds of ISVs to support a wide range of functionality from document management, to wireless email, to virus checking, or for universal design or customization for power users. It is our intent to continue to improve the extensibility model in Office to provide customers and ISVs with the continued support for customizing and enhancing Office, while doing so in a much more secure manner.

PressPass: How important is customer education to preventing viruses?

Sinofsky: Very important. If folks hadn’t opened up the attachment for the
“I Love You”
virus, it wouldn’t have spread. Many of these viruses rely on users to open an attachment. We’re helping to make this an easier process by taking the guesswork out of email attachments and notifying you when a program is trying to access your Outlook Address Book or send email on your behalf.

PressPass: What tips would you give to computer users to prevent viruses?

Sinofsky: Always make sure you have anti-virus software running and that it is up to date. Ensure you have the latest product updates, such as the Outlook Email Security Update that is available today. We encourage you to sign up for the Auto Update Email Notification service on our Office Update Web site, so you can be notified when we post future updates. You should also practice safe computing practices, such as being very careful when opening email attachments.

PressPass: Will there be a day when computer viruses are eradicated or impossible to transmit?

Sinofsky : Likely not. It’s a social phenomenon, like any other type of crime. Malicious hackers intent on causing harm to people will always look to exploit technology to inflict damage. Just as people have learned to lock their doors at night, users must learn how to protect their computers and their data. We must consider viruses a new form of terrorism – one that occurs in cyberspace – and work together to fight it.