Feeds

MS Love Bug patch catches flak

Upgrades all round before you can run it

  • alert
  • submit to reddit

Protecting users from Firesheep and other Sidejacking attacks with SSL

Microsoft's Love Bug patch for Outlook has already been criticised for being too drastic a solution, but now it's coming under fire from Gartner for both this and for the complexity involved in deploying it. After years of being abused for taking a cavalier attitude to security, now Microsoft is taking flak for getting the fix wrong.

Attacks like the Love Bug and Melissa used an attachment to replicate themselves by sending messages to all entries in the Outlook address book of the infected machine. The Microsoft patch, which will be generally available shortly, requires manual authorisation if any external application attempts to use the address book, and filters out a wide range of executables and shortcuts. This in itself seriously maims the intended functionality of Outlook (although you might think that's a good thing), but it seems that getting the fix to users could be troublesome.

For Office 2000 users, you'll first need to install Service Release 1, which is currently downloadable (and vast), but which isn't yet readily available on CD. If you're running Outlook 97 you have to upgrade to Outlook 98 first, which could also involve a lengthy download. So although it might sound like it's a trivial matter of running a patch, for network managers rolling it out will likely be a major upgrade headache.

Nor is the patch necessarily a good idea in the longer term. The default security settings block some of that nice functionality in IE, and although you can add file types to be blocked, you can't currently remove the types Microsoft has decided to block. Developers using ActiveX and JavaScript, not just Visual Basic, will be seriously inconvenienced by the patch, and PDA synchronisation (external access to address book, natch) will be messed up.

So don't install the patch? With developers and large customers already raging at Microsoft about it, it seems inevitable that a few months down the line, it'll be quietly buried and replaced by something more subtle. ®

Website security in corporate America

More from The Register

next story
Hey, Scots. Microsoft's Bing thinks you'll vote NO to independence
World's top Google-finding website calls it for the UK
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Apple CEO Tim Cook: TV is TERRIBLE and stuck in the 1970s
The iKing thinks telly is far too fiddly and ugly – basically, iTunes
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Huawei ditches new Windows Phone mobe plans, blames poor sales
Giganto mobe firm slams door shut on Microsoft. OH DEAR
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
OECD lashes out at tax avoiding globocorps' location-flipping antics
You hear that, Amazon, Google, Microsoft et al?
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.