Slipstick Systems Outlook and Exchange Solutions Center

Exchange Messaging Outlook
Volume 5, Number 2

Today's highlights:
  • Most dangerous variant of VBS/Loveletter yet
  • Outlook Email Security Update
  • Should you install this patch?
  • Is this update enough?
  • Developer resources for the update
  • Protecting Outlook 97
  • Outlook 2000 Attachment Security Patch installation error
  • Office 2000 Service Release 1a
  • The U.K.'s Big Number revisited

Regular features:

  • New Slipstick site features
  • New utilities
  • Updated utilities

Most dangerous variant of VBS/Loveletter yet

A new variant of the VBS/Loveletter virus is loose today. Officially dubbed VBS.NewLove.A or VBS.Loveletter.FW.A, this virus disables Windows systems by replacing all files not in use. Like Loveletter, it propagates through Microsoft Outlook, but only if an unwitting user runs the VBScript .vbs file payload. It uses randomly chosen attachment names and subject lines to try to disguise itself in the e-mail messages it sends. These pages from anti-virus tool vendors have more information:

Anti-virus tool vendors should have updates available. You may also want to review our Outlook anti-virus protection recommendations at http://www.slipstick.com/outlook/antivirus.htm.

Outlook Email Security Update

Microsoft plans to release a patch for Outlook 98 and Outlook 2000 (with the Office Service Release 1 update) next week that will disable many of the features that allowed the VBS/Loveletter (aka ILOVEYOU) virus to spread so quickly. The new patch will make it impossible to open program files in Outlook -- including executable .exe files and VBScript .vbs files like those that spread Loveletter.

The optional patch is also aimed at making it more difficult for a virus to use Outlook to transmit itself via e-mail. However, this "Object Model Guard" feature, as described on Microsoft's web pages, will break some Outlook functions. In other cases, a user will need to authorize access by outside programs, including tools for synchronizing with PDAs such as the Palm or Windows CE devices.

Microsoft has posted extensive information on this patch for users, administrators and developers, starting at http://officeupdate.microsoft.com/2000/articles/Out2ksecarticle.htm. Our own page on the patch at http://www.slipstick.com/outlook/esecup.htm offers additional information and will include details on what utilities are affected by the patch.

Should you install this patch?

We urge a very cautious approach, particularly if you depend on applications that automate Outlook. There will be no removal process for the Outlook Email Security Update, and no way to invoke only a subset of its security features. If you install it and find that it cripples essential features or other critical applications, the only way to remove the update is to remove and reinstall Office.

For normal standalone Outlook users who don't automate Outlook with code, this patch may be a good tradeoff between additional security and the inconvenience you might suffer in having to click the warning when you synchronize with a PDA or web storage site.

Power users who automate Outlook with code or use various Outlook add-ins should not install this patch until they have evaluated its possible effects on their add-ins and code.

If you depend on Outlook Net Folders to share information, this update apparently will break that feature.

Corporate administrators must carefully evaluate whether to roll out this patch. It could potentially affect both mission-critical Outlook add-ins and ad hoc, undocumented applications created by individual users. You will also want to make sure the help desk is prepared to handle calls from users wondering what happened to file attachments in existing items, since the update hides these, too, not just attachments in new messages.

Microsoft should have divided this update into two installations -- one to provide the long overdue improvements in attachment and scripting security (none of which are rocket science), leaving the Object Model Guard in a separate patch. Given the increased attachment and scripting security, the Object Model Guard is overkill in many instances. It's too restrictive. The end result may be that many organizations that could benefit from the attachment and scripting security features will not install this update, because they cannot afford to cripple their Outlook-based applications or hurt user productivity by forcing users to click repeatedly through dialogs popped up by the Object Model Guard.

Is this update enough?

One of the features of the Outlook Email Security Update is to move Outlook security to the Restricted Sites zone. Also, in Outlook 2000, it disables all scripting in HTML mail, even though you won't see anything in Outlook to confirm that (other than scripts in mail messages not running). In Outlook 98, however, you may need to apply certain updates to Internet Explorer or customize the security settings to disable all scripting. Otherwise, you may be vulnerable to malicious code that takes advantage of ActiveX controls that are mistakenly marked "safe for scripting." See http://www.slipstick.com/outlook/antivirus.htm and http://www.slipstick.com/outlook/htmlmail.htm for details.

The latest HTML mail vulnerability patch affects only Outlook 2000. See http://officeupdate.microsoft.com/2000/downloadDetails/Uactlsec.htm for details and the download link.

Furthermore, you may want to extend the protection afforded by the Outlook Email Security Update to other types of files. Restricted files (classified as Level 1) -- such as .exe or .vbs files -- are not visible in Outlook at all. For Level 2 files -- such as .zip files -- Outlook does not allow you to open them directly; you must first save these files to disk. You cannot remove file types from either the Level 1 or Level 2 list. However, you can add file types to either list with a registry entry. For example, you might want to add Word .doc or Excel .xls files to the Level 2 list so that these files must be saved to disk before you can open them. These pages provide details on the file types subject to either Level 1 or Level 2 restrictions and how to restrict access to other file types:

  • http://officeupdate.microsoft.com/2000/articles/out2ksecFileTypes.htm
  • http://officeupdate.microsoft.com/2000/articles/Out2ksecAddFile.htm
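
A small model of the Level 1 / Level 2 handling described above, as an added example (not Microsoft's or Slipstick's code). The base lists hold only the extensions this article names, the class and function names are hypothetical, and letting Level 1 take precedence when an extension sits on both lists is an assumption.

```python
from email.message import EmailMessage

# Only the extensions this article names; the real lists are longer.
BASE_LEVEL1 = frozenset({".exe", ".vbs"})   # hidden in Outlook
BASE_LEVEL2 = frozenset({".zip"})           # must be saved to disk first

def _norm(ext):
    ext = ext.strip().lower()
    return ext if ext.startswith(".") else "." + ext

class AttachmentPolicy:
    """Hypothetical add-only model: entries can be added, never removed."""

    def __init__(self, add_level1=(), add_level2=()):
        self.level1 = BASE_LEVEL1 | {_norm(e) for e in add_level1}
        # Assumption: Level 1 wins if an extension ends up on both lists.
        self.level2 = (BASE_LEVEL2 | {_norm(e) for e in add_level2}) - self.level1

    def classify(self, filename):
        # Windows ignores trailing dots and spaces, so drop them before
        # looking at the extension; only the final extension counts.
        name = filename.rstrip(". ").lower()
        dot = name.rfind(".")
        ext = name[dot:] if dot != -1 else ""
        if ext in self.level1:
            return "hidden"
        if ext in self.level2:
            return "save-to-disk"
        return "open"

def triage(msg, policy):
    """Map each attachment filename in an EmailMessage to its handling."""
    return {part.get_filename(): policy.classify(part.get_filename() or "")
            for part in msg.iter_attachments()}

def sample_message():
    """Constructed message with constructed attachment names."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    for name in ("notes.TXT.VBS", "archive.zip", "budget.xls", "setup.exe", "readme.txt"):
        msg.add_attachment(b"x", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    policy = AttachmentPolicy(add_level2=["doc", ".XLS"])
    for name, action in triage(sample_message(), policy).items():
        print(f"{name:15} {action}")
```

With `.doc` and `.xls` added to Level 2, the spreadsheet moves from "open" to "save-to-disk", while the double-extension `.VBS` file stays hidden because only the final extension is considered.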

Developer resources for the update

The Object Model Guard feature affects applications that use the Outlook object model or the Simple MAPI API to send mail or work with addresses. Many such applications may no longer function at all. Programs based on Extended MAPI should not be affected. Also, VBScript code on unpublished Outlook custom forms will not run. If the form is not published, users will no longer see an Enable/Disable Macros prompt. Instead, the form will simply open without the code behind it running.

See http://officeupdate.microsoft.com/2000/articles/EmailSecOM.htm for a summary of the object model changes.

Microsoft is providing a beta version of the patch to developers so that they can test their applications against the update. Independent software vendors (ISVs) are urged to register with Microsoft, which is maintaining a list of links to ISV home pages to make it easier for users and administrators to get information on program capability. See http://officeupdate.microsoft.com/2000/articles/o2ksecISV.htm to download the beta update and register.

Also, we would like to urge developers to contact us at Slipstick Systems so that we can update your application listings in our Utilities section to provide information on compatibility with this patch. Contact us at mailto:olpatch@slipstick.com.

Protecting Outlook 97

Microsoft will offer the Outlook Email Security Patch only for Outlook 98 and Outlook 2000 SR1a. According to Microsoft, no patch is available for Outlook 97 because Outlook 98 was offered as a free download and many previous Outlook 97 users have already upgraded to Outlook 98 or Outlook 2000.

If you're using Outlook 97, see http://www.slipstick.com/outlook/antivirus.htm for our recommendations on what you should do to protect your machine from Outlook-related viruses.

Outlook 2000 Attachment Security Patch installation error

We've discovered that the earlier Outlook 2000 Attachment Security Patch, released several months ago, does not always install properly, yet does not display any error message if it fails to install. To make sure it installs, have the Outlook/Office 2000 CD in your CD drive when you run the patch setup (or have access to your network if you installed Outlook from a network drive). Check the version number after installing the patch. If it is at least 9.0.0.3011, you are protected from being able to run certain types of files from within Outlook. For more information, see http://www.slipstick.com/addins/utilities/attsecup.htm.

Office 2000 Service Release 1a

Office 2000 Service Release 1 (SR1) includes an updated version of the attachment security patch that adds VBScript .vbs files to the protected list. Microsoft has posted an updated version of SR1 to resolve problems encountered on computers that had been upgraded from Windows NT to Windows 2000. If you already have SR1 installed and did not perform such an operating system upgrade on your system, you do not need to download SR1a. See http://officeupdate.microsoft.com/2000/downloadDetails/O2kSR1DDL.htm for more details.

If you've been waiting for this fix before installing SR1, you may want to check our review of how it affects Outlook at http://www.slipstick.com/outlook/ol2000sr1.htm.

The U.K.'s Big Number revisited

We received a lot of mail about our piece in EMO last month about the changeover of dialing codes in the U.K. and what that means to Outlook users. As a result of the lively discussion, we've posted a new page at http://www.slipstick.com/config/ukbignumber.htm with more details and some thoughts on the differences between the way people in the U.K. view phone numbers and the way Outlook prefers to handle them.

New Utilities

AVG Anti-Virus System
http://www.grisoft.com/html/us_index.cfm

Scans system files and Outlook e-mail messages and attachments for viruses. Can also append a signature to mark that an outgoing message has been scanned for viruses and found clean. Free edition available.

EmU
http://www.emutech.com.au/

Content filtering tool that works with Exchange Server or any SMTP server. Web site also has valuable information on implementing an e-mail policy at your company.

ESTOS ProCall
http://www.estos.com/outltel/index.htm

Make calls to Outlook contacts and record incoming calls in the Outlook Journal. Displays caller names for incoming calls. Supports English, German and Italian.

Office 2000 UA Control Update
http://officeupdate.microsoft.com/2000/downloadDetails/Uactlsec.htm

Eliminates a security risk related to an ActiveX control that ships with Office 2000 and leaves web pages and HTML mail messages open to malicious code.

Office Email Merge
http://www.bnsgroup.com/bnsgroup/default.asp?region=US

Create personalized e-mail using Outlook contacts exported to Access. Supports HTML format mailings.

OutBack Plus
http://www.silverlaketech.com/products-outbackplus.asp

Utility to back up Outlook Personal Folders files, stationery, rules, signatures, Outlook bar settings, toolbar and menu customizations, etc.

Professional Quest
http://www.dipolar.com.au/index.htm

Generate survey forms for paper, disk, web or e-mail delivery and link results back to Outlook contacts.

ProWrite for Microsoft Word
http://www.nereosoft.com/pwportal.htm

Create letters, faxes, envelopes and labels in Word using Outlook Contact and other address book data. Supports workgroup templates, multiple languages and reusable distribution groups.

Updated Utilities

Decision Support Panel
http://www.dspanel.com/

Version 2.0 of data warehouse client that makes it easy to perform OLAP analyses from within Outlook and send them as messages.

GroupShield
http://www.mcafeeb2b.com/

Version 4.5 of this anti-virus tool for Exchange Server adds attachment filtering. It can also scan Personal Folders and offline folders files.

Office 2000 Service Release 1a
http://officeupdate.microsoft.com/2000/downloadDetails/O2kSR1DDL.htm

Updated version of SR-1 adding the Microsoft Office 2000-Windows 2000 Registry Repair Utility for users who upgraded from Windows NT 4 to Windows 2000.

ISSN 1523-7990
Copyright 1996-2006, Slipstick Systems and CDOLive LLC. All rights reserved.

Updated Jul 15 2008
