If you have been waiting anxiously for the Outlook Email Security Update, there's good news -- it's not ready yet. Yes, that's good news, because Microsoft has delayed it to add features that will allow administrators in server-based environments to control which security options each user or group of users needs. Based on the preliminary information available, I think this will make the update useable -- with caution -- in such environments. We still do not recommend it for standalone Outlook power users or those on peer-to-peer networks.

When the update does become available -- expected some time this week -- our http://www.slipstick.com/outlook/esecup.htm page will have full coverage and recommendations.

Have you been getting fewer messages lately? If so, you might want to ask your mail server administrator whether they've increased filtering and caused some messages not to get through to you. I've seen examples of companies filtering out all messages with attachments, messages that mention the Loveletter virus in the text, messages in Microsoft Outlook Rich Text Format, and so on. Is this level of paranoia really necessary? I think not. It also tends to foster a false sense of security: You may have cut down on messages with VBScript attachments and updated your anti-virus software with the latest signatures, but what if the next virus uses a completely new method of attack? If you don't have a solid, understandable, enforceable user policy on attachments and suspected viruses in your organization, you remain at risk, regardless of how often you tweak the servers.

Was the Memorial Day weekend in the United States just a slow news weekend? Or was there good reason for virus hysteria to hit the air waves? I was sitting in my apartment in Moscow all that weekend listening to many news broadcasts -- CNN and BBC in particular -- that maintained warnings about the Resume virus at the top of the headlines. Resume, as you probably know, is a virus of the Melissa type, which was first seen last year. The payload is a macro in a Word document that propagates itself through Microsoft Outlook. The Resume virus did not cause the mass destruction that the warnings seemed to predict. Again, basic precautions -- such as turning on macro security in Word and educating users not to open unsolicited attachments -- took care of most of the problems, and updates to anti-virus software added a bit more protection on top of that.

Part of the blame for the hysteria falls on the shoulders of the National Infrastructure Protection Center operated by the U.S. Federal Bureau of Investigation. Friday night before the three-day American holiday weekend, the NIPC issued an alert at http://www.nipc.gov/alert00-045.htm that was picked up by many news agencies, which repeated its assertions almost verbatim, despite the fact that the alert contained several inaccuracies. Specifically:

1) "The virus spreads by mailing itself to everyone in a users address book once opened."

What is being "opened" here? It is critical in discussing viruses to be quite specific about the mode of transmission. In this case, as with most recent viruses, the virus spreads only if the user opens the attached file. Opening the e-mail message does not trigger the virus payload.

2) "Deactivate your executive summary feature in Microsoft Outlook, and only then delete the e-mail without opening."

Outlook has no "executive summary feature"! I wrote the NIPC at mailto:nipc.watch@fbi.gov to notify them of these two errors and ask what they meant "executive summary," but have not received a reply. If they meant the AutoPreview, preview pane or Outlook Today feature, none of these has the capacity to open an attached file automatically. Outlook, like all mail programs that I know of, never opens any attachments automatically. Opening the Resume message will do the user no harm whatsoever. The user must make a conscious effort to open the file.

Days later, worried users were still asking the newsgroups how to disable the "executive summary feature." If an organization entrusted with monitoring infrastructure threats can't get its facts straight on something as simple as this, why should we believe any other alerts they issue? I'm also concerned that some technology newsletters -- not just the mass media -- parroted the NIPC's advice about the "executive summary" feature, apparently without doing any research on their own.

Microsoft released the second release candidate for Exchange 2000 last week. Visit http://www.microsoft.com/exchange/productinfo/OrderKit.htm to download RC2 or order it on CD.

The RC2 SDK and other developer information should be available soon at http://msdn.microsoft.com/downloads/sdks/exchange/beta.asp. (The links for downloading the files were not working yet when I checked them this morning.) You'll also be able to download a preview of the Workflow Designer for Exchange 2000.

Microsoft has announced that a new version of Office 2000 Developer will be available in July, containing:

• Microsoft Office 2000 Service Release 1 
• Office 2000 Developer Service Release 1 
• Workflow Designer for Exchange Server 2000 
• Exchange 2000 Server Developer Edition 
• Workflow Designer for SQL Server 
• SQL Server 7.0 Developer Edition

The page at http://www.microsoft.com/office/developer/OffDev1_5.htm indicates that this is a free update for registered Office 2000 Developer users. Also, if you have ordered Office 2000 Developer SR1 or Workflow Designer for SQL Server (formerly Access Workflow Designer for SQL Server), Microsoft will automatically send you Office 2000 Developer 1.5.

Registration has begun for this year's Microsoft Exchange Conference, Oct. 9-13, in Dallas, Texas. I definitely plan to be there. Discounts apply if you register before August 31.

MEC dates for Europe and Asia are also set:

• Nice, France -- October 24-26 
• Tokyo -- November 9-10 
• Singapore -- November 14-15