Information Security News mailing list archives
Outlook ups security, but clunkily
From: InfoSec News <isn () C4I ORG>
Date: Mon, 19 Jun 2000 09:15:57 -0500
http://www.zdnet.com/eweek/stories/general/0,11011,2589425,00.html

By Michael Caton, eWEEK
June 18, 2000 9:00 PM PT

Microsoft Corp.'s Outlook update effectively blocks virus-based exploitation of the security holes presented by the integration of Outlook and other Office applications, but eWeek Labs found the server-based solution cumbersome.

Released last week, the update includes a tool for setting Outlook security globally through Microsoft's Exchange messaging server. The patch that Microsoft released after the Love Letter attack provided the same settings but only locally.

The update provides two security models: The first prevents users from receiving executable and script-bearing file types; the second allows users to receive files in ZIP format but prevents users from running the files without first saving them on a hard drive.

The update includes a new Exchange tool that lets administrators establish a security form in an Exchange public folder. However, the tool requires managers to enter users individually, so creating exceptions for select power users is time-consuming. The update also includes a group policy profile that modifies the registry of the client system so the security overrides take effect for those users.

The kludginess of Microsoft's solution points to the harsh reality of component-level integration in the Office suite. Policy-based management and the ability to restrict security during installation would be far more cost-effective. We would like to see Microsoft offer its Office customers a more manageable approach to securing clients.

We recommend that sites concerned about the threat of macro and executable viruses check out this update and evaluate their methods for distributing Office. Administrators must examine the security of Office, starting with software distribution. Whether a site uses install scripts, software image distribution or factory preinstalls, it must deliver the suite with the most secure settings in place.

East Coast Technical Director Michael Caton can be contacted at michael_caton () ziffdavis com

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".