The Trouble with SP2 for Microsoft Office 2000

Welcome to the client side of Exchange and Outlook UPDATE, the updated name for the Exchange Administrator UPDATE. If you're an Exchange administrator, you already know how important client support is to the overall success of your Exchange installation. I'm very excited about joining Jerry Cochran and the rest of the UPDATE staff in this expansion. You can expect my weekly commentaries to cover the 32-bit Outlook client, Outlook Web Access (OWA), the Outlook client for Macintosh, and the growing list of wireless Exchange clients.

Last week marked a watershed moment for the 32-bit Outlook client as Microsoft released Service Pack 2 (SP2) for Office 2000. SP2 is the first major version of Outlook 2000 to include the Outlook Email Security Update. Released last June in the aftermath of the Loveletter virus, this update does something rare in the history of Microsoft patches—it removes key functionality from a shipping product.

The security update's purpose was to halt the spread of mail-borne viruses, such as Loveletter and Melissa. One mechanism it uses to accomplish this goal is removing access to many file attachments. I was surprised by how many people are exchanging .exe and .mdb files in the course of business. After these folks installed the security update, they had to scramble to alert correspondents to send files as .zip archives or use some other scheme to get around the update's attachment block. Such strategies include using OWA and Outlook Express (OE), neither of which has such a block. (Why does Microsoft find .exe attachments opened via OWA or OE less dangerous?)

Given the workarounds, the attachment block is an annoying, but moderately useful, safeguard. It protects careless users who tend to open every LookAtThisCutePic.exe file sent their way.

The other primary piece of the security update, the object model guard, threatens the very future of the 32-bit Outlook client. This feature puts a dialog box on the screen whenever a program tries to access the address book or send a message through Outlook. Yes, this approach halts Loveletter's propagation scheme dead in its tracks—assuming the user answers "No" to the prompt—but it reneges on the implicit promise in all Microsoft programming interfaces: If you program to the interface that Microsoft provides, your programs will run unhindered. This object model guard affects even programs that you selected yourself, such as a PDA sync utility, or that might be part of your corporate desktop, such as a customer relationship management (CRM) application, because the update provides no way to distinguish between "good" and "bad" programs.

The problem with SP2 is that it includes the attachment blocking and object model guard with the other security update features and all the bug fixes. If you want the fixes, you must take the security update, too. It's an all-or-nothing proposition. To Microsoft's credit, the page for SP2 on the Microsoft Office Update site clearly notes that SP2 includes the security update and provides a link to more information. No doubt, however, many users who want to have the latest and greatest version will install SP2 without reading the fine print and will be aghast to discover what's happened to their .exe attachments and programs built on Outlook's programming interface.

If you're an administrator, Office 2000 SP2 involves some hard choices. Do you deploy it because of the many fixes and run the risk that the Vice President of Sales won't be able to read the reports that his managers send in as .mdb files? Maybe it's time to consider installing the administrative tools for the security update that allow customization in an Exchange Server environment through a special form and a public folder. You can download these tools from Microsoft's Web site.

Looking ahead, SP2 sets the stage for the next version of Outlook, which Microsoft has already said will include the security update features. Outlook has differed from other email clients because of the ease with which developers can enhance it with new features—either for personal productivity or to meet corporate goals. Perhaps companies who deploy SP2 will step up and provide some strong feedback on whether the security update is offering real protection or causing more support problems than it solves and eliminating the opportunity to use Outlook as an applications platform.

Write me at [email protected] to let me know what Outlook issues are on your mind. I'm particularly interested in your experiences in deploying the administrative tools for the Outlook Email Security Update.