AddThis Social Bookmark Button

Listen Print

Beware the Briar Patch: Outlook's Latest Security Update -- Part 4

by Tom Syroid
07/01/2000

Part 1  |   Part 2  |   Part 3  |   Part 4

As Tom explains in Part 1 of his series, Microsoft's recent Outlook security update, designed to limit the damage caused by the recent rash of worm viruses, was controversial before it hit the streets. Those who worked with the pre-release code complained that the patch broke more than it fixed and its implementation was a disaster.

In this series of articles, Tom guides you through the numerous complexities, contortions, and "gotchas" hidden under the covers of this update. In this final part, Tom deals with "Uninstalling the Update" and closes the series with his "Conclusions and Recommendations."

Uninstalling the Update

Uninstalling the Outlook 98 version of the security patch is a snap: Go to the Windows Control Panel -> Add/Remove Programs applet, locate the requisite entry, and click Uninstall. After a system reboot (under Windows 98 and NT; not required under Windows 2000), Outlook is returned to its former state with no side effects.

Getting Outlook 2000 pried loose from the update is not so easy. First, unlike the Outlook 98 patch, there is no uninstall routine. Second, as noted in Part 1 of this article, you cannot uninstall Outlook alone--you must uninstall the complete Office 2000 package and then reinstall. When the update is applied to Outlook 2000, it does not just update and fiddle with Outlook's code; it replaces several pieces of core code in other Office applications as well.

If it's any consolation, it is possible to simply uninstall and reinstall Office without losing your configurationsettings and data. This information is not deleted when Office is removed, and a new installation automatically adopts them again without user intervention. However, I do not recommend trusting your data to Microsoft (or anyone else for that matter). Always perform a full backup before changing anything on your system, and that includes uninstalling a program.

Unfortunately, uninstalling Outlook 2000 gets even more complicated (as if the uninstall/reinstall fiasco described above weren't complicated enough) for some installations. Several users have reported that after uninstalling and reinstalling Office, Outlook 2000 blithely reapplies the patch.

Here is why this happens: All updates and patches applied to Office are stored in a hidden system folder \\Windows\Installer (or \\WINNT\Installer in the case of NT and Windows 2000). And guess what? Office doesn't always clean up after itself when it is removed from a system. If the uninstall process leaves any previously installed updates behind, when Office is reinstalled it reapplies anything it finds in the hidden system folder automatically (including the Office SR-1 update). If you decide to remove the Outlook security patch and want to be assured of a "clean" reinstallation, follow these steps:

  1. Uninstall Office.

  2. Open Windows Explorer, select Tools -> Folder Options.

  3. Click the View tab, select the option "Show hidden files and folders" and deselect the option "Hide protected operating system files."

  4. Expand the \\Windows or \\WINNT tree and locate the Installer folder.

  5. The Outlook update file is not named Outlook SR-1 (or anything obvious). Instead, look for a file approximately 1.6MB in size (there should be only one) with a name like 66a5fd6.msp. Delete or move it to another folder. If you want to remove the Office SR-1 update, look for a similarly named file approximately 20MB to 30MB in size; again, there should be only one in this range.

  6. Now reinstall Office.

Isn't computing fun?

Conclusions and Recommendations

Microsoft clearly dropped the ball on this latest Outlook security update. Instead of providing users with the means to determine how much security they need, Microsoft let media frenzy over the latest slew of email viruses dictate their solution. The end result was a half-baked patch rushed to market. This approach left several problems in its wake. In particular:

  • Distribution: Ideally, the update should have been distributed in at least two, if not three, components: a file attachment update, an Object Model update, and a Security Zone update. Alternatively, the update could have been distributed in one piece but with setup options allowing users a choice of which components to install.

  • Documentation: Microsoft's website documentation disregards many important issues, and in some cases is flat wrong. Users should be clearly warned that downloading the patch may cause some applications to break. In addition, the patch is labeled "Critical Update," a misleading tag that resulted in many people rushing to download and apply it without reading the fine print.

    And speaking of fine print, why should anyone have to scour at least a half-dozen Knowledge Base articles to get even a passing sense of what the update involves and how it is implemented?

  • User preferences: Once again, the folks at Redmond seem to have forgotten whose sandbox they're playing in. The phrase "It's my bar, and my boat" immediately springs to mind. Why, as a home user, can I not specify which files I deem to be of Level 1 importance?

  • Superfluous steps: The contortions necessary to remove the update from an Office/Outlook 2000 installation are inexcusable.

Wake up Redmond. The average user simply does not have the time or inclination to jump through all these hoops.

This is not to imply the update is completely without merit in some situations. If you are considering installing the patch, carefully weigh the cost of security (in both real and abstract terms) against the loss of convenience. Then factor in how Outlook is used, in what environment, and with which external applications. In particular, if you sync your handheld with Outlook, be sure to read everything you can on how your brand of synchronization software interacts with the Object Model Guard. If you rely on Outlook and Word to perform large mail merges, steer clear of this update until you can predict how your system will react to the task.

For what might be termed the "typical IMO user" (Outlook used predominantly as a email client) it is probably a good idea to install the update, especially if you have one computer that is shared by numerous other "unsavvy" members of the household.

Exchange Administrators will want to have a long hard look at the Outlook SR-1 update. In many ways, the patch was targeted for use in a small- to medium-size Exchange environment. At least in this environment provisions exist to modify the default behaviors for file attachment security to suit corporate needs. Be sure to consider any scalability issues before you deploy the update, and if at all possible, thoroughly test its consequences in a non-production setting before unleashing it on the masses.

If you are a power user who relies on third-party add-ins or code to automate Outlook, steer clear of this update until you are well aware of the consequences it may have on other applications.

After reading this article you may find your system setup doesn't quite fit any of the scenarios presented. The best advice I can offer is to read everything available on the update before you open Pandora's Box. While it is not impossible to reverse directions and uninstall the patch, many users will find the complexities of doing so beyond their comfort level.

In closing, it's important to understand something about this security update, in particular, and Outlook, in general. Your experience easily could be different than what's described in this article. I went to great lengths to test and confirm all the information provided. But Outlook is a complex piece of software. Program behavior is dependent on the installation mode, the Information Stores in use, the mail transports in use, and all too often, your relative position to the Big Dipper. Therefore, it's impossible to anticipate everyone's experience. This is not intended as a cop-out. Unfortunately, unpredictable mannerisms are becoming standard fare with the increasing interdependencies in software today. The price you pay for power and flexibility is all too often complexity and inconsistency.

Tom Syroid lives in Saskatoon, Canada, and spends his days working as a systems consultant and freelance writer.