This article summarizes how the Microsoft Outlook E-mail Security Update affects Outlook. For more information about other types of issues when you apply the Outlook E-mail Security Update, see the "References" section.
The Microsoft Outlook E-mail Security Update significantly changes the way Outlook handles attachments. It also changes the way that Outlook handles requests for programmatic access. Because of the new design, any feature or program that uses any of the following features may behave differently after you install the security update:
- The Outlook object model
- Simple Messaging Application Programming Interface, or Simple MAPI
For additional information about the Microsoft Outlook E-mail Security Update, click the article number below to view the article in the Microsoft Knowledge Base:
OL2000: Information About the Outlook E-mail Security Update
For additional information about how the update affects developers and custom solutions, click the article number below to view the article in the Microsoft Knowledge Base:
OL2000: Developer Information About the Outlook E-mail Security Update
After you apply the Outlook E-mail Security Update, various Outlook features and programs that integrate with Outlook cause a warning message to appear that asks you to confirm the action. You must confirm the action for the feature to work. Unless an administrator has overridden these default settings for you, you cannot alter this behavior. In some situations, the prompts may cause a feature to take longer to complete because you must approve the action repeatedly.
To prevent worm viruses, such as the ILOVEYOU virus, from quickly spreading, Microsoft has restricted features that can potentially be used to write virus in Outlook. Microsoft is evaluating the security features in Outlook and other general messaging functionality for future versions of Microsoft products.
Various mail merge features generate address book warning messages if you are merging with Outlook contact information. You can allow access to the address book information for up to 10 minutes, and you do not receive address book warning messages again for that period of time.
Mail Merge to E-mail or Fax
When you create a mail merge to e-mail or fax by using your Contacts folder, you must eventually use Microsoft Word to complete the mail merge. After you start the actual merge, you receive a warning message which indicates that a program is trying to access your address book. You can allow access for up to 10 minutes, and you do not receive address book warning messages again for that period of time. However, a separate warning message for each e-mail message that you send appears and you must wait five seconds before you can confirm the send process. For example, if you generate a mail merge to e-mail that is being sent to 100 people, it takes over eight minutes and you must approve each of the e-mail messages every five seconds. This is a limitation of the current design and improvements are being evaluated for the next version of Microsoft Office.
Outlook Team Folders use the Outlook object model for various tasks. You are prompted to confirm access in various tasks that you do by using Team Folders, including setting permission to information, sending e-mail messages, and creating the Team Folder. If you confirm access to your address book and confirm to send e-mail messages, the Team Folders features work as expected. If you deny access, you may receive a script error message.
Digital Dashboards typically have script in their Hypertext Markup Language (HTML) pages. If the script references parts of the Outlook object model that are restricted by the security update, you receive prompts to confirm access when you use the dashboard. If you click No
in the confirmation dialog boxes, the Digital Dashboard pages do not work because they do not have error handling for this new behavior.
Net Folder Invitations
You may receive an address book warning message when you send a new subscription. Other users also receive an address book warning message when they receive a new subscription request. Although you may receive a warning message, the Net Folder feature works correctly.
Space Takes the Place of an Attachment
If you use e-mail messages in Outlook Rich Text format, attachments are included within the text of the message. When Outlook blocks an attachment, a space is left in its place.
"Unsafe" Attachment Forwarding
If you forward a message with an "unsafe" or Level 1 attachment, the attachment is not included with the forwarded message. This is by design.
How To Remove "Unsafe" Attachments
To remove an "unsafe" attachment from an e-mail message so that the attachment does not use more storage space than necessary, forward the message to yourself. The forwarded message does not contain the attachment, and you may then delete the original message to reclaim the storage space.
Journal Items and Custom Forms
You cannot see warning messages at the top of journal items or custom Outlook forms. For this reason, you do not see a visual notice that Outlook has blocked access to the attachment.
Information at the Top of the Message Is Limited to Four Lines
When you open an e-mail message, if the e-mail message includes more than four settings that are displayed at the top of the e-mail message, and the e-mail message contains an "unsafe" attachment, you do not see an information message at the top of the e-mail message.
Meeting and Task Request Limitations
If you are using either meeting requests or task requests and the task or appointment contains an "unsafe" attachment, Outlook does update the warning message at the top of the item to indicate that access to the attachment has been blocked. This behavior is a known limitation that specifically relates to meeting request and task request forms. In addition, you may see inconsistent behavior with attachments, whether or not an "unsafe" attachment is blocked in various circumstances when you use meeting requests and task requests. These limitations are caused by the architecture of Outlook and the request forms.
The Setup "Run From" Location Changes
If you have Outlook installed to run locally, apply the security update, and then click Run from Server
to change Outlook to run from your server, the security update feature set is not available, and you cannot reapply the update on that computer. You must change the "Run From" setting back to "Locally" by using Office or Outlook Setup.
VBScript No Longer Runs in Template (.oft) Files
If you open an Outlook item template (.oft) file, and it has script in it, the script is disabled and you do not receive the enable or disable macro warning message. This is a feature of the security update. To make this functionality work again, an administrator must configure your computer so that you are prompted to run the script or not to run the script.
Quick View Behavior
Regardless of the file types that you add to the Level 2 list, you are able to use the Windows Quick View feature to see the contents of attachments. However, you cannot open attachments in this way.
Simple MAPI, Outlook, and CDO Do Not Share Time Settings
Because these three object models, or APIs, run in separate processes, they all maintain independent settings when users are prompted to allow access for a specific amount of time. For example, if a custom Outlook form contains Visual Basic Scripting Edition (VBScript) that uses both the Outlook and CDO object models, the user is prompted twice to specify the amount of time that the object model can be used; the user is prompted once for each object model.
Security Prompts Are Reset When You Restart Outlook
If you quit and then restart Outlook, you receive another prompt to allow access if another program requests access to the Outlook object model. When you allow access to the Outlook object model your computer does not store this information, so you are prompted again to allow access when you restart Outlook and a program requests access to the object model.
Collaborative Data Objects (CDO)
CDO is another object model that people who write viruses can use to send mail. The Microsoft Outlook 98 update removes CDO from your system to take away this risk, but the Outlook 2000 update cannot remove CDO. Microsoft recommends that you manually uninstall CDO by using the Add-Remove tool in Outlook or Office Setup.
Administrator Can Not Re-Enable the Send Button
The update restricts the use of the CommandBars object so that the object cannot programmatically click the Send
button. There is no administrative option to remove this restriction. As a work around, you can change the appropriate options for programmatically sending mail by using the Send
Using Distribution List in the Outlook Security Form
If you type distribution lists in the Members
box of the Outlook Security Form, security settings are not applied to each user in the distribution list. You must add users individually for the security settings to work.
Object Model Timer Applies to the Yes and No Buttons
If a program tries to access your address book, and you click to select the check box to allow access for 10 minutes, and then click No
in the dialog box, access to your information is not allowed for 10 minutes. The timer applies if you click either the Yes
button or the No
button in the dialog box.
Information at the Top of the E-mail Message Does Not Display the File Name
After you attach an "unsafe" attachment to an e-mail message, you can change the properties of the attachment before you send it. This changes the file name that is displayed in the e-mail message, although it does not actually rename the attachment itself. When another user receives the item, the attachment is not available. However, the information message at the top of the e-mail message does not display the attachment's real file name; it displays the name of the file as it was set by the sender.