OL2000: Developer Information About the Outlook E-mail Security Update
Overview
The Outlook E-mail Security Update provides Outlook with additional levels of protection against malicious e-mail messages. The update directly affects the way that many Outlook features function, and it may adversely affect solutions that you built by using developer features that are included in Outlook and other messaging technologies or Application Programming Interfaces (APIs). If you have created any type of solution by using Microsoft messaging technologies, Microsoft recommends that you become familiar with the changes that the security update makes to Outlook and how those changes may affect your solution. In some cases, solutions do not function at all; in other cases, solutions may result in a warning message that interrupts your solution when you try to run it.
The security update changes Outlook and general messaging functionality in the following areas:
- General attachment behavior (from the end-user perspective)
- The Outlook object model
- Other areas in Outlook that are related to security
- The Collaboration Data Objects (CDO) object model
- Simple Messaging Application Programming Interface, or Simple MAPI
- Outlook custom forms that are published to any folder or forms library, including the Organizational Forms Library.
- Outlook COM Add-ins.
- Outlook Visual Basic for Applications.
- Any other type of development project that uses the Outlook object model or Simple MAPI.
Outlook Object Model Design Changes
Attachments
Attachments with Level 1, or "unsafe," file extensions are not accessible in the Outlook object model, specifically:
- The Attachments collection in the object model is unaware of unsafe attachments.
- If you try to send mail programmatically with one of these attachments, the mail is not sent. If the program is written in the C or C++ programming languages, you receive the MAPI_E_CANCELLED return code.
- If you attempt to open an "unsafe" file system object (or "freedoc" file) by using the Outlook object model, you receive the E_FAIL return code in the C or C++ programming languages. Before you install the update, you can open an "unsafe" file system object by using the Display method in the Outlook object model.
Item.Send
When you run a program that uses the Outlook object model to call the Send method, you receive a warning message. This warning message tells you that a program is trying to send mail on your behalf and asks if you want to allow the message to be sent. The warning message contains both a Yes and a No button; however, the Yes button is not available until five seconds have passed since the warning message appeared. You can dismiss the warning message immediately if you click No. When you click No, the Send method returns an E_FAIL error in the C or C++ programming languages.
Accessing Address Books and Recipients
If a program tries to reference any type of recipient information by using the Outlook object model, a dialog box is displayed that asks you to confirm access to this information. You can allow access to the address book or recipient information for up to ten minutes after you receive the dialog box. This allows features, such as mobile device synchronization, to be completed. If you decide not to allow access to your address book or recipient information, you receive the E_FAIL return code for all of these messages in the C or C++ programming languages.
You receive the confirmation dialog box when a solution tries to programmatically access the following features of the Outlook object model:
- The AddressEntries collection or any AddressEntry object.
- The Recipients collection or any Recipient object.
- The following properties of a ContactItem object: Email1.Address
- The following properties of a MailItem object: SentOnBehalfOfName
- The following properties of an AppointmentItem object: Organizer
- The following properties of a TaskItem object: ContactNames
- The GetMember method of a DistListItem object.
- The ContactNames property of a JournalItem object.
- The SenderName property of a MeetingItem object.
- The SenderName property of a PostItem object.
- The GetRecipientFromID property of a Namespace object.
- The Execute method of an Action object.
- The Formula property of a UserProperty object.
Item.SaveAs
When you use the SaveAs method to save items to the file system, you receive an "address book" warning message. This includes all types of items whether or not the items have attachments or active content. This change has been made so that you cannot programmatically save items to a file and then parse the file to retrieve e-mail addresses.
Send CommandBar Button
It is no longer possible to use the Execute method to programmatically click the Send button on the Outlook toolbar. Although this is not commonly done in Outlook solutions, this change has been made to prevent malicious use. You receive the E_FAIL return code for all of these messages in the C or C++ programming languages.
SendKeys
Outlook does not allow access to certain dialog boxes by using the Visual Basic or Visual Basic for Applications SendKeys command. This prevents malicious programs from automatically dismissing the warning messages and circumventing the new security features.
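To gauge how the object model changes described above affect an existing solution, the following added example (not part of the original article and not Microsoft code) scans VBA or VBScript source for the members this page names and reports the reaction the page describes for each. The function name scan, the effect labels, and the sample macro are assumptions made for the illustration; the member table covers only names that appear on this page.

```python
import re

# Object-model members named on this page, keyed by the update's reaction.
# The page's per-object property lists are cut short, so this table is partial.
GUARDED = {
    "address_prompt": ["AddressEntries", "AddressEntry", "Recipients",
                       r"Email1\.?Address", "SentOnBehalfOfName", "Organizer",
                       "ContactNames", "GetMember", "SenderName",
                       "GetRecipientFromID", "Formula", "SaveAs"],
    "send_prompt": ["Send"],
    "review": ["Execute"],  # Action.Execute prompts; Execute on the Send button fails
}

_STRING = re.compile(r'"(?:[^"]|"")*"')  # VBA string literal, "" is an escaped quote
_GUARD = re.compile(
    r"\.(?:" + "|".join(f"(?P<{effect}>{'|'.join(names)})"
                        for effect, names in GUARDED.items()) + r")\b"
    r"|\b(?P<blocked>SendKeys)\b",
    re.IGNORECASE)  # VBA and VBScript identifiers are case-insensitive

# Constructed sample macro, used only as scanner input (hypothetical solution code).
SAMPLE = '''Sub ForwardSummary()
    Set ol = CreateObject("Outlook.Application")
    Set src = ol.ActiveInspector.CurrentItem
    Set msg = ol.CreateItem(0)         ' 0 = olMailItem
    msg.Subject = "Use .Send later"    ' literal and comment: msg.Send
    For Each r In src.Recipients
        names = names & r.Name & ";"
    Next
    msg.Body = src.SenderName & ": " & names
    src.SaveAs "copy.msg"
    SendKeys "%s"
    msg.Send
End Sub
'''

def scan(source):
    """Return [(line_no, member, effect)] for guarded accesses in VBA/VBScript text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        # Blank out string literals first, then drop the trailing ' comment.
        code = _STRING.sub('""', line).split("'", 1)[0]
        for m in _GUARD.finditer(code):
            findings.append((line_no, m.group(m.lastgroup), m.lastgroup))
    return findings

if __name__ == "__main__":
    for line_no, member, effect in scan(SAMPLE):
        print(f"line {line_no}: {member} -> {effect}")
```

The scan is textual: it does not track object types, so members reached through an already obtained Recipient or AddressEntry object (such as r.Name in the sample) are not reported and still need manual review.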
VBScript in Unpublished Forms No Longer Runs
When you create a custom Outlook form, you can choose to directly embed Visual Basic Scripting Edition (VBScript) within an item. You may do this if other users cannot gain access to a published form. These types of forms are called "one-off" forms.
For additional information about one-off forms, click the article number below to view the article in the Microsoft Knowledge Base:
Office Applications Are Reset to High Security
To help protect against harmful macro viruses that may be in Microsoft Office documents, the security update puts the following list of Office programs into "high security" mode.
NOTE: For the typical Microsoft Office 97 program, you are asked if you want to run macros. For the typical Microsoft Office 2000 program, macros cannot run unless they are signed and trusted. If the macros are signed and trusted, you are not asked if you want to run the macros.
- Microsoft Outlook 2000 only. Visual Basic for Applications was not included with Outlook 98.
- Microsoft Word 2000 and Microsoft Word 97. By default, Word is in high security mode in Office 2000.
- Microsoft Excel 2000 and Microsoft Excel 97.
- Microsoft PowerPoint 2000 and Microsoft PowerPoint 97.
Outlook and HTML Mail
The security update puts Outlook into the "restricted zone" by default. If you open an e-mail message that is in Hypertext Markup Language (HTML) format, and the HTML contains script, the script runs within the context of the Internet security settings.
NOTE: This is one difference between Outlook 98 and Outlook 2000. When you use Outlook 98, active content runs as long as security settings are set adequately low. With the Outlook E-mail Security Update installed, Outlook 2000 completely disables script in HTML e-mail messages, regardless of the Internet security settings.
Simple MAPI Design Changes
When Outlook is installed on a computer as the default Simple MAPI client, Outlook processes requests that are made by using Simple MAPI calls. Therefore, when you install the Outlook E-mail Security Update, changes are made to the way that Simple MAPI calls are handled. By default, if you use many Simple MAPI functions, you receive a warning message that says a program is trying to either access recipient information or send mail on your behalf.
The following list describes how Outlook responds to Simple MAPI calls.

    Simple MAPI call     Behavior if handled by Outlook
    ----------------------------------------------------------------
    MAPIAddress          OK
    MAPIDeleteMail       OK
    MAPIDetails          OK
    MAPIFindNext         OK
    MAPIFreeBuffer       OK
    MAPILogoff           OK
    MAPILogon            OK
    MAPIReadMail         Prompt
    MAPIResolveName      Prompt
    MAPISaveMail         OK
    MAPISendDocuments    OK
    MAPISendMail         OK with the MAPI_DIALOG argument, otherwise prompt

CDO Design Changes
The Outlook 2000 E-mail Security Update does not remove the CDO object model if it has been previously installed on the computer. This differs from the Outlook 98 E-mail Security Update, which does remove the CDO object model from the computer.
The CDO 1.21 object model has been changed to reflect the changes made to the Outlook object model and Simple MAPI. For additional information about the CDO changes, click the article numbers below to view the articles in the Microsoft Knowledge Base:
Common Messaging Calls Are No Longer Supported
After you install the Outlook E-mail Security Update, Common Messaging Calls (CMC) no longer function. The CMC interface is a set of ten functions that enable you to quickly add simple messaging capabilities to your custom program. For example, your program can send a message with a single CMC function call and receive a message with two CMC function calls.
For additional information about CMC, see the following Microsoft Web site:
Designing Solutions With the Security Update
There is no direct, programmatic way to determine which security update features a user has enabled. However, depending on your solution, you may be able to use one or more of the following approaches to determine if the security update has been installed.
Determine the Outlook Build Number
You can programmatically determine the version of Outlook to see if the security update has been applied to Outlook. However, this does not directly tell you whether an administrator has granted the user any "override" capabilities. The following Outlook Visual Basic for Applications code sample illustrates how you can determine which version of Outlook is installed on a computer:

    Sub CheckForVersion()
        MsgBox UpdateApplied
    End Sub

    Function UpdateApplied()
        Set ol = CreateObject("Outlook.Application")
        iBuild = Int(Right(ol.Version, 4))
        ' NOTE: The version number format changed between Outlook 98 and 2000
        If iBuild >= 4201 Then
            UpdateApplied = True
        Else
            UpdateApplied = False
        End If
        Set ol = Nothing
    End Function

Determine the Mail Delivery Location
You may want to check if Outlook is delivering mail to a Personal Folders file (.pst). If mail is being delivered to a Personal Folders file, all of the security update features are in effect. The following Outlook automation code sample illustrates how you can determine if a user's mail is delivered to a mailbox or Personal Folders file.

    Sub CheckForPST()
        MsgBox UsingPST
    End Sub

    Function UsingPST()
        Set ol = CreateObject("Outlook.Application")
        Set oInbox = ol.Session.GetDefaultFolder(6) ' 6 = olFolderInbox
        If InStr(oInbox.Parent.Name, "Mailbox - ") Then
            UsingPST = False
        Else
            UsingPST = True
        End If
        Set oInbox = Nothing
        Set ol = Nothing
    End Function

Article ID: 262701 - Last Review: 12/05/2015 20:13:50 - Revision: 7.2