Important This article describes security features in Outlook 2002, in Outlook 2002 Service Pack 1, and in Outlook 2002 Service Pack 2. Additional features were added to Outlook 2002 Service Pack 3.
For more information about those changes, click the following article number to view the article in the Microsoft Knowledge Base:
OverviewImportant In addition to the information in this article, you should be familiar with the general Outlook 2002 e-mail security features. Information about the Outlook e-mail security features is provided in Help. On the Help menu, click Microsoft Outlook Help. In the contents, click Security and Encryption.
For more information about how the security features affect end-users, click the following article number to view the article in the Microsoft Knowledge Base:
For more information about how to override these restrictions, click the following article number to view the article in the Microsoft Knowledge Base:
The security features change Outlook and general messaging functionality in the following areas:
- General attachment behavior
- The Outlook object model
- The Collaboration Data Objects (CDO) 1.21s object model
- Simple Messaging Application Programming Interface, or Simple MAPI
- Other areas in Outlook that are related to security, such as code embedded in HTML-based mail messages
Outlook object model security features
AttachmentsAttachments with Level 1, or "unsafe," file extensions are not accessible in the Outlook object model, specifically:
- The Attachments collection in the object model is unaware of unsafe attachments.
- If you try to send mail programmatically with one of these attachments, the mail is not sent. If the program is written in the C or C++ programming languages, you receive the MAPI_E_CANCELLED return code.
- If you attempt to open an "unsafe" file system object (or "freedoc" file) by using the Outlook object model, you receive the E_FAIL return code in the C or C++ programming languages. In previous versions of Outlook, you could open an "unsafe" file system object by using the Display method in the Outlook object model.
Item.SendWhen you run a program that uses the Outlook object model to call the Send method, you receive a warning message. This warning message tells you that a program is trying to send mail on your behalf and asks if you want to allow the message to be sent. The warning message contains both a Yes and a No button; however, the Yes button is not available until five seconds have passed since the warning message appeared. You can dismiss the warning message immediately if you click No. When you click No, the Send method returns an E_FAIL error in the C or C++ programming languages.
Accessing address books and recipientsIf a program tries to reference any type of recipient information by using the Outlook object model, a dialog box is displayed that asks you to confirm access to this information. You can allow access to the Address Book or recipient information for up to ten minutes after you receive the dialog box. This allows features, such as mobile device synchronization, to be completed. If you decide not to allow access to your Address Book or recipient information, you receive the E_FAIL return code for all of these messages in the C or C++ programming languages.
You receive the confirmation dialog box when a solution tries to programmatically access the following features of the Outlook object model:
- The AddressEntries collection or any AddressEntry object.
- The Recipients collection or any Recipient object.
- The following properties of a ContactItem object:Email1.Address
- The following properties of a MailItem object:SentOnBehalfOfName
- The following properties of a AppointmentItem object:Organizer
- The following properties of a TaskItem object:ContactNames
- The GetMember method of a DistListItem object.
- The ContactNames property of a JournalItem object.
- The SenderName property of a MeetingItem object.
- The SenderName property of a PostItem object.
- The GetRecipientFromID property of a Namespace object.
- The Execute method of an Action object.
- The Formula property of a UserProperty object.
Item.SaveAsWhen you use the SaveAs method to save items to the file system, you receive an "address book" warning message. This includes all types of items whether or not the items have attachments or active content. This change has been made so that someone cannot programmatically save items to a file, and then parse the file to retrieve e-mail addresses.
Send CommandBar buttonIt is no longer possible to use the Execute method to programmatically click the Send button on the Outlook toolbar. Although this is not commonly done in Outlook solutions, this change has been made to prevent malicious intent. You receive the E_FAIL return code for all of these messages in the C or C++ programming languages.
SendKeysOutlook does not allow access to certain dialog boxes by using the Microsoft Visual Basic or Microsoft Visual Basic for Applications SendKeys command. This prevents malicious programs from automatically dismissing the warning messages and circumventing the new security features.
VBScript in unpublished forms no longer runsWhen you create a custom Outlook form, you can choose to directly embed Visual Basic Scripting Edition (VBScript) within an item. You may do this if other users cannot access a published form. These types of forms are called "one-off" forms.
For more information about one-off forms, click the following article number to view the article in the Microsoft Knowledge Base:
CDO 1.21s security featuresThe CDO 1.21 object model has been changed to reflect the changes made to the Outlook object model and Simple MAPI. The version number of CDO has been updated to 1.21s to reflect these security features.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Simple MAPI security featuresWhen Outlook is installed on a computer as the default Simple MAPI client, Outlook processes requests that are made by using Simple MAPI calls. Therefore, when you install Outlook 2002, Simple MAPI calls are handled by Outlook and those calls provide the same level of protection as the Outlook object model. By default, if you use many Simple MAPI functions, you receive a warning message that says a program is trying to either access recipient information or send mail on your behalf.
The following list describes how Outlook responds to Simple MAPI calls.
Simple MAPI call Behavior if handled by Outlook
MAPISendMail OK with the MAPI_DIALOG argument, otherwise prompt
Office applications are reset to high securityTo help protect against harmful macro viruses that may be in Microsoft Office documents, Office XP defaults to putting programs in "high security" mode. This includes all Office XP programs that support Visual Basic for Applications, except Microsoft Access, because Microsoft Access has no equivalent settings for macro security. As a result, all Access document types are included in the list of unsafe file extensions that cannot be accessed.
Outlook and HTML mailThe following information is an excerpt from the Microsoft Outlook Help:
Avoiding the security featuresThe e-mail security features affect all custom solutions that use the Outlook object model, CDO, or Simple MAPI, even if they are digitally signed. This includes the following:
- Outlook custom forms that are published to any folder or forms library, including the Organizational Forms Library
- Outlook COM Add-ins
- Outlook Visual Basic for Applications
- Any other type of development project that uses the Outlook object model, CDO or Simple MAPI
- Outlook custom forms: Publish forms so that they are not one-off forms, or use the administrator features to enable VBScript code in one-off forms to run.
- Outlook Visual Basic for Applications: Use the administrator features to disable object model restrictions, or convert your Visual Basic for Applications code to a COM Add-in, and then register it by using the administrator form.
- COM add-ins: COM add-ins can be trusted if an administrator registers them by using the administrator form. However, when you are using a COM add-in, only the Outlook object model is exempted; the CDO object model will still generate warnings.
You cannot trust COM add-ins in Outlook 2000. This was a feature that was added to the Outlook 2002 version of the administrator form.
- Automating the Outlook or CDO object models: Use the administrator features to disable object model restrictions.
You may also want to consider using a different messaging API or library:
- Collaboration Data Objects for Windows 2000 (CDOSYS) This library is available with Microsoft Windows 2000 (Professional and Server editions) and Microsoft Windows XP (Professional Edition). CDOSYS is installed by the Internet Information Services (IIS) component of Windows, so you must install IIS in order to use CDOSYS.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:286430 How to send HTML formatted mail using CDO for Windows 2000 and the local pickup directoryFor additional information about CDOSYS, visit the following Microsoft Developer Network (MSDN) Web site:
- Extended MAPI You must write your code in C/C++. For additional information, visit the following Microsoft Developer Network (MSDN) Web site:
ID do Artigo: 290500 - Última Revisão: 23/03/2009 - Revisão: 1