|
|
The Outlook Email Security Update for Outlook 98 and Outlook 2000
disables many of the features that allow viruses to spread
quickly. The security update is also integrated into Office 2000
Service Pack 2. Newer versions of Outlook have the features built in, with one major change
-- users can modify the list of blocked attachments.
To find out whether your copy of Outlook includes the security
update, you can check the version number with the Help | About
Microsoft Outlook command and compare it with this chart, which
lists the versions with the security update:
| Outlook 97 |
Not applicable, since the security update is not available for
Outlook 97 |
| Outlook 98 |
Version 8.5.7806 and later |
| Outlook 2000 |
Version 9.0.0.4201 and later |
| Outlook 2002 |
All versions (10.0.x.x) |
| Outlook 2003 |
All versions (11.0.x.x) |
| Outlook 2007 |
All versions (12.0.x.x) |
|
|
The update makes it difficult, if not impossible, to open program files in
Outlook -- including VBScript .vbs files like those that spread
Loveletter. It is also aimed at making it more difficult for
a virus to use Outlook to transmit itself via e-mail. This aspect of
the patch, however, means that some Outlook features will no longer
function at all. In other cases, a user may need to authorize
access by outside programs, such as bulk mail applications.
Microsoft has provided two ways to customize the security
settings:
In Microsoft Exchange Server environments,
administrators can customize
the security settings by installing a
special Outlook custom form in a public folder and configuring
security options for individuals and groups.
In
Outlook 2002, end users can
allow access to particular file attachment types that the
security features normally block. However, administrators can block this customization with
the new security form for Outlook 2002.
Basic
Facts and Download | Should you install this patch?
| Removing the Patch | Attachment Security |
Automation Security | Outlook Forms Security |
Outlook Security Zone | Other Changes |
Known Problems | More Information |
Basic Facts and Download
|
Outlook
2000 E-mail Security Update White Paper (Word doc, 555kb)
Administrative Options for the Microsoft Outlook E-mail Security Patch
OL2000
Known Setup Issues with the Outlook E-mail Security Update
Outlook 2002
Nothing to download -- the security features are built in.
End users can
allow access to particular file attachment types that the
security features normally block.
Outlook 2000
Note that you must install the Office Service
Release 1 update before installing the securitiy update.
Outlook 2000 SR-1 Update E-mail Security
(download page) -- Updated August 2001 to resolve a security
vulnerability with file attachments that use a CLSID (unique
identifier) as the file extension.
OL2000: Information About the Outlook E-mail Security Update
OL2000- Known Issues with the Outlook E-Mail Security Update
Microsoft Outlook 2000 Service Pack 2
includes the E-mail Security Update and CDO Update.
Office 2000 Resource Kit Toolbox - administrative version for
mass deployment
OL2000 You
Receive an Error Message After You Install Outlook 2000 SR-1
Extended E-mail Security Update on Some Localized Versions of
Outlook
Related Updates for Outlook 2000 SR-1
Word 2000 SR-1 Update Mail Command Security
to block possible unauthorized sending of messages through the
plain text or HTML WordMail or "Office envelope"
feature
Microsoft Outlook CDO Security Update
to apply the same level of security to the Collaboration Data
Objects programming interface
Outlook 98
Outlook 98 Update E-mail Security
(download page)
OL98- Information About the Outlook E-mail Security Update
OL98- Known Issues with the Outlook E-Mail Security Update
|
 |
|
Should you install this patch?
|
Proceed with caution. Removing
the patch on Outlook 2000 is no easy matter.
| Normal standalone users |
If you don't automate Outlook with code, this
patch may be a good tradeoff between additional security and
the inconvenience you might suffer in having to click the
warning when you synchronize with a PDA. If you use
Outlook 98 and various Outlook add-ins, check with your add-in
vendor to find out whether you should Install the Outlook 98 Email Security Update with CDO
in order to keep the CDO (Collaboration Data Objects)
component. |
| Power users |
If you automate Outlook
with code or use various Outlook add-ins, you will not want to
install this patch until you evaluate its possible effects on
your add-ins and code. See Applications Affected by the
Outlook Email Security Update. |
| Net Folders users |
If you depend on Outlook Net Folders to share
information, this patch may make that slightly feature less convenient
to use, because it pops up a dialog when you share a new
folder. However, contrary to the initial information from
Microsoft, the notes for the release version indicate that the Net
Folders feature should continue to work. Therefore, you
can generally follow the recommendations for normal and power
users above. |
| Exchange Server and HP
OpenMail administrators in Outlook environments |
The administrative features
will make this patch acceptable in some cases. However, we
still recommend that you carefully evaluate whether to
roll out this patch. It could potentially affect both
mission-critical Outlook add-ins and ad hoc, undocumented
applications created by individual users. While you can
relax some or all of the patch's restrictions for individuals
or groups of users (see Customizing
the Outlook 98/2000 E-mail Security Update), you will
want to plan your security groups and settings very carefully.
Also, you may want to consider Installing the Outlook 98 Email Security Update with CDO
in order to keep the CDO (Collaboration Data Objects)
component that many in-house Outlook forms and applications
use.
|
| Other corporate mail administrators |
We do not recommend installing the patch in
non-Exchange Server corporate mail environments until you
evaluate its possible effects on mission-critical Outlook add-ins and ad hoc, undocumented
applications created by individual users. Microsoft has
provided information to Lotus and Novell
Groupwise so that they can develop administrative tools
comparable to those provided by Microsoft for Exchange Server
and HP OpenMail. |
|
 |
|
Removing the Patch
|
Outlook 2002
Removal is not possible. All the security features are
integrated into the program, but end users can
modify the list of blocked
attachments.
Outlook 2000
You must remove Outlook and perform a complete reinstall. If
you installed Outlook as part of Office 2000, you must remove
Office 2000 completely -- not just the Outlook components -- and reinstall
Office. See
OFF2000 How to Completely Remove Office CD1 on Windows 2000
and
OFF2000 Utility to Completely Remove Remaining Office CD1 Files
and Registry Entries.Interestingly, several people on the newsgroups have reported
good results from just replacing two Outlook application files
with the corresponding files from the original Office CD or
Office 2000 SR-1. (SR-1 probably would be better -- you could copy
them before you run the SP2 update.) The
two files are Outllib.dll from the Office folder and
Outllibr.dll from the Office\1033 folder. This is an unsupported
method and probably does not fix all the aspects of the patch,
however. It may also cause other problems on your system. Implement at your own risk.
Outlook 98
Use Control Panel | Add/Remove Programs to remove the
patch and automatically reinstall the necessary original Outlook 98
components. If you installed Outlook 98 from CD, it's a quick,
painless process. If you installed Outlook 98 via the web, you
may have to connect to the Internet to complete the reinstallation
process.
|
 |
|
Attachment Security
|
Systems with the security update for Outlook 2000 and 98 or with Outlook 2002 will no longer be able to open or save the files
listed below if they are attached to an Outlook message. The attachments will still
be in the messages, and other programs or Outlook add-ins may be able to access
them, but they will be invisible to Outlook itself.
In addition to these "Level 1" attachments, as Microsoft calls them,
the patch also supports a "Level 2" list, which warns users when they try to open a file attached to a
message. End users with Outlook 2002 or
Office 2000 SP3 can
demote a file type from Level 1 to Level 2. Only administrators in an Exchange Server environment can customize
the Level 2 list.
If you don't have Outlook 2002 or Office 2000 SP3, there are many ways to open these "dangerous" files. See Opening .exe Attachments with the Microsoft Outlook E-mail Security Patch.
Users will also see a warning if they try to send an e-mail message that
contains any Level 1 file attachment. However, the attachment is not
actually stripped.
If the receiving user is not running Outlook with the security patch, they will
see the attachment as they normally do.
If you try to forward a message containing one of these files, even if
Outlook has been customized to consider it as a Level 2 attachment (save before
opening), Outlook strips
the attachment from the forwarded copy.
TIP: If you need to send a file from this list and want to avoid problems with
recipients who may have installed the patch, you can simply change the file name
before attaching the file -- for example, rename an .exe file to a .ex_ file --
and include instructions on how to save it and rename it in the body of your
message. Or use a zip utility to compress the file. Many Compression Tools
are available to work automatically from within Outlook, though probably not all
will be able to grab the .exe file, given the security surrounding attachments.
| File
extension |
File
type |
| .ade |
Microsoft
Access project extension |
| .adp |
Microsoft
Access project |
| app |
Microsoft Visual FoxPro application (blocked only in Outlook 2002 SP-2 and
Outlook 2000 SP-3) |
| .asp |
Active server page. (Blocked in Outlook 2002 SP3 and higher) |
| .asx |
Windows Media Audio or Video shortcut (blocked only in Outlook 2002
builds earlier than 10.0.3005.x) |
| .bas |
Visual
Basic class module |
| .bat |
Batch
file |
| .cer |
(blocked only in Outlook 2003 and later) |
| .chm |
Compiled
HTML Help file |
| .cmd |
Windows
NT Command script |
| .com |
MS-DOS
program |
| .cpl |
Control
Panel extension |
| .crt |
Security
certificate |
| .csh |
KornShell script file (blocked only in Outlook 2002 SP-2 and
Outlook 2000 SP-3 and later) |
| .exe |
Program |
| fxp |
Microsoft Visual FoxPro compiled program (blocked only in Outlook 2002
SP-2 and Outlook 2000 SP-3 and later) |
| .hlp |
Help
file |
| .hta |
HTML program |
| .inf |
Setup Information |
| .ins |
Internet
Naming Service |
| .isp |
Internet
Communication settings |
| .js |
JScript
Script file |
| .jse |
Jscript
Encoded Script file |
| .ksh |
KornShell script file (blocked only in Outlook 2002 SP-2 and
Outlook 2000 SP-3 and later) |
| .lnk |
Shortcut |
| .mda |
Microsoft Access add-in program (blocked only in Outlook 2002 and a
patched version of Outlook 2000) |
| .mdb |
Microsoft
Access program |
| .mdt |
Microsoft
Access workgroup information (blocked only in Outlook 2002 SP-1 and
Outlook 2000 SP-3 and later) |
| .mdw |
Microsoft
Access workgroup information (blocked only in Outlook 2002 SP-1 and
Outlook 2000 SP-3 and later) |
| .mde |
Microsoft
Access MDE database |
| .mdz |
Microsoft Access wizard program (blocked only in Outlook 2002 and a
patched version of Outlook 2000) |
| .msc |
Microsoft
Common Console document |
| .msi |
Windows
Installer package |
| .msp |
Windows
Installer patch |
| .mst |
Visual
Test source files |
| .ops |
Office
XP settings (blocked only in Outlook 2002 SP-1 and and Outlook 2000
SP-3 later) |
| .pcd |
Photo
CD image |
| .pif |
Shortcut
to MS-DOS program |
| .prf |
Microsoft Outlook profile settings (blocked only in Outlook 2002) |
| .prg |
Microsoft Visual FoxPro program (blocked only in Outlook 2002 SP-2
and Outlook 2000 SP-3) |
| .pst |
Microsoft
Outlook Personal Folders file (blocked only in Outlook 2000 SP-3) |
| .reg |
Registration
entries |
| .scf |
Windows Explorer command (blocked only in Outlook 2002) |
| .scr |
Screen
saver |
| .sct |
Windows
Script Component |
| .shb |
Shell Scrap Object |
| .shs |
Shell Scrap Object |
| .tmp |
Temporary file. (Blocked in Outlook 2002 SP3 and higher) |
| .url |
Internet
shortcut |
| .vb |
VBScript
file |
| .vbe |
VBScript
encoded script file |
| .vbs |
Visual
Basic Script file |
| .vsmacros |
Visual Studio .NET macro project file. (Blocked in Outlook 2002 SP3
and higher) |
| .vss |
Visio shapes and Visio stencils (Blocked in Outlook 2002 SP3 and
higher) |
| .vst |
Visio template (Blocked in Outlook 2002 SP3 and higher) |
| .vsw |
Visio workspace (Blocked in Outlook 2002 SP3 and higher) |
| .ws |
Windows script file (Blocked in Outlook 2002 SP3 and higher) |
| .wsc |
Windows
Script Component |
| .wsf |
Windows
Script file |
| .wsh |
Windows
Script Host Settings file |
|
 |
|
Automation Security
|
The "object model guard" feature of the patch imposes two extreme restrictions on automating Outlook
from add-ins that use either the Outlook object model or Simple
MAPI:
If an add-in tries to send an Outlook message, the user gets
a notification pop-up and must explicitly authorize or deny each
attempt to send. The user must wait 5 seconds before the
Yes button becomes available to click.
If an add-in tries to access address information in an
Outlook item or the
address book or to save an Outlook item as a file, the user gets a notification pop-up and can deny
access, authorize a one-time access or extend access for a
period of several minutes. PDA sync utilities are an
example of the kind of application that will be affected by this
restriction.
The object model guard applies even if your code is digitally
signed or running from a published Outlook form. The only way to
turn it off is via the
administrative options. Because of these restrictions, some Outlook features
become virtually unusable, because of the number of times the user
has to confirm the dialog boxes:
Sequential routing from Word
Mail merge to e-mail in Word
Automated mailing programs that use the Outlook Send method
See:
Applications Affected by the Outlook Email Security Update
OL2000: Known Issues with the Outlook E-mail Security Update
OL2000: Developer Information About the Outlook E-mail Security Update
INFO Developer Information About the
CDO E-mail Security Update
To avoid the prompts in applications that you
develop, you can use one of these
programming interfaces:
|
Extended MAPI |
Language for programming Outlook/Exchange
with C++ or Delphi only. |
|
Outlook
Redemption |
Provides a COM interface to Outlook
objects that avoids the "object model guard" of the Outlook
E-mail Security Update and exposes properties and methods not
available through the Outlook model, such as sender address and
Internet message headers. Several security features protect it
from being used by malicious programs to send Outlook mail. For
the redistributable version, it adds a Profman.dll component
with the ability to enumerate, add, delete, and modify Outlook
profiles using VB or VBScript.
Is
Redemption a security risk? Redemption's author, Outlook MVP
Dmitry Streblechenko, responded in the outlook-dev discussion
list to the topic
In My World Redemption Is A Security Risk. |
Visit Outlookcode.com
for assistance with programming issues.
Also see
Reinforcing Dialog-Based Security, a paper by two U.S. Air Force
Academy professors that demonstrates how to get around the object
model guard prompts using VBScript code and the SendKeys method to,
in effect, click the buttons on the prompts. For utilities that
takes a similar approach, see:
|
Advanced Security for Outlook |
Use Advanced Security for Outlook to learn what
programs are trying to access Outlook and permanently allow or
deny access to the program and the next time it requests access,
the action you choose will be automatically executed and Outlook
Security will not annoy you with messages about trying to access
e-mail addresses you have stored in Outlook. Freeware, available
in
English, German and Russian. Version 1. |
|
Dkms's
XP File splitter |
Source code included. The SetAddressingPermissions procedure
shows how to use SendKeys with Outlook security prompts.
|
|
Express
ClickYes |
Clicks the security dialog buttons automatically, but can be
set to start in a suspended state. Developers can activate
and suspend automatic clicking of the security dialogs
programmatically. (HINT: Use &H2 instead of WM_CLOSE) Free. |
If
you get the security prompt constantly in a Defense Messaging System
environment, see
OL DMS 3.0 Users Receive Security Prompt When Using Outlook 2000 SR1
or Outlook 2002. |
 |
|
Outlook Forms Security
|
With the patch applied, script on unpublished or
one-off Outlook forms will not
run. Users will no longer see an Enable/Disable Macros prompt.
With the security patch in place or with Outlook 2002, this means
that you should never check the Send form definition with item
box on the Properties page of a message form, since this will cause
the form to one-off. Instead, you should make sure that the
recipient has access to the published form.
|
 |
|
Outlook Security Zone
|
The patch puts Outlook into the Restricted Sites security zone and
disables scripting for the Restricted Sites zone. (The
original default setting for both Outlook 98 and Outlook 2000 is the
Internet zone.) For more information, see:
OL2000: Security Zones in Outlook 2000
Description of Internet Explorer Security Zones Registry Entries
|
 |
|
Other Changes
|
The patch changes the setting for macro security for Word, Excel and
PowerPoint to High. See:
XL2000: Changed Macro Behavior with Excel Files
The Outlook 98 version of the patch removes the CDO
(Collaboration Data Objects) component, which is often used by
Outlook-related applications.
You
won't be able to edit embedded objects that you receive in rich-text
format messages. However, you may be able click Forward and edit the
embedded object in the copy to be forwarded. See
OL2002 Can't Edit an Embedded Object in Rich Text Message. |
 |
|
Affected Applications
|
Applications Affected by the Outlook Email Security Update
E-mail
Security Update Could Hinder Accessibility Aids
|
 |
|
Known Problems
|
The main problem is, of course, that users decide they need the
blocked attachments after they've applied the patch. See Opening .exe Attachments with the Microsoft Outlook E-mail Security Patch.
These other problems are fixed in Office 2000 SP-2:
OL2000 Long Name Attachment Causes Outlook to Stop Responding
Outlook Does Not Exit After You Open an Embedded Object
|
 |
|
More Information
|
Administrative Options for the Microsoft Outlook E-mail Security Patch
Protecting Microsoft Outlook against Viruses
Attachment Security Update for Microsoft Outlook
-- If you want less intrusive protection from potentially
harmful attachments OL97 The Outlook E-mail Security Update Is Not Available for Outlook 97
OL2000 Administrator Information About the Outlook E-mail Security Update
OL98:
Administrator Information About the Outlook E-mail
Security Update
Customizing
the Outlook 98/2000 E-mail Security Update
OL2002 Cannot Access Attachments
Outlook Security Patch Installation Guide (ZDNet)
Outlook
98 and Outlook 2000 E-mail Security Update (Support WebCast)
How to Apply the Outlook E-Mail Security Update to an Administrative Installation Image
Outlook E-mail Security Update (Exchange Administrator)
If you want to provide feedback on the security update, you can
write
Microsoft. |
This page is printer friendly Updated
Mar 09 2008
|
|
Copyright Slipstick Systems. All rights reserved.
Send comments using our Feedback page
|
|
Home
| What's New | Exchange
Server | Outlook | Utilities
| Bookstore
About Slipstick | Feedback
| Privacy Policy | Site Map
| Archived Pages
| Link to Us |
Advertise
|