The Outlook E-mail Security Update provides additional
levels of protection against malicious e-mail messages. The update changes the
way that attachments are handled by Outlook, and the way that Outlook can be
controlled programmatically.
For more information about the update
and how it may affect the functionality of Outlook, this article includes links
to a known issues list, information for developers, information for
administrators, and other information to consider before you apply the update.
History of the Outlook Security Updates
This Outlook E-mail Security Update is the third
attachment-handling update for Outlook.
The first security attachment
update, the Outlook E-mail Attachment Security Update, requires that you save
certain file types to a disk.
For additional information about the first security
attachment update, click the article number below to view the article in the
Microsoft Knowledge Base:
235309 Outlook E-mail Attachment Security Update
The second update is available in Microsoft Outlook
2000 SR-1. While this update provides the same functionality as the previous
update, when you install this update, you can modify the list of file types
that must be saved to the file system or to a disk.
For additional information about attachment security
features that were added to Outlook 2000 SR-1, click the article number below
to view the article in the Microsoft Knowledge Base:
259228 OL2000: Attachment Security Features Included In SR-1/SR-1a
The Outlook E-mail Security Update changes and
extends attachment handling. For general information about this update, and to
download the update, please see the following Microsoft Web site:
Customizing the Behavior of the Security Update
If you are not running Outlook in an Exchange Server environment,
or your mail is delivered to a local Personal Folders file (.pst), you cannot
configure the settings for the update and you must use the full feature set of
the update.
If you run Outlook in a Microsoft Exchange Server
environment and your e-mail messages are delivered to a server-based mailbox,
your administrator can control specific features that are included with the
update. However, if your mail is delivered to a Personal Folders file (.pst),
then you cannot configure the settings for the update.
New Attachment Behavior
Attachments are divided into three groups based on their file
extension, or type. Outlook handles each group in a specific way:
Level 1 ("Unsafe")
The "unsafe" category represents any extension that may have
script or code associated with it. Any attachment with an "unsafe" file
extension is inaccessible if you use a version of Outlook that has the security
patch applied to it. The following list contains attachments that are
considered unsafe.
File extension   File type
---------------------------------------------------
.ade             Microsoft Access project extension
.adp             Microsoft Access project
.bas             Microsoft Visual Basic class module
.bat             Batch file
.chm             Compiled HTML Help file
.cmd             Microsoft Windows NT Command script
.com             Microsoft MS-DOS program
.cpl             Control Panel extension
.crt             Security certificate
.exe             Program
.hlp             Help file
.hta             HTML program
.inf             Setup Information
.ins             Internet Naming Service
.isp             Internet Communication settings
.js              JScript file
.jse             JScript Encoded Script file
.lnk             Shortcut
.mdb             Microsoft Access program
.mde             Microsoft Access MDE database
.msc             Microsoft Common Console document
.msi             Microsoft Windows Installer package
.msp             Microsoft Windows Installer patch
.mst             Microsoft Visual Test source files
.pcd             Photo CD image, Microsoft Visual compiled script
.pif             Shortcut to MS-DOS program
.reg             Registration entries
.scr             Screen saver
.sct             Windows Script Component
.shb             Shell Scrap object
.shs             Shell Scrap object
.url             Internet shortcut
.vb              VBScript file
.vbe             VBScript Encoded script file
.vbs             VBScript file
.wsc             Windows Script Component
.wsf             Windows Script file
.wsh             Windows Script Host Settings file
After you install Office 2000 Service Pack 3, the
following file types are also considered Level 1 ("unsafe"):
File extension | File type |
---|---|
.app | Visual FoxPro Application |
.fxp | Visual FoxPro Compiled Program |
.prg | Visual FoxPro Program |
.mdw | Microsoft Access Workgroup Information |
.mdt | Microsoft Access Workgroup Information |
.ops | Office XP settings |
.ksh | Unix shell extension |
.csh | Unix shell extension |
For additional information about how to
download and install the Office 2000 Service Pack 3 (SP-3), click the following
article number to view the article in the Microsoft Knowledge Base:
326585 OFF2000: Overview of the Office 2000 Service Pack 3
NOTE: The list of files that are included in the Level 1 category can
only be changed if you are using Outlook in a Microsoft Exchange Server
environment and your mail is being delivered to an Exchange Server mailbox.
These changes must be made by an administrator.
The following list
describes how Outlook functions when you receive an "unsafe" file attachment:
- Any "unsafe" attachment is not accessible after you install
the update. You cannot save, delete, open, print, or otherwise manipulate
"unsafe" files. The top of the e-mail message indicates that Outlook has
blocked access to the "unsafe" attachment. The attachment is not accessible
from Outlook; however, it is not actually removed from the e-mail
message.
- If you forward an e-mail message with an "unsafe"
attachment, the attachment is not included in the forwarded e-mail
message.
- If you send an e-mail message that contains an "unsafe"
attachment, you receive a warning message that says other Outlook recipients
may not be able to access the attachment that you are trying to send. You can
either disregard the warning message and send the e-mail message, or you can
choose to not send the e-mail message.
- If you save an e-mail message that contains an "unsafe"
attachment, you receive a warning message that says you may not be able to
access the attachment from Outlook. You can override the warning message and
save the e-mail message.
- You cannot open objects that are inserted into Outlook Rich
Text messages by using the Insert Object command. You do see a visual representation of the object, but
you cannot open or activate the object in the e-mail message.
- You cannot open "unsafe" files that have been directly
stored in an Outlook or Exchange Server folder. Although these files are not
attached to an Outlook item, they are still considered "unsafe."
Level 2
Level 2 files are not "unsafe" but they do require more security
than other attachments. When you receive a Level 2 attachment, you are prompted
to save the attachment to a disk; you cannot open the attachment from within
the message. By default, no file extensions are associated with this group;
however, you can add file extensions to the Level 2 list.
NOTE: The list of files that are included in the Level 2 category can
only be changed if you are using Outlook in a Microsoft Exchange Server
environment and your mail is being delivered to an Exchange Server mailbox.
These changes must be made by an administrator.
Other Attachments
When you try to open an attachment other than those in the
"unsafe" or Level 2 lists, you are prompted to either open the file directly or
to save it to a disk. You can turn off future prompts for that extension if you
click to clear the
Always ask before opening this type of file check box.
NOTE: If a program associates itself with a new file extension, that
file extension is treated as an "other" attachment until you add the file
extension to the "unsafe" list. For example, if you install a program on your
computer that uses files with an .xyz file extension, whenever you open an
attachment that has an .xyz file extension, the new program opens and runs the
attachment. By default, the .xyz file extension is not on the "unsafe" or Level
2 list, so it is treated as an "other" file extension. If you want attachments
with the .xyz file extension to be treated as "unsafe," you must add the .xyz
file extension to the list of "unsafe" file extensions.
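The three-level classification above, applied to the attachments of a saved message, is one way to find items that need saving before the update is installed. This Python audit is an added example, not part of the original article and not Microsoft's code; the function names, the case-insensitive match on the final extension, and the sample message are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Level 1 extensions copied from the two tables above (base list plus Office 2000 SP-3).
LEVEL1 = frozenset("""
ade adp bas bat chm cmd com cpl crt exe hlp hta inf ins isp js jse lnk mdb mde
msc msi msp mst pcd pif reg scr sct shb shs url vb vbe vbs wsc wsf wsh
app fxp prg mdw mdt ops ksh csh
""".split())


def extension(filename):
    """Final extension, lower-cased, without the dot ('' if there is none)."""
    # Assumption: trailing dots and spaces are ignored, as Windows drops them on save.
    name = filename.strip().rstrip(". ")
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def classify(filename, extra_level1=(), level2=()):
    """Return 'level1', 'level2' or 'other'; the extra lists model administrator changes."""
    ext = extension(filename)
    if ext in LEVEL1 or ext in {e.lower().lstrip(".") for e in extra_level1}:
        return "level1"
    if ext in {e.lower().lstrip(".") for e in level2}:
        return "level2"  # empty by default, as the article states
    return "other"


def audit(raw, **lists):
    """List (file name, level) for every attachment in one RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename(), classify(p.get_filename(), **lists))
            for p in msg.iter_attachments() if p.get_filename()]


def build_sample():
    """Constructed message with four attachments (sample data, not from the article)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    for name in ("report.doc", "Setup.EXE", "photo.jpg.vbs", "data.xyz"):
        msg.add_attachment(b"x", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    # .xyz is "other" until an administrator adds it to the "unsafe" list.
    for name, level in audit(build_sample(), extra_level1=[".xyz"], level2=[".zip"]):
        print(f"{level:7} {name}")
```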
New Programmability Behavior
When you install the update, programmatic access to Outlook is
restricted. If other applications try to use Outlook on your behalf, you
receive a warning message and you are prompted to confirm what the other
application is doing. You receive warning messages when another application
tries to do anything in the following list:
- Send mail on your behalf
- Access your address book
- Access e-mail names from your messages
- Access e-mail information from your contacts or other types
of items
- Save your messages to the file system
- Search your messages for content
- Use Simple Messaging Application Programming Interface,
Simple MAPI, to send messages without your consent
The update may affect how other applications interact with
Outlook by changing the default security zone settings from "Internet" to
"restricted," and by automatically disabling script in Hypertext Markup
Language (HTML) e-mail messages and unpublished custom Outlook forms.
For additional information about
developer-related updates and how they may impact third-party products and
custom Outlook solutions, click the article number below to view the article in
the Microsoft Knowledge Base:
262701 OL2000: Developer Information About the E-mail Security Update
Known Issues
For additional information about
known issues for the Outlook E-mail Security Update, click the article numbers
below to view the articles in the Microsoft Knowledge Base:
262634 OL2000: Known Issues with the Outlook E-mail Security Update
264128 OL2000: Known Interoperability Issues with the Outlook E-mail Security Update
264130 OL2000: Known Third-Party Issues with the Outlook E-mail Security Update
Installation Considerations
Before you install the Outlook E-mail Security Update, Microsoft
recommends that you understand how the update will affect the way that Outlook
handles attachments and other applications:
- Several Outlook features no longer work. For a detailed
list of issues, refer to the "Known Issues" section in this article.
- Any process or program that you use to automate Outlook may
function differently and the process or program may not work. This includes
synchronization utilities for handheld devices and any program that has
mail-based features or features based on attachments.
- If you use Outlook in Internet Mail Only mode, or if your
e-mail messages are delivered to a Personal Folders file (.pst), you cannot
disable any of the features that are included with this update. If you decide
to install the update, you will receive all of the new features.
- If you have "unsafe" attachments with file extensions that
are on the "unsafe" list in any of your existing Outlook items (e-mail
messages, contacts, tasks, and so on), the items are not accessible. Before you
install the update, Microsoft recommends that you save all of the items with
file names that are on the "unsafe" list to ensure that you can access the
files after you install the update.
- You must have Outlook 2000 SR-1 installed on your computer
to install the update.
- The update is an integral part of the Outlook installation.
If you want to uninstall the update, you must completely uninstall the software
that Outlook was installed from. For example, if Outlook was installed as part
of Microsoft Office Premium Edition, you must uninstall and then reinstall
Microsoft Office Premium Edition to uninstall the update; you cannot just
uninstall and then reinstall Outlook.
- The original attachment security update, the Outlook E-mail
Attachment Security Update, and the Outlook 2000 SR-1 enhancements are
available. For more information about how to obtain a previous version of the
attachment security update, see the "History of the Outlook Security Updates"
section in this article.
File Attributes
After the fix is installed, the English-language version of this
fix will have the file attributes (or later) that are listed in the following
table. The dates and times for these files are listed in coordinated universal
time (UTC). When you view the file information, it is converted to local time.
To find the difference between UTC and local time, use the
Time Zone tab in the "Date and Time" tool in Control Panel.
Date         Time   Version           Size  File Name
--------------------------------------------------------------
14-Jun-2000  14:11  1.0.3.27        41,472  Bjablr32.dll
14-Jun-2000  14:12  3.2.0.27        61,952  Bjlog32.dll
08-Jan-2001  18:37  1.0.3.28        98,304  Bjsrch32.dll
19-Jun-2000  15:12  5.5.2652.65    808,720  Cdo.dll
16-Nov-2000  05:25  9.0.0.4715     122,931  Contab32.dll
14-Jun-2000  14:14  1.0.3.27       183,808  Emablt32.dll
31-Aug-2000  16:43  5.5.3142.0     154,112  Emsabp32.dll
25-May-2001  23:56  5.5.3158.0     594,192  Emsmdb32.dll
01-Jun-2001  22:15  5.5.3159.0     131,344  Emsui32.dll
02-Jun-2000  07:45  9.0.0.4201      86,067  Envelope.dll
10-May-2001  02:35  5.5.3156.0     540,944  Exsec32.dll
05-Apr-2000  16:02  9.0.0.4005     192,561  Mimedir.dll
21-May-2001  15:20  5.5.3157.0     792,576  Msmapi32.dll
03-Aug-2000  12:39  9.0.0.4402   5,595,185  Mso9.dll
08-Jul-2000  00:07  5.5.3138.0     602,384  Mspst32.dll
31-Jan-2000  22:56  9.0.0.3731     196,661  Oladd.fae
30-May-2000  15:53                  26,643  Olsec9.chm
08-Feb-2001  14:21  5.5.3153.0     548,352  Omint.dll
01-Jun-2001  22:15  8.30.3157.0    782,608  Outex.dll
15-Jun-2001  03:30  9.0.0.5414   5,328,946  Outllib.dll
15-Jun-2001  03:31  9.0.0.5414   1,675,315  Outllibr.dll
25-May-2001  23:50  9.0.5324.0     368,691  Pstprx32.dll
07-Jul-2000  15:41  9.0.0.4307      73,772  Rm.dll
02-Jun-2000  08:30  9.0.0.4201      65,586  Sendto9.dll