The Microsoft Outlook E-mail Security Update significantly
changes the way Outlook handles attachments. It also changes the way that
Outlook handles requests for programmatic access. Because of the new design,
any feature or program that uses any of the following features may behave
differently after you install the security update:
- Attachments
- The Outlook object model
- Simple Messaging Application Programming Interface, or
Simple MAPI
For additional information about the Microsoft Outlook E-mail
Security Update, click the article number below to view the article in the
Microsoft Knowledge Base:
262631 OL2000: Information About the Outlook E-mail Security Update
For additional information about how the update affects
developers and custom solutions, click the article number below to view the
article in the Microsoft Knowledge Base:
262701 OL2000: Developer Information About the Outlook E-mail Security Update
After you apply the Outlook E-mail Security Update,
various Outlook features and programs that integrate with Outlook cause a
warning message to appear that asks you to confirm the action. You must confirm
the action for the feature to work. Unless an administrator has overridden
these default settings for you, you cannot alter this behavior. In some
situations, the prompts may cause a feature to take longer to complete because
you must approve the action repeatedly.
To prevent worm viruses, such
as the ILOVEYOU virus, from quickly spreading, Microsoft has restricted
features that can potentially be used to write virus in Outlook. Microsoft is
evaluating the security features in Outlook and other general messaging
functionality for future versions of Microsoft products.
Mail Merge
Various mail merge features generate address book warning
messages if you are merging with Outlook contact information. You can allow
access to the address book information for up to 10 minutes, and you do not
receive address book warning messages again for that period of time.
Mail Merge to E-mail or Fax
When you create a mail merge to e-mail or fax by using your
Contacts folder, you must eventually use Microsoft Word to complete the mail
merge. After you start the actual merge, you receive a warning message which
indicates that a program is trying to access your address book. You can allow
access for up to 10 minutes, and you do not receive address book warning
messages again for that period of time. However, a separate warning message for
each e-mail message that you send appears and you must wait five seconds before
you can confirm the send process. For example, if you generate a mail merge to
e-mail that is being sent to 100 people, it takes over eight minutes and you
must approve each of the e-mail messages every five seconds. This is a
limitation of the current design and improvements are being evaluated for the
next version of Microsoft Office.
Team Folders
Outlook Team Folders use the Outlook object model for various
tasks. You are prompted to confirm access in various tasks that you do by using
Team Folders, including setting permission to information, sending e-mail
messages, and creating the Team Folder. If you confirm access to your address
book and confirm to send e-mail messages, the Team Folders features work as
expected. If you deny access, you may receive a script error message.
Digital Dashboards
Digital Dashboards typically have script in their Hypertext
Markup Language (HTML) pages. If the script references parts of the Outlook
object model that are restricted by the security update, you receive prompts to
confirm access when you use the dashboard. If you click
No in the confirmation dialog boxes, the Digital Dashboard pages do
not work because they do not have error handling for this new behavior.
Net Folder Invitations
You may receive an address book warning message when you send a
new subscription. Other users also receive an address book warning message when
they receive a new subscription request. Although you may receive a warning
message, the Net Folder feature works correctly.
Space Takes the Place of an Attachment
If you use e-mail messages in Outlook Rich Text format,
attachments are included within the text of the message. When Outlook blocks an
attachment, a space is left in its place.
"Unsafe" Attachment Forwarding
If you forward a message with an "unsafe" or Level 1 attachment,
the attachment is not included with the forwarded message. This is by design.
How To Remove "Unsafe" Attachments
To remove an "unsafe" attachment from an e-mail message so that
the attachment does not use more storage space than necessary, forward the
message to yourself. The forwarded message does not contain the attachment, and
you may then delete the original message to reclaim the storage space.
Journal Items and Custom Forms
You cannot see warning messages at the top of journal items or
custom Outlook forms. For this reason, you do not see a visual notice that
Outlook has blocked access to the attachment.
Information at the Top of the Message Is Limited to Four Lines
When you open an e-mail message, if the e-mail message includes
more than four settings that are displayed at the top of the e-mail message,
and the e-mail message contains an "unsafe" attachment, you do not see an
information message at the top of the e-mail message.
Meeting and Task Request Limitations
If you are using either meeting requests or task requests and the
task or appointment contains an "unsafe" attachment, Outlook does update the
warning message at the top of the item to indicate that access to the
attachment has been blocked. This behavior is a known limitation that
specifically relates to meeting request and task request forms. In addition,
you may see inconsistent behavior with attachments, whether or not an "unsafe"
attachment is blocked in various circumstances when you use meeting requests
and task requests. These limitations are caused by the architecture of Outlook
and the request forms.
The Setup "Run From" Location Changes
If you have Outlook installed to run locally, apply the security
update, and then click
Run from Server to change Outlook to
run from your server, the security update feature set is not available, and you
cannot reapply the update on that computer. You must change the "Run From"
setting back to "Locally" by using Office or Outlook Setup.
VBScript No Longer Runs in Template (.oft) Files
If you open an Outlook item template (.oft) file, and it has
script in it, the script is disabled and you do not receive the enable or
disable macro warning message. This is a feature of the security update. To
make this functionality work again, an administrator must configure your
computer so that you are prompted to run the script or not to run the script.
Quick View Behavior
Regardless of the file types that you add to the Level 2 list,
you are able to use the Windows Quick View feature to see the contents of
attachments. However, you cannot open attachments in this way.
Simple MAPI, Outlook, and CDO Do Not Share Time Settings
Because these three object models, or APIs, run in separate
processes, they all maintain independent settings when users are prompted to
allow access for a specific amount of time. For example, if a custom Outlook
form contains Visual Basic Scripting Edition (VBScript) that uses both the
Outlook and CDO object models, the user is prompted twice to specify the amount
of time that the object model can be used; the user is prompted once for each
object model.
Security Prompts Are Reset When You Restart Outlook
If you quit and then restart Outlook, you receive another prompt
to allow access if another program requests access to the Outlook object model.
When you allow access to the Outlook object model your computer does not store
this information, so you are prompted again to allow access when you restart
Outlook and a program requests access to the object model.
Collaborative Data Objects (CDO)
CDO is another object model that people who write viruses can use
to send mail. The Microsoft Outlook 98 update removes CDO from your system to
take away this risk, but the Outlook 2000 update cannot remove CDO. Microsoft
recommends that you manually uninstall CDO by using the Add-Remove tool in
Outlook or Office Setup.
Administrator Can Not Re-Enable the Send Button
The update restricts the use of the CommandBars object so that
the object cannot programmatically click the
Send button. There is no administrative option to remove this
restriction. As a work around, you can change the appropriate options for
programmatically sending mail by using the
Send method.
Using Distribution List in the Outlook Security Form
If you type distribution lists in the
Members box of the Outlook Security Form, security settings are not
applied to each user in the distribution list. You must add users individually
for the security settings to work.
Object Model Timer Applies to the Yes and No Buttons
If a program tries to access your address book, and you click to
select the check box to allow access for 10 minutes, and then click
No in the dialog box, access to your information is not allowed for
10 minutes. The timer applies if you click either the
Yes button or the
No button in the dialog box.
Information at the Top of the E-mail Message Does Not Display the File Name
After you attach an "unsafe" attachment to an e-mail message, you
can change the properties of the attachment before you send it. This changes
the file name that is displayed in the e-mail message, although it does not
actually rename the attachment itself. When another user receives the item, the
attachment is not available. However, the information message at the top of the
e-mail message does not display the attachment's real file name; it displays
the name of the file as it was set by the sender.