Microsoft recommends that you are familiar with the basic
features of the Outlook E-mail Security Update before you read this article.
General information about the Outlook E-mail Security Update is provided at the
following Microsoft Web site:
For additional information about the
Outlook E-mail Security Update, click the article number below to view the
article in the Microsoft Knowledge Base:
OL98: Information About the Outlook E-mail Security Update
This article describes the behavior of Outlook
after you apply the security update. Administrators can configure client
computers so that they do not contain all of these restrictions. As a
developer, you need to be familiar with the administrative options that are
available with this security update.
For additional information
about how to override the restrictions imposed by the security update, click
the article number below to view the article in the Microsoft Knowledge Base:
OL98: Administrator Information About the Outlook E-mail Security Update
The Outlook E-mail Security Update provides Outlook with
additional levels of protection against malicious e-mail messages. The update
directly affects the way that many Outlook features function, and it may
adversely affect solutions that you built by using developer features that are
included in Outlook and other messaging technologies or Application Programming
Interfaces (APIs). If you have created any type of solution by using Microsoft
messaging technologies, Microsoft recommends that you become familiar with the
changes that the security update makes to Outlook and how those changes may
affect your solution. In some cases, solutions do not function at all; in other
cases, solutions may result in a warning message that interrupts your solution
when you try to run it.
The security update changes Outlook and
general messaging functionality in the following areas:
- General attachment behavior (from the end-user
- The Outlook object model
- Other areas in Outlook that are related to
- The Collaboration Data Objects (CDO) object
- Simple Messaging Application Programming Interface (Simple MAPI)
This security update affects all custom solutions that use the
Outlook object model and Simple MAPI. This includes the following:
- Outlook custom forms that are published to any folder or
forms library, including the Organizational Forms Library.
- Any other type of development project that uses the Outlook
object model or Simple MAPI, even if the project is digitally
Outlook Object Model Design Changes
Attachments with Level 1, or "unsafe," file extensions are not
accessible in the Outlook object model, specifically:
- The Attachments collection in the object model is unaware of unsafe
- If you try to send mail programmatically with one of these
attachments, the mail is not sent. If the program is written in the C or C++
programming languages, you receive the MAPI_E_CANCELLED return code.
- If you attempt to open an unsafe file system object (or
"freedoc" file) by using the Outlook object model, you receive the E_FAIL
return code in the C or C++ programming languages. Previously, you could open
an unsafe file system object by using the Display method in the Outlook object model.
When you run a program that uses the Outlook object model to call
the Send method, you receive a warning message. This warning message tells you
that a program is trying to send mail on your behalf and asks if you want to
allow the message to be sent. The warning message contains both a Yes and a No
button; however, the Yes button is not available until five seconds have passed
since the warning message appeared. The warning message can be dismissed
immediately if you click No. When you click No, the Send method returns an
E_FAIL error in the C or C++ programming
Accessing Address Books and Recipients
If a program tries to reference any type of recipient information
by using the Outlook object model, a dialog box is displayed that asks you to
confirm access to this information. You can allow access to the address book or
recipient information for up to ten minutes after you receive the dialog box.
This allows features, such as mobile device synchronization, to be completed.
If you decide not to allow access to your address book or recipient
information, you receive the E_FAIL return code for all of these messages in
the C or C++ programming languages.
You receive the confirmation
dialog box when a solution tries to programmatically access the following
features of the Outlook object model:
- The AddressEntries collection or any AddressEntry object.
- The Recipients collection or any Recipient object.
- The following properties of a ContactItem object:
- The following properties of a MailItem object:
- The following properties of an AppointmentItem object:
- The following properties of a TaskItem object:
- The GetMember method of a DistListItem object.
- The ContactNames property of a JournalItem object.
- The SenderName property of a MeetingItem object.
- The SenderName property of a PostItem object.
- The GetRecipientFromID property of a Namespace object.
- The Execute method of an Action object.
- The Formula property of a UserProperty object.
When you use the SaveAs method to save items to the file system, you receive an "address
book" warning message. This includes all types of items whether or not the
items have attachments or active content. This change has been made so that you
cannot programmatically save items to a file and then parse the file to
retrieve e-mail addresses.
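One way for calling code to cope with the Send prompt and the address book prompt described above, as an added example that is not from the original article. The TrySendMail function and its RESULT_ constants are hypothetical names, and the code assumes that a declined prompt reaches Visual Basic for Applications as a trappable run-time error (the article documents only the E_FAIL return code for C or C++).

```vba
' Added example, not Microsoft's code. Names below are hypothetical.
' Assumption: a declined security prompt raises a trappable run-time error.
Public Const RESULT_SENT As Long = 0
Public Const RESULT_RECIPIENTS_BLOCKED As Long = 1
Public Const RESULT_SEND_BLOCKED As Long = 2
Public Const RESULT_OTHER_FAILURE As Long = 3

Public Function TrySendMail(ByVal sTo As String, ByVal sSubject As String, _
                            ByVal sBody As String) As Long
    Dim ol As Object, oMsg As Object, oRecip As Object

    TrySendMail = RESULT_OTHER_FAILURE
    On Error Resume Next

    Set ol = CreateObject("Outlook.Application")
    If Err.Number <> 0 Then GoTo Cleanup

    Set oMsg = ol.CreateItem(0)              ' 0 = olMailItem
    oMsg.Subject = sSubject
    oMsg.Body = sBody
    If Err.Number <> 0 Then GoTo Cleanup

    ' Touching the Recipients collection triggers the address book prompt.
    ' Any failure at this step is reported as a blocked recipient access.
    Set oRecip = oMsg.Recipients.Add(sTo)
    If Err.Number <> 0 Then
        TrySendMail = RESULT_RECIPIENTS_BLOCKED
        GoTo Cleanup
    End If

    ' Send triggers the second prompt; the user can click No at once,
    ' while Yes stays unavailable for the first five seconds.
    oMsg.Send
    If Err.Number <> 0 Then
        TrySendMail = RESULT_SEND_BLOCKED
    Else
        TrySendMail = RESULT_SENT
    End If

Cleanup:
    Err.Clear
    On Error GoTo 0
    Set oRecip = Nothing
    Set oMsg = Nothing
    Set ol = Nothing
End Function
```

A caller can log the returned value and tell the user why the message was not sent instead of failing with an unhandled error when a prompt is declined.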
Send CommandBar Button
It is no longer possible to use the Execute method to programmatically
click the Send button on the Outlook toolbar. Although this is not commonly
done in Outlook solutions, this change has been made to prevent malicious use.
You receive the E_FAIL return code for all of these messages in the C or C++
Outlook does not allow access to certain dialog boxes by using
the Visual Basic or Visual Basic for Applications SendKeys command. This
prevents malicious programs from automatically dismissing the warning messages
and circumventing the new security features.
VBScript in Unpublished Forms No Longer Runs
When you create a custom Outlook form, you can choose to directly
embed Visual Basic Scripting Edition (VBScript) within an item. You may do this
if other users cannot get access to a published form. These types of forms are
called "one-off" forms.
For additional information about one-off forms, click the article number below to view the
article in the Microsoft Knowledge Base:
OL98: Working with Form Definitions and One-Off Forms
When you open one of these items in a version of
Outlook that does not have the update applied to it, Outlook displays a
security warning message that asks if you want to enable or disable the code in
the form. When you use a version of Outlook that has the update applied to it,
Outlook disables the code and you cannot activate it. If you want to use a
script written in VBScript in a custom form, the custom form must be published
to the Organizational Forms Library or to a public folder on a Microsoft
Exchange Server computer. You can also distribute the custom form and install
it in a local forms library on individual client computers.
Office Applications Are Reset to High Security
To help protect against harmful macro viruses that may be in
Microsoft Office documents, the security update puts the following list of
Office programs into "high security" mode.
NOTE: For the typical Microsoft Office 97 program, you are asked if
you want to run macros. For the typical Microsoft Office 2000 program, macros
cannot run unless they are signed and trusted. If the macros are signed and
trusted, you are not asked if you want to run the macros.
- Microsoft Outlook 2000 only. Visual Basic for Applications
was not included with Outlook 98.
- Microsoft Word 97 and Microsoft Word 2000. By default, Word
is in high security mode in Office 2000.
- Microsoft Excel 97 and Microsoft Excel 2000.
- Microsoft PowerPoint 97 and Microsoft PowerPoint
Microsoft Access has no equivalent settings for macro security
and is therefore not affected. As a result, all Access document types are
included in the list of unsafe file extensions that cannot be accessed.
Outlook and HTML Mail
The security update puts Outlook into the "restricted zone" by
default. If you open an e-mail message that is in Hypertext Markup Language
(HTML) format, and the HTML contains script, the script runs within the context
of the Internet security settings.
NOTE: This is one difference between Outlook 98 and Outlook 2000. When
you use Outlook 98, active content runs as long as security settings are set
adequately low. With the Outlook E-mail Security Update installed, Outlook 2000
completely disables script in HTML e-mail messages, regardless of the Internet
Simple MAPI Design Changes
When Outlook is installed on a computer as the default Simple
MAPI client, Outlook processes requests that are made by using Simple MAPI
calls. Therefore, when you install the Outlook E-mail Security Update, changes
are made to the way that Simple MAPI calls are handled. By default, if you use
many Simple MAPI functions you receive a warning message that says a program is
trying to either access recipient information or send mail on your
The following list describes how Outlook responds to Simple
Simple MAPI call    Behavior if handled by Outlook
MAPISendMail        OK with the MAPI_DIALOG argument, otherwise prompt
For more information about the Simple MAPI calls,
see the following article on the Microsoft Web site:
CDO Design Changes
The Outlook 98 E-mail Security Update removes the CDO object
model if it has been previously installed on the Outlook 98 computer. This
differs from the Outlook 2000 E-mail Security Update, which does not remove the
CDO object model from the computer.
A CDO E-mail Security Update has
been released for Outlook 98.
For additional information about the CDO
update, click the article number below to view the article in the Microsoft
OL98: Information About the CDO E-mail Security Update
Common Messaging Calls No Longer Supported
After you install the Outlook E-mail Security Update, Common
Messaging Calls (CMC) no longer function. The CMC interface is a set of ten
functions that enables you to add simple messaging capabilities to your custom
program quickly. For example, your program can send a message with a single CMC
function call and receive a message with two CMC function calls.
For additional information about CMC, see the following Microsoft Web site:
Microsoft does not intend to re-implement this functionality and
therefore recommends that you do not use CMC in messaging solutions.
Designing Solutions With the Security Update
There is no direct, programmatic way to determine which security
update features a user has enabled. However, depending on your solution, you
may be able to use one or more of the following approaches to determine if the
security update has been installed.
Determine the Outlook Build Number
You can programmatically determine the version of Outlook to see
if the security update has been applied to Outlook. However, this does not
directly tell you whether an administrator has granted the user any "override"
capabilities. The following Outlook Visual Basic for Applications code example
illustrates how you can determine the version of Outlook that is installed.
Set ol = CreateObject("Outlook.Application")
' The build number is the four digits that start at position 5 of the version string
iBuild = Int(Mid(ol.Version, 5, 4))
' NOTE: The version number format changed between Outlook 98 and 2000
If iBuild >= 7806 Then
   UpdateApplied = True
Else
   UpdateApplied = False
End If
Set ol = Nothing
This code does not function in Microsoft Outlook 97 because that
version did not contain a Version property in the object model.
Determine the Mail Delivery Location
You may want to verify that Outlook is delivering mail to a
Personal Folders file (.pst). If mail is being delivered to a Personal Folders
file, all of the security update features are in effect. The following Outlook
automation code sample illustrates how you can determine if a user's mail is
delivered to a mailbox or Personal Folders file.
Set ol = CreateObject("Outlook.Application")
Set oInbox = ol.Session.GetDefaultFolder(6) ' 6 = olFolderInbox
' The parent of the Inbox is named "Mailbox - <user>" when mail is delivered to a mailbox
If InStr(oInbox.Parent.Name, "Mailbox - ") Then
   UsingPST = False
Else
   UsingPST = True
End If
Set oInbox = Nothing
Set ol = Nothing