MORE INFORMATION

The Microsoft Outlook E-mail Security Update significantly changes the way Outlook handles attachments. It also changes the way that Outlook handles requests for programmatic access. Because of the new design, any feature or program that uses any of the following features may behave differently after you install the security update:

• Attachments
• The Outlook object model
• Simple Messaging Application Programming Interface, or Simple MAPI

For additional information about the Microsoft Outlook E-mail Security Update, click the article number below to view the article in the Microsoft Knowledge Base:

For additional information about how the update affects developers and custom solutions, click the article number below to view the article in the Microsoft Knowledge Base:

After you apply the Outlook E-mail Security Update, various Outlook features and programs that integrate with Outlook cause a warning message to appear that asks you to confirm the action. You must confirm the action for the feature to work. Unless an administrator has overridden these default settings for you, you cannot alter this behavior. In some situations, the prompts may cause a feature to take longer to complete because you must approve the action repeatedly.

To prevent worm viruses, such as the ILOVEYOU virus, from quickly spreading, Microsoft has restricted features that can potentially be used to write virus in Outlook. Microsoft is evaluating the security features in Outlook and other general messaging functionality for future versions of Microsoft products.

Mail Merge

Various mail merge features generate address book warning messages if you are merging with Outlook contact information. You can allow access to the address book information for up to 10 minutes, and you do not receive address book warning messages again for that period of time.

Mail Merge to E-mail or Fax

When you create a mail merge to e-mail or fax by using your Contacts folder, you must eventually use Microsoft Word to complete the mail merge. After you start the actual merge, you receive a warning message which indicates that a program is trying to access your address book. You can allow access for up to 10 minutes, and you do not receive address book warning messages again for that period of time. However, a separate warning message for each e-mail message that you send appears and you must wait five seconds before you can confirm the send process. For example, if you generate a mail merge to e-mail that is being sent to 100 people, it takes over eight minutes and you must approve each of the e-mail messages every five seconds. This is a limitation of the current design and improvements are being evaluated for the next version of Microsoft Office.

Net Folder Invitations

You may receive an address book warning message when you send a new subscription. Other users also receive an address book warning message when they receive a new subscription request. Although you may receive a warning message, the Net Folder feature works correctly.

Space Takes the Place of an Attachment

If you use e-mail messages in Outlook Rich Text format, attachments are included within the text of the message. When Outlook blocks an attachment, a space is left in its place.

"Unsafe" Attachment Forwarding

If you forward a message with an "unsafe" or Level 1 attachment, the attachment is not included with the forwarded message. This is by design.

How To Remove "Unsafe" Attachments

To remove an "unsafe" attachment from an e-mail message so that the attachment does not use more storage space than necessary, forward the message to yourself. The forwarded message does not contain the attachment, and you may then delete the original message to reclaim the storage space.

Journal Items and Custom Forms

You cannot see warning messages at the top of journal items or custom Outlook forms. For this reason, you do not see a visual notice that Outlook has blocked access to the attachment.

Information at the Top of the Message Is Limited to Four Lines

When you open an e-mail message, if the e-mail message includes more than four settings that are displayed at the top of the e-mail message, and the e-mail message contains an "unsafe" attachment, you do not see an information message at the top of the e-mail message.

Meeting and Task Request Limitations

If you are using either meeting requests or task requests and the task or appointment contains an "unsafe" attachment, Outlook does update the warning message at the top of the item to indicate that access to the attachment has been blocked. This behavior is a known limitation that specifically relates to meeting request and task request forms. In addition, you may see inconsistent behavior with attachments, whether or not an "unsafe" attachment is blocked in various circumstances when you use meeting requests and task requests. These limitations are caused by the architecture of Outlook and the request forms.

VBScript No Longer Runs in Template (.oft) Files

If you open an Outlook item template (.oft) file and it has script in it, the script is disabled and you do not receive the enable or disable macro warning message. This is a feature of the security update. To make this functionality work again, an Exchange Administrator should refer to Microsoft Knowledge Base article Q263296 listed in the References section of this article.

Quick View Behavior

Regardless of the file types that you add to the Level 2 list, you are able to use the Windows Quick View feature to see the contents of attachments. However, you cannot open attachments in this way.

Simple MAPI, Outlook, and CDO Do Not Share Time Settings

Because these three object models, or APIs, run in separate processes, they all maintain independent settings when users are prompted to allow access for a specific amount of time. For example, if a custom Outlook form contains Visual Basic Scripting Edition (VBScript) that uses both the Outlook and CDO object models, the user is prompted twice to specify the amount of time that the object model can be used; the user is prompted once for each object model.

Security Prompts Are Reset When You Restart Outlook

If you quit and then restart Outlook, you receive another prompt to allow access if another program requests access to the Outlook object model. When you allow access to the Outlook object model your computer does not store this information, so you are prompted again to allow access when you restart Outlook and a program requests access to the object model.

Collaborative Data Objects (CDO)

CDO is another object model that people who write viruses can use to send mail. The Microsoft Outlook 98 update removes CDO from your system to take away this risk, but the Outlook 2000 update cannot remove CDO.

Administrator Can Not Re-Enable the Send Button

The update restricts the use of the CommandBars object so that the object cannot programmatically click the Send button. There is no administrative option to remove this restriction. As a work around, you can change the appropriate options for programmatically sending mail by using the Send method.

Using Distribution List in the Outlook Security Form

If you type distribution lists in the Members box of the Outlook Security Form, security settings are not applied to each user in the distribution list. You must add users individually for the security settings to work.

Object Model Timer Applies to the Yes and No Buttons

If a program tries to access your address book, and you click to select the check box to allow access for 10 minutes, and then click No in the dialog box, access to your information is not allowed for 10 minutes. The timer applies if you click either the Yes button or the No button in the dialog box.

Information at the Top of the E-mail Message Does Not Display the File Name

After you attach an "unsafe" attachment to an e-mail message, you can change the properties of the attachment before you send it. This changes the file name that is displayed in the e-mail message, although it does not actually rename the attachment itself. When another user receives the item, the attachment is not available. However, the information message at the top of the e-mail message does not display the attachment's real file name; it displays the name of the file as it was set by the sender.