MORE INFORMATION

The Microsoft Outlook E-mail Security Update significantly changes the way Outlook handles attachments. It also changes the way that Outlook handles requests for programmatic access. Because of the new design, any feature or program that uses any of the following features may behave differently after you install the security update:

• Attachments
• The Outlook object model
• Simple Messaging Application Programming Interface, or Simple MAPI

For additional information about the Microsoft Outlook E-mail Security Update, click the article number below to view the article in the Microsoft Knowledge Base:

For additional information about how the update affects developers and custom solutions, click the article number below to view the article in the Microsoft Knowledge Base:

After you apply the Outlook E-mail Security Update, various Outlook features and programs that integrate with Outlook cause a warning message to appear that asks you to confirm the action. You must confirm the action for the feature to work. Unless an administrator has overridden these default settings for you, you cannot alter this behavior. In some situations, the prompts may cause a feature to take longer to complete because you must approve the action repeatedly.

To prevent worm viruses, such as the ILOVEYOU virus, from quickly spreading, Microsoft has restricted features that can potentially be used to write virus in Outlook. Microsoft is evaluating the security features in Outlook and other general messaging functionality for future versions of Microsoft products.

Mail Merge

Various mail merge features generate address book warning messages if you are merging with Outlook contact information. You can allow access to the address book information for up to 10 minutes, and you do not receive address book warning messages again for that period of time.

Mail Merge to E-mail or Fax

When you create a mail merge to e-mail or fax by using your Contacts folder, you must eventually use Microsoft Word to complete the mail merge. After you start the actual merge, you receive a warning message which indicates that a program is trying to access your address book. You can allow access for up to 10 minutes, and you do not receive address book warning messages again for that period of time. However, a separate warning message for each e-mail message that you send appears and you must wait five seconds before you can confirm the send process. For example, if you generate a mail merge to e-mail that is being sent to 100 people, it takes over eight minutes and you must approve each of the e-mail messages every five seconds. This is a limitation of the current design and improvements are being evaluated for the next version of Microsoft Office.

Team Folders

Outlook Team Folders use the Outlook object model for various tasks. You are prompted to confirm access in various tasks that you do by using Team Folders, including setting permission to information, sending e-mail messages, and creating the Team Folder. If you confirm access to your address book and confirm to send e-mail messages, the Team Folders features work as expected. If you deny access, you may receive a script error message.

Digital Dashboards

Digital Dashboards typically have script in their Hypertext Markup Language (HTML) pages. If the script references parts of the Outlook object model that are restricted by the security update, you receive prompts to confirm access when you use the dashboard. If you click No in the confirmation dialog boxes, the Digital Dashboard pages do not work because they do not have error handling for this new behavior.

Net Folder Invitations

You may receive an address book warning message when you send a new subscription. Other users also receive an address book warning message when they receive a new subscription request. Although you may receive a warning message, the Net Folder feature works correctly.

Space Takes the Place of an Attachment

If you use e-mail messages in Outlook Rich Text format, attachments are included within the text of the message. When Outlook blocks an attachment, a space is left in its place.

"Unsafe" Attachment Forwarding

If you forward a message with an "unsafe" or Level 1 attachment, the attachment is not included with the forwarded message. This is by design.

How To Remove "Unsafe" Attachments

To remove an "unsafe" attachment from an e-mail message so that the attachment does not use more storage space than necessary, forward the message to yourself. The forwarded message does not contain the attachment, and you may then delete the original message to reclaim the storage space.

Journal Items and Custom Forms

You cannot see warning messages at the top of journal items or custom Outlook forms. For this reason, you do not see a visual notice that Outlook has blocked access to the attachment.

Information at the Top of the Message Is Limited to Four Lines

When you open an e-mail message, if the e-mail message includes more than four settings that are displayed at the top of the e-mail message, and the e-mail message contains an "unsafe" attachment, you do not see an information message at the top of the e-mail message.

Meeting and Task Request Limitations

If you are using either meeting requests or task requests and the task or appointment contains an "unsafe" attachment, Outlook does update the warning message at the top of the item to indicate that access to the attachment has been blocked. This behavior is a known limitation that specifically relates to meeting request and task request forms. In addition, you may see inconsistent behavior with attachments, whether or not an "unsafe" attachment is blocked in various circumstances when you use meeting requests and task requests. These limitations are caused by the architecture of Outlook and the request forms.

The Setup "Run From" Location Changes

If you have Outlook installed to run locally, apply the security update, and then click Run from Server to change Outlook to run from your server, the security update feature set is not available, and you cannot reapply the update on that computer. You must change the "Run From" setting back to "Locally" by using Office or Outlook Setup.

VBScript No Longer Runs in Template (.oft) Files

If you open an Outlook item template (.oft) file, and it has script in it, the script is disabled and you do not receive the enable or disable macro warning message. This is a feature of the security update. To make this functionality work again, an administrator must configure your computer so that you are prompted to run the script or not to run the script.

Quick View Behavior

Regardless of the file types that you add to the Level 2 list, you are able to use the Windows Quick View feature to see the contents of attachments. However, you cannot open attachments in this way.

Simple MAPI, Outlook, and CDO Do Not Share Time Settings

Because these three object models, or APIs, run in separate processes, they all maintain independent settings when users are prompted to allow access for a specific amount of time. For example, if a custom Outlook form contains Visual Basic Scripting Edition (VBScript) that uses both the Outlook and CDO object models, the user is prompted twice to specify the amount of time that the object model can be used; the user is prompted once for each object model.

Security Prompts Are Reset When You Restart Outlook

If you quit and then restart Outlook, you receive another prompt to allow access if another program requests access to the Outlook object model. When you allow access to the Outlook object model your computer does not store this information, so you are prompted again to allow access when you restart Outlook and a program requests access to the object model.

Collaborative Data Objects (CDO)

CDO is another object model that people who write viruses can use to send mail. The Microsoft Outlook 98 update removes CDO from your system to take away this risk, but the Outlook 2000 update cannot remove CDO. Microsoft recommends that you manually uninstall CDO by using the Add-Remove tool in Outlook or Office Setup.

Administrator Can Not Re-Enable the Send Button

The update restricts the use of the CommandBars object so that the object cannot programmatically click the Send button. There is no administrative option to remove this restriction. As a work around, you can change the appropriate options for programmatically sending mail by using the Send method.

Using Distribution List in the Outlook Security Form

If you type distribution lists in the Members box of the Outlook Security Form, security settings are not applied to each user in the distribution list. You must add users individually for the security settings to work.

Object Model Timer Applies to the Yes and No Buttons

If a program tries to access your address book, and you click to select the check box to allow access for 10 minutes, and then click No in the dialog box, access to your information is not allowed for 10 minutes. The timer applies if you click either the Yes button or the No button in the dialog box.

Information at the Top of the E-mail Message Does Not Display the File Name

After you attach an "unsafe" attachment to an e-mail message, you can change the properties of the attachment before you send it. This changes the file name that is displayed in the e-mail message, although it does not actually rename the attachment itself. When another user receives the item, the attachment is not available. However, the information message at the top of the e-mail message does not display the attachment's real file name; it displays the name of the file as it was set by the sender.