Exchange Messaging Outlook 15 Jun 2000

What's New

Outlook Issues
Exchange Server
Utilities and Add-ins
Video Tutorials
Product Reviews

Subscribe to EMO
Previous Issues Index

Exchange Messaging Outlook
Volume 5, Number 4

Today's highlights:

Outlook E-mail Security Update
Reading .exe files when the update blocks them
Customizing the update in an Exchange Server environment
Other administrator resources for the update
What about CDO?
Uninstalling the update
My main complaints about the update

Regular features:

New Slipstick site features
Other new resources
New utilities
Updated utilities

Outlook Email Security Update

As expected, last week Microsoft released a patch for Outlook 98 and Outlook 2000 (with Office 2000 Service Release 1/1a) that disables many of the features that allowed VBS/Loveletter and similar viruses to spread so quickly. Our page at http://www.slipstick.com/outlook/esecup.htm lists the different types of protection included, the files affected and all the resources you need to evaluate whether this update is right for you.

The new patch makes it impossible to open, save or forward program files in Outlook -- including .exe files and VBScript .vbs files like those that spread Loveletter. This optional patch is also aimed at making it more difficult for a virus to use Outlook to transmit itself via e-mail. The "object model guard" (as Microsoft calls it) feature of the patch means that some Outlook features will no longer function at all. In other cases, a user will need to authorize access by outside programs, including tools for synchronizing with PDAs such as the Palm or Windows CE devices or with web sites. We are maintaining a list of affected applications at http://www.slipstick.com/outlook/esecup/apps.htm and welcome your comments or additions to the list. You can click here to send us your information.

Should you install this update? Never install any patch without reading all the information available about it. This goes double for this update, which has the potential to cripple Outlook add-ins and radically change normal Outlook functions. Our general recommendations:

If you are a normal standalone user and don't automate Outlook with code, this patch may be a good tradeoff between additional security and the inconvenience you might suffer in having to click the warning when you synchronize with a PDA.
If you are a power user who automates Outlook with code or installs various Outlook add-ins, do not install this patch until you evaluate its possible effects on your add-ins and code. Chances are that the protection is not worth the annoyance. Instead, you may want to follow our general recommendations on protecting Microsoft Outlook against viruses at http://www.slipstick.com/outlook/antivirus.htm.
If you are responsible for administering Outlook in an Exchange Server environment, take a look at the customization features described below. They are extensive and flexible, but may not scale well.
If you are responsible for administering Outlook for use with other enterprise mail systems, wait a while. Microsoft has provided information to Lotus, HP and Novell Groupwise that they can develop administrative tools comparable to those provided by Microsoft for Exchange Server.

Reading .exe files when the update blocks them

Many people use self-extracting .exe files to send various types of documents or program updates. Even with the Outlook E-mail Security Update installed and making these files invisible in Outlook, there are several ways to access them:

Copy the message to a different Outlook folder, then use Outlook Express to import the items from that folder. Outlook Express does not have a security patch like Outlook’s … yet.
In an Exchange Server environment, you may be able to open the message with Outlook Web Access. OWA does not block access to such attachments.
Use Chilton Preview from http://www.slipstick.com/addins/gallery/index.htm#preview. This is a free, alternative preview pane that works with all versions of Outlook and allows you to see and open all attachments.
Use CaSaveAtt or ExLife from http://www.ornic.com. CaSaveAtt is a custom action that works with the Outlook Rules Wizard. It allows you to create rules to save attachments to disk. With Outlook 2000, you can create a rule to save attachments, then run it on demand as needed. (Earlier versions of Outlook do not support running rules on demand.) ExLife is a full Rules Wizard replacement that also allows you to run rules on demand.

Customizing the update in an Exchange Server environment

In Microsoft Exchange Server environments, administrators can customize the Outlook 98/2000 E-mail Security Update by installing a special Outlook custom form in an Outlook Security Settings public folder, using that form to configure security options for individuals and groups, and setting a registry entry on client workstations. Download the Admpack.exe file from http://www.microsoft.com/office/ork/2000/appndx/toolbox.htm#secupd to get a self-extracting file with the form, detailed instructions, and a new policy file for Outlook 2000. Additional details are available at http://www.microsoft.com/Office/ORK/2000/journ/outsecupdate.htm.

In our tests, this technique worked very well, even for offline users. After installing the Outlook E-mail Security Update and updating the registry, offline users simply need to synchronize twice. They do not need to start Outlook in a full online session with the server. This, by the way, is a brilliant deployment strategy that we'd like to see extended so that administrators can make any public folder available to offline users without the need for a full online session.

Keep in mind that there are some potential limitations to this customization technique:

It may not scale well. Microsoft specifically says that it is not suitable for managing large numbers of users.
You cannot use distribution lists to manage security groups. You must enter individual mailboxes on the forms. In fact, you must type the names in, since the custom form does not offer a button to display the Address Book. TIP: Open a regular Outlook message, and use its To button to select mailboxes from the GAL. Then copy and paste the list of mailboxes into the Outlook Security form.
If you include a mailbox in more than one security group, Outlook will use the settings from the group that was modified most recently. It does not check all items in the Outlook Security Settings folder and try to resolve any discrepancies between the settings for two different groups. This means that you must plan your security groups very carefully.

Other administrator resources for the update

Microsoft has provided extensive documentation on how to deploy and administer the update. See:

Deploying the Outlook 98/2000 E-mail Security Update
http://www.microsoft.com/Office/ORK/2000/journ/outsdep.htm

Customizing the Outlook 98/2000 E-mail Security Update
http://www.microsoft.com/Office/ORK/2000/journ/outsecupdate.htm

OL2000: Administrator Information About the Outlook E-mail Security Update
http://support.microsoft.com/support/kb/articles/Q263/2/97.asp

OL98: Administrator Information About the Outlook E-mail Security Update
http://support.microsoft.com/support/kb/articles/Q263/2/96.asp

Do not deploy this update without running tests against any Outlook-related applications used in your organization.

What about CDO?

CDO, or Collaboration Data Objects, is other programming model that allows applications to create and send e-mail messages. Outlook 98 includes it by default. It is an optional component in Outlook 2000. Microsoft is developing a security update specifically for CDO. However, since CDO is not affected by the Outlook E-mail Security Update, Microsoft decided to simply remove CDO from Outlook 98 installations when you install the Outlook 98 E-mail Security Update. This is noted in the Microsoft Knowledgebase articles on the Outlook 98, but not on the main download page for the Outlook 98 version of the update.

The problem here is that many Outlook custom forms and applications use CDO, because CDO can do things that the Outlook programming model cannot -- such as retrieving the e-mail address of the person who sent a message or popping up a dialog where you can choose recipients from the Address Book.

If you have custom applications that you know use CDO, you may want to modify the installation of the Outlook 98 version of the Outlook E-mail Security Update to keep CDO on the system. We've posted the key steps at http://www.slipstick.com/outlook/esecup/ol98cdo.htm.

If you have already installed the patch on Outlook 98 and need to restore CDO, you should be able to copy the Cdo.dll file from a system that has not been patched, then run Regsvr32.exe to register the .dll.

Uninstalling the update

Removing the Outlook 98 version of the update is easy. Just go to Control Panel | Add/Remove Programs and remove the update. This will roll Outlook back to your previous Outlook 98 installation. You do not need to have an Outlook 98 CD handy.

For Outloook 2000, installation is much more complicated. You must remove Outlook 2000, if you installed it as a standalone program, or Office 2000, if you installed Outlook as part of the Office suite, and then reinstall either Outlook or Office. We have seen a few cases in the Outlook newsgroups where reinstalling Office also reinstalled the security update. So far, we don't have a precise handle on why that might occur in some instances, but it is an issue we will be watching closely. Check our page at http://www.slipstick.com/outlook/esecup.htm for more information, as it becomes available.

My main complaints about the update

My main complaints are not that Microsoft delivered a patch of this magnitude -- there were clearly marketing and PR pressures that had to be met in some fashion, many of the issues having been simmering for years -- but in the way it has been packaged. My ideal update would have been provided the attachment security and object model guard as two separate, removable components.

Microsoft provides a strong recommendation that users install this update, but does not couple that with an equally strong advisory about how it affects the way Outlook works. Yes, the effects are documented on the download page and in the many MSKB articles. I think we can assume, though, that the average user does not take the time to read all that fine print.

Instead, what do you think might happen if the setup program required the user to respond Yes to a series of questions like these:

Do you understand that, after you install this update, Outlook will protect you from .exe files and other "dangerous" files by not allowing you to open, save or forward them from within Outlook?
Do you understand that, after you install this update, you will probably need to click an extra dialog box button every time you need to synchronize with your PDA?
Do you understand that this update disables routing of Word documents?
Do you understand that this update increases macro security in Word, Excel and PowerPoint so that only signed macros will run?
Do you understand that, after you install this update, you will need to click an extra dialog box button for every message that a merge to e-mail or any other e-mail automation program tries to send?

Given that the Outlook 2000 update cannot be easily uninstalled, providing specific information like this in the setup program would have gone a long way toward educating users on the spot and avoiding some of the anger now being directed at Microsoft by users who installed the patch, only to find that the effects were far too intrusive. Maybe it's time to start making software updates self-documenting in their installation programs, rather than relying on users to read web pages or find the Readme.txt file on a CD before installing.

My other complaint is that, with the release of the Outlook E-mail Security Update, Microsoft has withdrawn the Outlook 98 and Outlook 2000 versions of the attachment security patches that were released last year. These force Outlook users to save certain file types to disk before opening them (see http://www.slipstick.com/addins/utilities/attsecup.htm). I don't have a problem with Microsoft's removal of the Outlook 2000 version, because Office Service Release 1/1a provides an update for the attachment security component that makes it customizable via the Windows registry. This is a great enhancement and another good reason to install SR1/1a.

But Outlook 98 users are left out in the cold. Check your Outlook 98 version number by clicking Help | About Microsoft. If it is not 8.5.6604 or later, you do not have the attachment security update in place. And you have no way to get it, since Microsoft has pulled that patch. Your only choices are to continue with less attachment security in Outlook 98 than Microsoft feels you should have, install the much more restrictive Outlook 98 E-mail Security Update, or upgrade to Outlook 2000 and install SR1/1a. (FYI, the new Pocket PC units from Casio, Compaq and HP all will include a free copy of Outlook 2000.)

New Slipstick Site Features

Installing the Outlook 98 E-mail Security Update with CDO
http://www.slipstick.com/outlook/esecup/ol98cdo.htm
How to modify the setup for the Outlook 98 E-mail Security Update so that the CDO (Collaboration Data Objects) component is not removed.

Other New Resources

Digital Dashboard Resource Kit 2.0
http://www.microsoft.com/solutions/km/DDRK.htm
Second-generation toolkit for building digital dashboards that operate as portals inside Outlook 2000. Includes more samples and pre-built "Web Parts," plus easy customization for end users. See http://www.microsoft.com/solutions/km/WhatsNew.htm for what's new.

Exchange 2000 RC2 Preview SDK and Developer Tools
http://msdn.microsoft.com/downloads/sdks/exchange/beta.asp

Workflow Designer for Exchange 2000 RC2 Preview
http://msdn.microsoft.com/downloads/sdks/exchange/workflow.asp

Exchange 2000 Web Storage Systems Forms Support
http://msdn.microsoft.com/downloads/sdks/exchange/webstorage.asp

New Utilities

eTrust Content Inspection PE
http://www.cai.com/solutions/enterprise/etrust/content_inspection/personal/cipe.htm
Blocks .vbs, .exe and other executable files from being launched from inside Outlook or other e-mail programs. You can still save the attachment and launch it from the file system. Free.

eTrust Mail Watcher
http://www.cai.com/solutions/enterprise/etrust/content_inspection/personal/mailwatcher.htm
Reduces the risk of a virus spreading via e-mail by monitoring all attempts by external programs to generate mail. Free.

Mail Notifier for Microsoft Exchange Server
http://www.ezos.com/soft/mailnotifier/mailnotifier.asp
Get notification of new messages in your Exchange Server mailbox, even when Outlook or the Exchange client is not running. [No longer available as of 8/2002]

Updated Utilities

Franklin Planner for Microsoft Outlook
http://www.franklincovey.com/fpo/index.html
Version 1.3 resolves all major incompatibility issues with Outlook.

Nemx Power Tools for MS Exchange Server
http://www.nemx.com/products/powerpac/
Version 2.3 enhances the Content Manager and Spam Blocker "message actioning" options, allowing extended quarantine, replies to originators, and other options. Operates as a true Exchange Server add-on, not as a proxy gateway.

Open Plan
http://www.welcom.com/products/opp/index.html
Enterprise-wide project management software in several editions, with some Outlook integration in its E-mail Advisor feature. This application has been updated for the Outlook E-mail Security Update; see http://www.welcom.com/library/press/oulookupdate.html.

Outlook E-mail Security Update
http://www.slipstick.com/outlook/esecup.htm
Extensive update for Outlook 2000 and Outlook 98 to lock down many parts of Outlook that make it possible for a virus to use Outlook to propagate. Install with great caution, since it will change the behavior of some Outlook features and most add-ins.

More Information

Click here to subscribe to the Exchange Messaging Outlook newsletter.
Exchange Messaging Outlook Newsletter back issues

Updated Jul 15 2008

Exchange Messaging Outlook Volume 5, Number 4