• CDO Security Update
• Other Office security updates
• More on handheld synchronization
• Exchange 2000 delayed + Small Business Server 2000

• New utilities
• Updated utilities

As promised in the documentation for the original Outlook E-mail Security Update, Microsoft has now posted a patch for Collaboration Data Objects (CDO) for Outlook 2000 users. This update has the same effect on applications using CDO as the Outlook E-mail Security Update has on applications using the Outlook object model. It blocks these functions:

• Saving .exe, .com, .mdb and other types of file attachments that Microsoft considers dangerous
• Accessing address information
• Sending messages programmatically

Any program that tries to use CDO to get to address information or send a message will pop up a prompt that the user must respond to before the program can continue its work. A system running this patch will not be able to save "dangerous" attachments with CDO code.

As with the Outlook E-mail Security Update, administrators can customize the effects of the CDO patch with the security settings form. See http://www.microsoft.com/Office/ORK/2000/journ/outsecupdate.htm. This is the only way to override the security settings in the update. Standalone users and users in other mail environments cannot customize the features of the update in any way.

You can download this update from http://officeupdate.microsoft.com/2000/downloadDetails/Cdo2k.htm, but first read the detailed information at http://support.microsoft.com/support/kb/articles/q268/2/79.asp. This patch applies only to Outlook 2000 and requires both Office Service Release 1/1a and the Outlook E-mail Security Update. The readme.txt file included with the update implies that it can be used with Outlook 98, but this is not correct. There also is no version for Outlook 97.

Most people don't need this patch, because CDO is not installed with Outlook 2000 by default. If the Cdo.dll file is not on your system, the patch will say that it installs successfully, but it won't actually do anything to your system.

Under no circumstances should you install the CDO update on a server! This is strictly a client update. If you successfully install it on a server, your Exchange Server scripts, Outlook Web Access and any other ASP pages that use CDO may stop working.

For more information on the CDO Security Update, including removal instructions, see http://www.slipstick.com/outlook/esecup/ol2000cdo.htm.

Microsoft has closed a potential security hole in the WordMail feature of Outlook 2000 and Word 2000 by issuing the Word 2000 SR-1 Mail Command Security Update. The loophole theoretically could let an external program send a plain text or HTML format message created with Outlook using Word as the editor. You can download this update from http://officeupdate.microsoft.com/2000/downloaddetails/wd2ksec.htm. It requires both Office 2000 Service Release 1/1a and the Outlook E-mail Security Update. For more information, see the MSKB article at http://support.microsoft.com/support/kb/articles/q265/0/31.asp.

Another update plugs holes in HTML mail (and web pages) that could allow unsafe scripts to be run using Excel 2000 and PowerPoint 2000. See these pages for more details:

• http://officeupdate.microsoft.com/2000/downloadDetails/Addinsec.htm (download page)
• http://support.microsoft.com/support/kb/articles/q268/3/65.asp

One more update applies a similar fix to PowerPoint 97:

• http://officeupdate.microsoft.com/downloaddetails/PPt97sec.htm (download page)
• http://support.microsoft.com/support/kb/articles/Q268/4/77.asp

In the last issue of EMO, I asked for your input on what issues are at the top of your list when it comes to synchronizing Outlook data with a handheld device -- whether it's a Palm, a Pocket PC or some other tool. The responses were very interesting.

One thing I learned is that synchronizing custom items or public folders may be a minor issue compared with such things as handling repeating appointments. Outlook stores a recurring appointment as a single item and just displays the individual instances as needed. But your PDA might not be able to handle repeating appointments that way. It might need to store each instance separately. So what happens when you sync back to Outlook? The sync software might create a new item in Outlook for each appointment instance in the PDA.

Phone numbers are another issue. As discussed in previous EMO issues, Outlook defaults to storing phone numbers in a format that makes it possible to distinguish the country, area/city code and local number. This allows Windows dialing location properties to govern exactly how a number is dialed. However, the parentheses and other punctuation that Outlook users makes for a longer number than some PDA users (and devices) may want to store.

Another EMO reader points out that there are a number of web-based solutions that support synchronizing between Outlook and a handheld device, with the web site's storage in the middle. See http://www.slipstick.com/outlook/sync.htm#web for at least a partial list. These services often offer some very useful features such as automatically upgrading you to the latest version of their software and storing a copy of your contacts and other Outlook data so that you can get to it via any browser.

I don't want to get into the debate over which PDA is best, but a couple of readers wrote about their favorites. Toward the low end of the scale is the Casio (http://www.casio.com) Pocket Viewer line and the free Enterprise Harmony 99 synchronization software that works with the PV-100, PV-200, PV-200A and PV-200A .

I've also heard many good things about the BlackBerry unit (http://www.rim.net), especially from people who install the server component on their Exchange Server. Solutions like BlackBerry get into a whole different level of synchronization. Instead of running software on a PC, the user connects the handheld device directly with the server. We've been taking notes on this kind of application, but have not had a chance yet to do any feature-by-feature comparisons. Here are some of the products we've found:

Extended Systems XTNDConnect Server
http://www.extendedsystems.com/products/serversync/

Mobile Office
http://www.entellectsolutions.com/products/MobileOffice/moboffice.asp

ThinAir Server
http://www.thinairapps.com/

Fenestrae Mobile Data Server
http://www.fenestrae.com

Seiren Waplook for MS Exchange
http://www.seiren.net/products/

Palm HotSync Server
http://www.palm.com/products/enterprise/server.html

Mobile data access -- whether via synchronization to a desktop system or direct server connection -- is getting more and more attention. We'll continue to be interested in your comments and try to discover what important issues you should consider when choosing a solution for your mobile devices. Write us at mailto:emo@slipstick.com?subject=sync if you have an opinion.

Microsoft is pushing back the release of Exchange 2000. Press reports point to an October date. See:

Computer Reseller News
http://www.crn.com/dailies/digest/breakingnews.asp?ArticleID=18364

eWeek
http://news.excite.com/news/zd/000713/17/microsoft-to-push?printstory=1

CNET
http://news.cnet.com/news/0-1003-200-2258364.html

You can check the latest features list for Exchange 2000 at http://www.microsoft.com/exchange/productinfo/FeaturesGuide.htm and get Release Candidate 2 from http://www.microsoft.com/exchange/productinfo/OrderKit.htm.