Greetings! Welcome to Vol. 6, No. 8, of Exchange Messaging
Outlook, a biweekly newsletter about Microsoft Exchange and
Microsoft Outlook.
Today's highlights:
- Outlook View Control and CLSID Security Holes Patched
- Updated OVC Causes Problem for Digital Dashboards
- Teach Yourself Outlook 2000 Programming Unavailable
- Microsoft Personal Security Advisor
- Office Developer Connections conference
- MEC Awards 2001
- MEC registration open
Regular features:
- New utilities
- Updated utilities
- Other new resources
Outlook View Control And CLSID Security Holes Patched
In the last issue of EMO, I wrote about the security
vulnerability found by George Guninski in the Outlook View Control
(OVC), which is integrated into Outlook 2002 and available as a
separate component for Outlook 2000. Microsoft has now issued OVC
patches for both Outlook 2000 and Outlook 2002.
For Outlook 2002, download the August 16, 2001 Update from
http://office.microsoft.com/downloads/2002/olk1003.aspx. The
MSKB article at
http://support.microsoft.com/support/kb/articles/q303/8/25.asp
explains how to deploy the administrative version of the update.
For Outlook 2000, you can download the updated OVC from
http://office.microsoft.com/downloads/2000/outlctlx.aspx. As a
bonus, this version of the Outlook View Control (10.0.0.3124) now
supports the Selection object, just as the Outlook 2002 version
does, which opens up a whole new realm of possibilities for
programmers using the OVC. [Editor's note: Additional testing
after this issue of EMO was distributed found that Selection is
not in fact available as a child object of the Outlook View
Control.]
Even though the original security bulletin on this vulnerability
included both Outlook 98 and Outlook 2000, our testing -- using
Guninski's original demonstration script at
http://www.guninski.com/vv3-2demo.html -- didn't show the
vulnerabilities that Guninski described. (Hey, it was news to me
that the OVC worked at all in an Outlook 98 environment, but it
does, showing whatever folder you configure the Outlook 2000 OVC to
display.) Perhaps Microsoft found something else in the Outlook 2000
version that needed patching, beyond what was in Guninski's demo.
The August 16, 2001 Update for Outlook 2002 is the second in a
cumulative series of regular updates that Microsoft plans to issue
for Office, largely to correct security problems. This update also
plugs a vulnerability related to attachments using a CLSID unique
identifier as the file extension instead of the standard
three-letter extension, such as .exe or .doc.
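As an added example (not code from the newsletter or from Microsoft), here is a small Python check a mail gateway or log review could use to spot the attachment-naming trick described above: a filename whose final "extension" is a braced CLSID rather than a normal three-letter extension. The sample filenames are constructed, and the displayed_name helper assumes, as the text does not spell out, that the shell shows such a file without its CLSID part.

```python
import re

# Standard CLSID/GUID form: {8-4-4-4-12 hex digits}
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def clsid_extension(filename):
    """Return the CLSID if the file's last extension is a braced CLSID, else None."""
    # Strip any path component (either separator) before inspecting the name.
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in name:
        return None
    stem, ext = name.rsplit(".", 1)
    if stem and CLSID_RE.match(ext):
        return ext
    return None


def displayed_name(filename):
    """Name as a user would see it with the CLSID part hidden (assumption, see lead-in)."""
    ext = clsid_extension(filename)
    return filename[: -len(ext) - 1] if ext else filename


def scan_attachments(filenames):
    """Return (filename, displayed name, clsid) for every attachment that uses the trick."""
    hits = []
    for fn in filenames:
        ext = clsid_extension(fn)
        if ext:
            hits.append((fn, displayed_name(fn), ext))
    return hits


# Constructed sample attachment names; the CLSID value is a placeholder, not a real one.
SAMPLE_ATTACHMENTS = [
    "report.doc",
    "invoice.txt.{00000000-0000-0000-0000-000000000000}",
    "notes.{ZZZZZZZZ-0000-0000-0000-000000000000}",  # not valid hex, so not a CLSID
]

if __name__ == "__main__":
    for fn, shown, clsid in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"BLOCK {fn!r}: would display as {shown!r}, hidden extension {clsid}")
```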
To plug the CLSID hole for Outlook 2000, Microsoft has revised
the Outlook E-mail Security Update. The new version is available for
download at
http://office.microsoft.com/downloads/2000/out2ksec.aspx.
In addition to the downloads discussed above, Microsoft has also
updated the copy of the Outlook 2000 OVC posted at
http://activex.microsoft.com/activex/controls/office/outlctlx.cab,
which many digital dashboards and other applications use as the
codebase to make it easy for users to download the latest version.
Updated OVC Causes Problem For Digital Dashboards
To secure the Outlook View Control, Microsoft has changed its
functionality. The new version no longer supports the use of the
View parameter when using the OVC outside Outlook, such as in an
independent digital dashboard. Unfortunately, instead of degrading
gracefully and just ignoring the View parameter when it is present,
the control disregards the Folder parameter value as well and
displays the Inbox.
Also, any code that attempts to set the View property results in
a Permission Denied error.
This change in functionality is baffling. Why would switching to
a named view that already exists on a user's system pose a security
threat?
I have posted a page at
http://www.slipstick.com/dev/ovcviewdemo.htm that illustrates
the issue. If you have the updated control, you should get different
results on Tests 1 and 3 depending on whether the page is running in
IE or as an Outlook folder home page.
The workaround is simply not to use the View parameter with the
Outlook View Control if your application may be viewed in a browser,
not an Outlook folder home page.
As far as we can tell, if you use the Outlook View Control only
within an Outlook context, such as a form or Team Folders folder
home page, it will continue to function as you'd expect.
Teach Yourself Outlook 2000 Programming Unavailable
I have been informed that my Teach Yourself Outlook 2000
Programming book is now out-of-print. This is very disappointing,
since it was really the only comprehensive book for novice Outlook
developers (and power users) and virtually all the content was still
relevant to Outlook 2002.
The online bookstores and Sams, the publisher, definitely do not
have copies of this book, so if you see it in a store, you might
want to grab it.
I will be working to make the content available again, updated
for Outlook 2002, but that effort probably will not bear fruit until
early 2002. In the meantime, feel free to download the source code
from
http://www.slipstick.com/books/tyo2kp.htm
and ask questions in our Outlook developers discussion list (http://groups.yahoo.com/group/outlook-dev/)
or in the microsoft.public.outlook.* newsgroups. Beginners are
always welcome in both forums.
Microsoft Personal Security Advisor
At
http://www.microsoft.com/technet/mpsa/start.asp,
you'll find an interesting new tool developed for Microsoft by
Shavlik Technologies. The Microsoft Personal Security Advisor scans
your system for possible vulnerabilities and provides you with an
immediate report and suggestions on how to make your system safer
from intrusion.
It's a useful tool, though not as granular as I'd like to see.
For example, it popped up a potential risk that my Internet Explorer
settings for the Restricted Sites zone aren't as tight as they
should be. Well, I've actually made them even tighter than the
default settings for High security.
Also, it reports "Outlook Attachment Security" as High. If this
is what I think it is, it's a setting that's relevant only to
versions of Outlook before the Email Security Update. On the other
hand, MPSA did not detect that I have used the Level1Remove registry
value to allow access to certain types of files that Outlook 2002
normally blocks.
It also isn't checking the default mail client, because it gave
me this message:
"Outlook Express is installed on your computer. If possible,
consider using Outlook as your primary email client."
Outlook 2002 already is my primary mail client. Outlook Express,
of course, is required for Outlook 98 or later versions to run.
On the other hand, it reminded me that I hadn't installed the
latest Windows service pack and some hotfixes. It's nice to have a
to-do list to work from. Try it and see if you get new ideas for
tightening up your own security. You can send feedback to mpsa@microsoft.com.
Office Developer Connections Conference
I will be speaking on Outlook development at the Office Developer
Connections conference Oct. 4-5 in Scottsdale, Arizona -- covering
Outlook security, Outlook reports, and what's new for developers in
Outlook 2002. One of the sample applications that I'll be showing
adds "merge to HTML e-mail" capability to Office XP, without raising
the Outlook security prompts. Register at
http://www.msofficeconnections.com.
MEC Awards 2001
Once again, Microsoft is seeking the best applications for
Exchange and best solutions that leverage Exchange features. You can
nominate your company or your favorite tool in any of 10 categories
at
http://www.microsoft.com/corpevents/mec2001/awards.asp. Winners
will be announced at MEC in Orlando in October. Get your nominations
in before August 27 at 3:00 PM Pacific Daylight Savings Time.
MEC registration open
Registration is now open for MEC 2001 in Orlando, Florida, Sept.
30 - Oct. 4. Exhibits open Sept. 30, with conference sessions
beginning Oct. 1. Microsoft is now billing MEC as the "premier
Exchange, Windows, and .NET Enterprise Servers event." Register at
http://www.microsoft.com/MSCorp/corpevents/mec2001/reg.asp
by August 24 to get a discount.
MEC Europe will take place in Nice, France, Nov. 6-9. The web
site at
http://www.microsoft.com/europe/mec/ is expected to
have registration details at the end of June.
MEC Japan will be in Tokyo, Oct. 29-30 (a change from the August
date that Microsoft gave earlier). No registration site yet.