Exchange Messaging Outlook
Volume 8, Number 14

Greetings! Welcome to Vol. 8, No. 14, 16 Oct 2003, of Exchange Messaging Outlook, a biweekly newsletter about Microsoft Exchange and Microsoft Outlook.

• Critical Security Update for Exchange 2000; Updates Also for Exchange 5.5
• Outlook 2003 Rules May Halt Exchange 5.5
• Report from Microsoft Office System Connections
• Outlook on Their Minds
• Office 2003 and Exchange 2003 Launch Next Week

Regular features:

• New utilities
• Updated utilities
• Other resources

Critical Security Update for Exchange 2000; Updates Also for Exchange 5.5

Microsoft has released a critical security patch for Exchange 2000 to eliminate a vulnerability in the SMTP service that could result in a denial-of-service attack or an attacker running malicious programs in the security context of the SMTP service. The Internet Mail Service in Exchange 5.5 is also vulnerable to a similar denial-of-service attack. Patches are available for Exchange 5.5 Service Pack 4 and Exchange 2000 Service Pack 3. Microsoft also suggests several workarounds, such as SMTP authentication, that can provide some protection until you install the patch. For complete details, see "Microsoft TechNet Microsoft Security Bulletin MS03-046: Vulnerability in Exchange Server Could Allow Arbitrary Code Execution" http://www.microsoft.com/technet/security/bulletin/MS03-046.asp  

A second patch for Exchange 5.5 addresses a cross-site scripting vulnerability related to HTML encoding in a new mail message. Because this patch affects the .asp pages that drive Outlook Web Access, you should back up any customized pages before applying the patch. You will then need to reapply the customizations to the updated pages. For more information, see "Microsoft Security Bulletin MS03-047: Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack" at http://www.microsoft.com/technet/security/bulletin/MS03-047.asp. 

Links to all three patches are listed below under Updated Utilities. Exchange 2003 does not exhibit either vulnerability.

Outlook 2003 Rules May Halt Exchange 5.5

Using Outlook 2003 to modify or import rules may cause the Exchange 5.5 store to halt when it tries to process a rule with a malformed property. Microsoft has released a post-SP4 hotfix to correct the problem. Contact Microsoft Product Support Services (PSS) to obtain Exchange 5.5 Information Store Patch 2657.74. The Microsoft Knowledgebase article "XADM Information Store Intermittently Stops Responding and an Access Violation Occurs in EcDSDNFromSz" at http://support.microsoft.com/?kbid=829418 has more information.

Note that this is the second compatibility issue known to affect Exchange 5.5 after mailboxes have been accessed with Outlook 2003. The first one, discussed in EMO in August (http://www.slipstick.com/emo/2003/up030820.htm#updatecdo), can prevent Outlook Web Access users from accessing their mailboxes. It, too, has a hotfix available. Microsoft recently moved to provide public download locations for this fix (and the related fixes for Exchange 2000 and Exchange 2003), instead of making you call PSS to get the patch. See http://www.slipstick.com/exs/index.htm#ol2003cdo for download links.

Report from Microsoft Office System Connections

I'm on my way home from the Office Developer Connections conference, having spent three days learning about new tools and technologies such as InfoPath and Visual Studio Tools for Office (which released this week). Unlike the Professional Developers Conference (PDC) later this month or TechEd, which attract thousands of people, this is a small conference concentrated at one (really nice) resort hotel. The strong lineup of experienced non-Microsoft presenters (as well as a few folks from Microsoft with some really good code to share) were all willing to spend time to tackle specific development questions that attendees brought with them. The next Office Developer Connections conference will take place in April in Orlando, again concurrent with the other developer conference.

Outlook on Their Minds

Between sessions, I got an earful of questions not just from people doing development on various platforms but also from some involved in their organizations' deployment plans for Outlook. Some of their questions:

Does Outlook 2003 eliminate the limit on the maximum number of entries in a personal distribution list (DL)? No, the limit is the same, and it's due to constraints on the Exchange Server, not in Outlook. My feeling is that people shouldn't use large personal DLs in the first place. For one thing, unless users are meticulous, they'll wind up putting the DL name in the To box, which means that all those dozens or hundreds of names will have to print out before the actual message. My preference is either to manage a large DL in the Exchange GAL (and there are some nice tools for that -- see http://www.slipstick.com/exs/lists.htm) or to use mail merge to send individual messages, rather than one message to all recipients. Mail merge is almost essential if you're sending outside your organization, since messages with many recipients may be more likely to be classified as spam.

Why does Outlook sometimes prompt for credentials for my POP server but still works OK if I cancel that dialog? That one (from an Access guru) has me stumped. It rings a bell, but it's impossible to remember all the problems with Outlook, so I'll have to do some digging.

What's the future of Outlook as a programming platform? Ah, that's the big question, isn't it? There aren't many changes in Outlook 2003, which supports the same approaches as earlier versions -- custom forms, VBA, COM add-ins, and folder home pages. I spent some quality time looking at InfoPath this week and realized that its combination of easy form design and XML data representation might point to the direction Outlook could take someday. But, for now, we'll just have to wait to see what Outlook 12 has to offer a couple of years down the road.

And, by the way, in case you're wondering whether you can use Visual Studio Tools for Office to create managed .NET code for a Word template that Outlook uses for email, that just won't work. The security for VSTO applications won't permit it.

Office 2003 and Exchange 2003 Launch Next Week

In case you've been on another planet recently and haven't heard the news, the official launch of Microsoft Office System 2003 and Exchange 2003 takes place next Tuesday, October 21, in New York. I'll be there and expect that it will be an exciting event.

Launch events will be happening in many locations over several days; you can sign up for one near you at http://www.officesystemlaunch.com/.

New Utilities

EXCHANGE DISASTER RECOVERY SERVICE
http://rsmtek.com/exchange.html
Service to restore corrupted PRIV and PUB databases from Exchange.

PAYPAL PAYMENT WIZARD
http://www.paypal.com/cgi-bin/webscr?cmd=p/sell/payment_wizard_intro-outside
Add PayPal buttons -- payment request, product, service, auction payment, and donation to Outlook messages.

REMINDER MANAGER
http://www.slovaktech.com/remindermanager.htm
Makes it possible for Outlook to fire reminders from any calendar, contacts, mail, or tasks folder visible in the Folder List, whether it's in a Personal Folders .pst file or an Exchange mailbox or Public Folders. (IMAP folders not supported) Includes option to send reminders to any email, pager, or text messaging address. Manage all reminders in one Window, even in Outlook 2000. For Outlook 2000 or later.

ROOMSERVICE CENTRAL
http://www.ms-add-on.com/products_roomservice_eng.htm
Order additional services, such as catering or transportation, when scheduling a meeting. Orders can be integrated with your accounting system.

SPAMCATCHER
http://www.aladdinsys.com/win/spamcatcher/index.html
Anti-spam tool using Bayesian, whitelist (including Outlook contacts), blacklist (including Outlook junk senders), peer reporting, and other techniques. Handles POP, Exchange, and HotMail accounts. Outlook 2000 or later.

WINDOWS SHAREPOINT SERVICES
http://www.microsoft.com/windowsserver2003/technologies/sharepoint/default.mspx
Free component for Microsoft Windows Server 2003 that provides small group collaboration space with Outlook 2003 integration for shared contacts, shared calendar, meeting workspaces, and document workspaces.

Updated utilities

LOOK.WEB
http://www.symprex.com/lookweb/basics.htm
Version 3.03 of this tool for displaying multiple Exchange calendars in a browser interface uses an improved method of connecting to the Exchange server, adds a quarterly free/busy view, adds day list and week list views similar to Outlook Today, supports category color coding, supports multiple time zones and formats, and makes various other improvements and fixes.

OCTOBER 2003 CUMULATIVE PATCH FOR INTERNET EXPLORER
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
Critical security patch (Microsoft Security Bulletin MS03-040) for Internet Explorer 5.01 or later to protect against the latest vulnerabilities in HTML-format messages and other possible exploits.

SCOPEWARE VISION
http://www.scopeware.com/products/prod_v_subpage.html
Version 2.1 of this search tool extends the Outlook searching capability to calendar, contacts, notes, and tasks and can search RSS feeds. A separate CRM module for the Professional edition provides a quick lookup for Outlook contacts and searches all information related to that person.

SECURITY UPDATE FOR EXCHANGE 2000 (KB829436)
http://www.microsoft.com/downloads/details.aspx?FamilyId=7BAF5394-1B4E-4937-A570-9F232AE49F01&displaylang=en
Critical patch for Exchange 2000 to eliminate a vulnerability that could allow a denial-of-service attack or permit malicious code to run in the security context of the SMTP service.

SECURITY UPDATE FOR EXCHANGE 5.5 (KB828489)
http://www.microsoft.com/downloads/details.aspx?FamilyId=C516FE75-95CE-4FFF-B83D-9B170FCD0C1C&displaylang=en
Update for the OWA vulnerability identified in security bulletin MS03-47. Be sure to back up any customized OWA pages before installing this update. You will then need to apply your modifications to the patched pages.

SECURITY UPDATE FOR EXCHANGE 5.5 (KB829436)
http://www.microsoft.com/downloads/details.aspx?FamilyId=A9E872EA-54B0-4179-8AE9-5648BFB46459&displaylang=en
Important patch to prevent a denial-of-service attack via the Internet Mail Service.

TABTAG
http://www.sqlview.net
The latest version of this tool for integrating data from a Microsoft SQL database into Outlook improves documentation, adds more Word templates for doing mail merge, and adds the ability to create relationships among any Outlook objects. (Formerly SQLView)

Other resources

EXCHANGE 2000 SDK DOCUMENTATION AND SAMPLES SEPTEMBER 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=7BD65D0D-A3A4-41F4-9868-E643F4A030B1
Latest version of the basic documentation for creating applications related to Exchange 2000.

EXCHANGE 2003 SDK DOCUMENTATION AND SAMPLES SEPTEMBER 2003
http://msdn.microsoft.com/isapi/gomscom.asp?TARGET=/downloads/details.aspx?FamilyId=AAA9FEE9-426E-4437-BF3E-5A098D5F9A08
Latest version of the information needed to build applications that use Exchange 2003

EXCHANGE SERVER 2003 HELP UPDATE
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=EE2DA5B9-E32F-4991-9EC8-B5659BD4F946
Updated Help files with information not included on the Exchange CD.

DEPLOYING PROJECT 2003 WITH OUTLOOK 2003
http://www.microsoft.com/office/ork/2003/three/ch8/OutC08.htm
Office Resource Kit material explaining how to install and use the Outlook Integration add-in included with Microsoft Office Project (2003) Web Access. This COM add-in allows Outlook users to import and view Project assignments in their Calendar folder. Users can also send updates to assignments from Outlook to Project.

ISA SERVER 2000 EXCHANGE 2000/2003 SECURE REMOTE EMAIL DEPLOYMENT KIT (BETA 1)
http://www.isaserver.org/news/exchangekitbeta1.html
How to set up secure remote access to Exchange Server located on the internal network behind a Microsoft ISA Server firewall, including certificate and other configuration details for Exchange.

MAPI EXAMPLE CODE FOR GETTING FOLDERS AND MESSAGES
http://www.wischik.com/lu/programmer/mapi_utils.html
C++ sample functions for performing basic Outlook operations with Extended MAPI.

MICROSOFT OFFICE SYSTEM PRODUCT EVALUATION KITS
http://www.microsoft.com/office/preview/trial.asp
You can order trial versions of Office System 2003 and all the other new Office programs for $7.95 each for the first kit and $4.95 for each additional kit, including shipping (worldwide) and handling. Each copy can be installed and activated on up to four computers. If you decide to keep the software after the 30-day trial period ends, you won't need to do a complete removal and reinstallation. According to Microsoft, all you'll need to do is run setup from your retail copy and enter the product key when prompted.

OUTLOOK 2003 OBJECT MODEL MAP
http://www.microeye.com/resources/ObjectModel2003.htm
Detailed Visio map of all the objects in the Microsoft Outlook 2003 object model and their properties, methods, and events

OUTLOOK TIPS FROM MICROSOFT'S KC LEMSON
http://blogs.gotdotnet.com/kclemson/ Ongoing series of user tips.
You can also subscribe to KC's RSS feed to receive her tips in a news aggregator.

WORKING WITH STORE PERMISSIONS IN MICROSOFT EXCHANGE 2000 AND 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=2AE266F0-16B7-40D7-94D9-C8BE0E968A57&displaylang=en
Document explaining how Exchange store permissions work, including tips on when to use which interface to change permission settings.

More Information

• Click here to subscribe to the Exchange Messaging Outlook newsletter. 
• Exchange Messaging Outlook Newsletter back issues

ISSN 1523-7990
Copyright 1996-2006, Slipstick Systems and CDOLive LLC. All rights reserved.

Updated Jul 30 2006

Home | What's New | Exchange Server | Outlook | Utilities | Bookstore
About Slipstick | Feedback | Privacy Policy | Site Map | Archived Pages | Link to Us | Advertise