Exchange Messaging Outlook Volume 8, Number 23

Early last week Microsoft released Office XP Service Pack 3 along with security bulletin MS04-009. The exploit described in the security bulletin affects only Outlook 2002 SP2, so updating to SP3 takes care of one worry but may create more problems, as updating to Outlook 2002 SP3 adds additional security measures, bringing it inline with Outlook 2003, but without trusted add-ins. As a result, after installing Outlook 2002 SP3 you many see the 'a program is trying to access... allow it for 1 minute' security warning.

This warning message is a result of Outlook 2002 SP3 adding additional properties to the list of those that are affected by the security features, properties which are blocked by Outlook 2003. Anti-spam add-ins, which read the message body as part of their anti-spam scanning, are a common cause although other add-ins are affected by the changes as well. Many add-ins were updated following the release of Outlook 2003 and should work with SP3, but because Outlook 2002 SP3 doesn't support trusted add-ins, others will need to be re-engineered to work with it. Until the add-ins which cause this warning are updated, you'll need to either live with the warning or disable the add-in, as SP3 cannot be uninstalled, unless you use a version of Windows that supports System Restore and restore to a point prior to SP3's installation.

Other notable changes include:

Additional file extensions are blocked by SP3. These are asp, tmp, vsmacros, vss, vst, vsw, and ws.  Attachment Options was updated to handle these new file types, but unless you routinely send and receive these file types by email, you shouldn't unblock them.

The preview pane displays the sender's name and address in
Display Name [email@address.com] <email@address.com> format. This format is also used on some, but not all, opened messages.

The following issues are covered in more detail in Sue Mosher's master article on the "object model guard" security prompts and her accompanying article for  forms developers. Additional information on the development issues is at www.outlookcode.com.

VBScript in forms won't run and folder home pages won't load in folders in delegated/shared mailboxes. Use the SharedFolderScript reg key to re-enable it on mailbox folder or PublicFolderScript reg key to enable it on Public Folders.

The forms cache is folder specific as it is in Outlook 2003.

The <Filter> tag of the ViewXML property of the View Control won't work unless it's on a folder home page (i.e. "trusted").

Like many visitors to the Microsoft newsgroups you're probably wondering: "Didn't Microsoft test this?" Well, yes, but... SP's usually have a limited number of outside beta testers and the beta notes did not mention security changes. Apparently few, if any, beta testers used programs that triggered the warnings in Outlook, so no one knew about the security changes prior to the official release, or which add-ins would trigger the security warnings. Additionally, release notes did not mention the security changes and the KB articles covering the changes were not available at the time of SP3's release. It clearly was Microsoft's best-kept secret and caught everyone by surprise.

Administrators should not apply this SP on production systems until thoroughly testing it with their custom applications and forms first.

For the latest information on the applications and add-ins known to be affected, see http://www.slipstick.com/outlook/ol2002sp3.htm#problems. Information on Outlook's security features in general can be found at http://www.slipstick.com/outlook/esecup.htm.

For a list of all issues that are fixed for Microsoft Outlook 2002 in Service Pack 3, see Description of Microsoft Office XP Service Pack 3

Custom solutions and add-ins that integrate with Outlook 2002 are affected after you apply Office XP Service Pack 3 (SP3)

Download Office SP3: http://www.microsoft.com/downloads/details.aspx?familyid=85af7bfd-6f69-4289-8bd1-eb966bcdfb5e&displaylang=en
Note that SP3 contains all updates included in Office XP Service Pack 1 (SP1) and Office XP Service Pack 2 (SP2), and updates released after SP2.

Security bulletin MS04-009 addresses a security vulnerability which exists within Outlook 2002 that could allow Internet Explorer to execute script code in the Local Machine zone on an affected system. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page.

Since users are only at risk when Outlook 2002 is configured as the default mail reader and when the "Outlook Today" home page is their default folder home page, they can disable Outlook Today by unchecking the option to show a folder homepage by default to fix this vulnerability.

As a reminder, you should not log on to administrator accounts for normal usage, even though it is more convenient. If an attacker exploited this vulnerability, the attacker would gain only the same privileges as the user. This means users running under user accounts with fewer privileges on the system would be at less risk than users who use the administrator account..

Only Outlook 2002-SP2 is affected by this exploit, Outlook 98, 2000, and 2003 are not affected, however, anyone who doesn't use Outlook Today can disable it as a precaution. To disable Outlook Today, right click on the top level folder in the mailbox or personal folders. (It's the folder with the little house icon.) Choose Properties, then Home Page and remove the check from "Show home page by default for this folder".

For more information about the exploit, see http://www.microsoft.com/technet/security/Bulletin/MS04-009.mspx.

You can test Outlook by visiting http://www.nettwerked.co.uk/code/outlooksploit.html or learn more about the test at http://www.securityfocus.com/archive/1/357055/2004-03-10/2004-03-16/0. If you test this exploit using other versions of Outlook you may receive a warning that the command line is invalid. We believe Outlook is safe when this warning is displayed while running the test, since the error is expected when a command line that is not valid is used and the test uses JavaScript to run the command line. However, it may indicate that you need to revisit your Internet Zone Security settings.

Yes, you can. You may also want to create a script or batch file and schedule it to delete the contents of badmail every few days or weeks.

"Is there any way to recover e-mail from the badmail folder or read one of them after it has been sentenced to the badmail folder?"

Again, the answer is "Yes, you can." Each message dropped into the badmail folder has three files associated with it, one each with *.BDR, *.BDP, and *.BAD extensions.

If you really want to know what kind of messages are dropped to badmail, the *.BAD file contains the message itself and can be read in notepad. I've never found a legitimate message in my badmail folder, most were failed NDRs.

The BDR file has some information about the error that caused the message to be dropped in badmail, and can be opened in Notepad. You'll see an error message similar to this one, with the recipients names listed at the end.

"Unable to deliver this message because the follow error was encountered: This message is a delivery status notification that cannot be delivered. The specific error code was 0xC00402C7. The message sender was <>. The message was intended for the following recipients."

The *.BDP file can be opened in Notepad too, but is less than useful since it's binary data, not a text file. The information that is readable doesn't give you any more information than you learned from the other files. In any event, if you need to satisfy your curiosity that you aren't losing good messages to badmail, the *.BAD file is the one to open.

"I was wondering if there is some way that I can configure a password required to open Microsoft Outlook program. The thing is my computer can be accessed by a lot of people in my absence and I want to protect my emails to be read by another person than me."

Read complete article...

"I want Outlook to let me know when I have new mail. Is there a way for Outlook to notify me when new mail arrives, but only mail that stays in my Inbox not mail that moves through my Inbox to my deleted items folder? (I have a rule set up to move certain e-mails to my deleted items folder.)"

Yes, you can do this, but not using the normal mail alert. You'll need to create a rule to notify you using the New Alert dialog.

Add "stop processing" to all of the rules then create one last rule. Since you want to apply this rule to all mail left in your Inbox, don't choose a condition. As your action, "display a specific message in the New Alert window". Click on specific message and enter some text.

Note that because Outlook 2003's Junk mail filtering runs after Rules Wizard, this method may prevent the junk mail filter from processing mail, making it less than useful for users of Outlook 2003.