Join Outlook & Exchange Solutions Center on Facebook Follow @slipstickcom on Twitter


Outlook CDO Security Update



Please note: This page references older, outdated technology and is no longer maintained. As a result, links may point to documents no longer available or redirect to articles referencing newer versions. We've left it published for historical reasons and in the hope that it will benefit the few sites stilling using the older technology.


Microsoft has released additional patches for Outlook 2000 and Outlook 98 that work with the Outlook E-mail Security Update to provide the same level of security to the Collaboration Data Objects (CDO) programming interface, which is often used in Outlook client applications. This update has the same effect on applications using CDO as the Outlook E-mail Security Update had on applications using the Outlook object model. It blocks these functions:
  • Saving .exe, .com, .mdb and other types of file attachments that Microsoft considers dangerous
  • Accessing address information
  • Sending messages programmatically
  • Any program that tries to use CDO to get to address information or send a message will pop up a prompt that the user must respond to before the program can continue its work. A system running this patch will not be able to save "dangerous" attachments with CDO code.

    As with the Outlook E-mail Security Update, administrators can customize the effects of the CDO patch with the security settings form. See Customizing the Outlook 98/2000 E-mail Security Update. This is the only way to override the security settings in the update. Standalone users and users in other mail environments cannot customize the features of the update in any way. 

    Basic Facts and Download | Should you install this patch? | Installation | Removing the Patch | Attachment Security | Automation Security | More Information

    Basic Facts and Download

    Outlook 2000:
  • Outlook 2000 Collaboration Data Objects (CDO) Update Security (download page)
  • OL2000 Information About the CDO E-mail Security Update
  • Microsoft Outlook 2000 Service Pack 2 -- includes the E-mail Security Update and CDO Update.
  • Outlook 98: 

  • Outlook 98 Collaboration Data Objects (CDO) Update Security -- restores CDO to Outlook 98 with a secured version 
  • OL98 Information About the CDO E-mail Security Update
  • There also is no version for Outlook 97.

    Back to Top

    Should you install this patch? 

    CDO is not installed with Outlook 2000 by default. If the Cdo.dll file is not on your system, then you don't need this patch. The patch will say that it installs successfully, but it won't actually do anything to your system.

    On Outlook 98, installing the Outlook E-mail Security Update automatically removes CDO. The patch listed above restores CDO with a secured version.

    Under no circumstances should you install the CDO update on a server! This is strictly a client update. If you successfully install it on a server, your Exchange Server scripts, Outlook Web Access and any other ASP pages that use CDO may stop working. 

      Back to Top

    Installation 

    On Outlook 98, the CDO patch works only if the Outlook E-mail Security Update is in place.

    On Outlook 2000, the CDO patch works only if the Outlook E-mail Security Update is in place and you included CDO as a component installed through Office 2000 setup (rather than through a separate setup program). Before installing the CDO patch, you should check:

  • The version number for Outlook 2000 -- Click Help | About Microsoft Outlook. The About dialog should give the version number as 9.0.0.4201 or later and include the phrase "Security Update."
  • Whether CDO is installed on your system -- Use the Start | Find or Start | Search command to locate the cdo.dll file. The copy that Outlook 2000 installs should be in a subfolder such as under the \Program Files\Common Files\System\Mapi\1033 folder. (1033 is for U.S. English. If you have a different language version of Outlook, you'll see a different number.) The subfolder is 95 for Windows 95 and 98 users, NT for Windows NT and Windows 2000 users.
  • If you do not see a copy of Cdo.dll, your installation of Outlook 2000 does not include the Collaboration Data Objects component, and you do not need to install the CDO patch. CDO is not included in a default Outlook 2000 installation, so there's a very good chance that it is not present on your system.

    On Windows NT and Windows 2000 systems, you must have Administrator rights to install the patch.

    Do not install the Outlook 2000 CDO patch through the link on the OfficeUpdate Product Updates page. This page automatically checks your system for installed updates. However, it does not install the CDO update correctly, nor does it accurately report whether you have already installed the CDO update. Instead, download the patch from Outlook 2000 Collaboration Data Objects (CDO) Update Security and run the Cdoupdt.exe file. You should restart Windows after installing the patch. 

    The date on the updated version should be June 19, 2000, and the properties for the file should give its description as "Collaboration Data Objects 1.21s." The "s" stands for security, of course.

    If you installed the update, but the date on Cdo.dll did not change, that probably means that the CDO component was installed by some method other than Office 2000 setup. You should go to Control Panel, start Add/Remove Programs, and choose Office 2000 SR-1 (or Outlook 2000, depending on which you have installed). Click Add or Remove Features and then select Collaboration Data Objects under the Outlook components, setting it to Run from My Computer. Click Finish to complete installation of CDO via Office/Outlook setup. After setup completes, install the CDO patch again. This time, the date and description on the Cdo.dll file should show that it's the updated version.

    Removing the Patch

    To remove the patch on Outlook 2000: 

    1. Run Setup.exe from your original Office or Outlook 2000 CD.
    2. Click Add or Remove Features
    3. Under Outlook 2000, set the Collaboration Data Objects component to Not Available.  
    4. Click Finish

    To restore the original version of CDO after removing the patch from Outlook 2000:

    1. Run Setup.exe from your original Office or Outlook 2000 CD.
    2. Click Add or Remove Features
    3. Under Outlook 2000, set the Collaboration Data Objects component to Run from My Computer.  
    4. Click Finish

    We do not know any method for removing the patch from Outlook 98. 

    Attachment Security 

    Systems running this patch will no longer be able to open or save "dangerous" files programmatically via CDO if they are attached to an Outlook message. For the list of files, see Attachment Security

    Automation Security 

    The "object model guard" feature of the patch imposes two extreme restrictions on automating Outlook from add-ins that use CDO: 

  • If an add-in tries to send an Outlook message, the user gets a notification pop-up and must explicitly authorize or deny each attempt to send. The user must wait 5 seconds before the Yes button becomes available to click.  

  • If an add-in tries to access either a Contacts folder or the address book or save an Outlook item as a file, the user gets a notification pop-up and can deny access, authorize a one-time access or extend access for a period of several minutes. 

  • See:

  • INFO Developer Information About the CDO E-mail Security Update
  • OL2000: Developer Information About the Outlook E-mail Security Update
  • Back to Top

    More Information

  •  Installing the Outlook 98 Email Security Update with CDO
  • This page is printer friendly
    
    Copyright Slipstick Systems. All rights reserved.
    Send comments using our Feedback page

    Back to Top