Greetings! Welcome to Vol. 6, No. 8, of Exchange Messaging
Outlook, a biweekly newsletter about Microsoft Exchange and
- Outlook View Control and CLSID Security Holes
- Updated OVC Causes Problem for Digital Dashboards
- Office Developer connections conference
- Teach Yourself Outlook 2000 Programming Unavailable
- Microsoft Personal Security Advisor
- Office Developer Connections conference
- MEC Awards 2001
- MEC registration open
- New utilities
- Updated utilities
- Other new resources
Outlook View Control And CLSID Security Holes Patched
In the last issue of EMO, I wrote about the security
vulnerability found by George Guninski in the Outlook View Control
(OVC), which is integrated into Outlook 2002 and available as a
separate component for Outlook 2000. Microsoft has now issued OVC
patches for both Outlook 2000 and Outlook 2002.
For Outlook 2002, download the August 16, 2001 Update from
MSKB article at
explains how to deploy the administrative version of the update.
For Outlook 2000, you can download the updated OVC from
http://office.microsoft.com/downloads/2000/outlctlx.aspx. As a
bonus, this version of the Outlook View Control (10.0.0.3124) now
supports the Selection object, just as the Outlook 2002 version
does, which opens up a whole new realm of possibilities for
programmers using the OVC. [Editor's note: Additional testing
after this issue of EMO was distributed found that Selection is
not in fact available as a child object of the Outlook View
Even though the original security bulletin on this vulnerability
included both Outlook 98 and Outlook 2000, our testing -- using
Guninski's original demonstration script at
http://www.guninski.com/vv3-2demo.html -- didn't show the
vulnerabilities that Guninski described. (Hey, it was news to me
that the OVC worked at all in an Outlook 98 environment, but it
does, showing whatever folder you configure the Outlook 2000 OVC to
display.) Perhaps Microsoft found something else in the Outlook 2000
version that needed patching, beyond what was in Guninski's demo.
The August 16, 2001 Update for Outlook 2002 is the second in a
cumulative series of regular updates that Microsoft plans to issue
for Office, largely to correct security problems. This update also
plugs a vulnerability related to attachments using a CLSID unique
identifier as the file extension instead of the standard
three-letter extension, such as .exe or .doc.
To plug the CLSID hole for Outlook 2000, Microsoft has revised
the Outlook E-mail Security Update. The new version is available for
In addition to the downloads discussed above, Microsoft has also
updated the copy of the Outlook 2000 OVC posted at
which many digital dashboards and other applications use as the
codebase to make it easy for users to download the latest version.
Updated OVC Causes Problem For Digital
To secure the Outlook View Control, Microsoft has changed its
functionality. The new version no longer supports the use of the
View parameter when using the OVC outside Outlook, such as in an
independent digital dashboard. Unfortunately, instead of degrading
gracefully and just ignoring the View parameter when it is present,
the control disregards the Folder parameter value as well and
displays the Inbox.
Also, any code that attempts to set the View property results in
a Permission Denied error.
This change in functionality is baffling. Why would switching to
a named view that already exists on a user's system pose a security
I have posted a page at
https://www.slipstick.com/dev/ovcviewdemo.htm that illustrates
the issue. If you have the updated control, you should get different
results on Tests 1 and 3 depending on whether the page is running in
IE or as an Outlook folder home page.
The workaround is simply not to use the View parameter with the
Outlook View Control if your application may be viewed in a browser,
not an Outlook folder home page.
As far as we can tell, if you use the Outlook View Control only
within an Outlook context, such as a form or Team Folders folder
home page, it will continue to function as you'd expect.
Teach Yourself Outlook 2000 Programming Unavailable
I have been informed that my Teach Yourself Outlook 2000
Programming book is now out-of-print. This is very disappointing,
since it was really the only comprehensive book for novice Outlook
developers (and power users) and virtually all the content was still
relevant to Outlook 2002.
The online bookstores and Sams, the publisher, definitely do not
have copies of this book, so if you see it in a store, you might
want to grab it.
I will be working to make the content available again, updated
for Outlook 2002, but that effort probably will not bear fruit until
early 2002. In the meantime, feel free to ask questions in our Outlook developers discussion list (http://groups.yahoo.com/group/outlook-dev/)
or in the microsoft.public.outlook.* newsgroups. Beginners are
always welcome in both forums.
Microsoft Personal Security Advisor
you'll find an interesting new tool developed for Microsoft by
Shavlik Technologies. The Microsoft Personal Security Advisor scans
your system for possible vulnerabilities and provides you with an
immediate report and suggestions on how to make your system safer
It's a useful tool, though not as granular as I'd like to see.
For example, it popped up a potential risk that my Internet Explorer
settings for the Restricted Sites zone aren't as tight as they
should be. Well, I've actually made them even tighter than the
default settings for High security.
Also, it reports "Outlook Attachment Security" as High. If this
is what I think it is, it's a setting that's relevant only to
versions of Outlook before the Email Security Update. On the other
hand, MPSA did not detect that I have used the Level1Remove registry
value to allow access to certain types of files that Outlook 2002
It also isn't checking the default mail client, because it gave
me this message:
"Outlook Express is installed on your computer. If possible,
consider using Outlook as your primary email client."
Outlook 2002 already is my primary mail client. Outlook Express,
of course, is required for Outlook 98 or later versions to run.
On the other hand, it reminded me that I hadn't installed the
latest Windows service pack and some hotfixes. It's nice to have a
to-do list to work from. Try it and see if you get new ideas for
tightening up your own security. You can send feedback to firstname.lastname@example.org.
Office Developer Connections Conference
I will be speaking on Outlook development at the Office Developer
Connections conference Oct. 4-5 in Scottsdale, Arizona -- covering
Outlook security, Outlook reports, and what's new for developers in
Outlook 2002. One of the sample applications that I'll be showing
adds "merge to HTML e-mail" capability to Office XP, without raising
the Outlook security prompts. Register at
MEC Awards 2001
Once again, Microsoft is seeking the best applications for
Exchange and best solutions that leverage Exchange features. You can
nominate your company or your favorite tool in any of 10 categories
will be announced at MEC in Orlando in October. Get your nominations
in before August 27 at 3:00 PM Pacific Daylight Savings Time.
MEC registration open
Registration is now open for MEC 2001 in Orlando, Florida, Sept.
30 - Oct. 4. Exhibits open Sept. 30, with conference sessions
beginning Oct. 1. Microsoft is now billing MEC as the "premier
Exchange, Windows, and .NET Enterprise Servers event." Register at
by August 24 to get a discount.
MEC Europe will take place in Nice, France, Nov. 6-9. The web
http://www.microsoft.com/europe/mec/ is expected to
have registration details at the end of June.
MEC Japan will be in Tokyo, Oct. 29-30 (a change from the August
date that Microsoft gave earlier). No registration site yet.