Exchange Messaging Outlook
Volume 6, Number 8

Greetings! Welcome to Vol. 6, No. 8, of Exchange Messaging Outlook, a biweekly newsletter about Microsoft Exchange and Microsoft Outlook.

Today's highlights:
  • Outlook View Control and CLSID Security Holes Patched
  • Updated OVC Causes Problem for Digital Dashboards
  • Teach Yourself Outlook 2000 Programming Unavailable
  • Microsoft Personal Security Advisor
  • Office Developer Connections conference
  • MEC Awards 2001
  • MEC registration open

Regular features:

  • New utilities
  • Updated utilities
  • Other new resources

Outlook View Control And CLSID Security Holes Patched

In the last issue of EMO, I wrote about the security vulnerability found by George Guninski in the Outlook View Control (OVC), which is integrated into Outlook 2002 and available as a separate component for Outlook 2000. Microsoft has now issued OVC patches for both Outlook 2000 and Outlook 2002.

For Outlook 2002, download the August 16, 2001 Update from http://office.microsoft.com/downloads/2002/olk1003.aspx. The MSKB article at http://support.microsoft.com/support/kb/articles/q303/8/25.asp explains how to deploy the administrative version of the update.

For Outlook 2000, you can download the updated OVC from http://office.microsoft.com/downloads/2000/outlctlx.aspx. As a bonus, this version of the Outlook View Control (10.0.0.3124) now supports the Selection object, just as the Outlook 2002 version does, which opens up a whole new realm of possibilities for programmers using the OVC. [Editor's note: Additional testing after this issue of EMO was distributed found that Selection is not in fact available as a child object of the Outlook View Control.]

Even though the original security bulletin on this vulnerability included both Outlook 98 and Outlook 2000, our testing -- using Guninski's original demonstration script at http://www.guninski.com/vv3-2demo.html -- didn't show the vulnerabilities that Guninski described. (Hey, it was news to me that the OVC worked at all in an Outlook 98 environment, but it does, showing whatever folder you configure the Outlook 2000 OVC to display.) Perhaps Microsoft found something else in the Outlook 2000 version that needed patching, beyond what was in Guninski's demo.

The August 16, 2001 Update for Outlook 2002 is the second in a cumulative series of regular updates that Microsoft plans to issue for Office, largely to correct security problems. This update also plugs a vulnerability related to attachments using a CLSID unique identifier as the file extension instead of the standard three-letter extension, such as .exe or .doc.

To plug the CLSID hole for Outlook 2000, Microsoft has revised the Outlook E-mail Security Update. The new version is available for download at http://office.microsoft.com/downloads/2000/out2ksec.aspx.

In addition to the downloads discussed above, Microsoft has also updated the copy of the Outlook 2000 OVC posted at http://activex.microsoft.com/activex/controls/office/outlctlx.cab, which many digital dashboards and other applications use as the codebase to make it easy for users to download the latest version.
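The CLSID-as-extension attachment naming described in this section can also be screened for at a mail gateway. The following is an added example, not code from this newsletter or from Microsoft; the sample message, its filenames, and the all-zero CLSID are constructed placeholders, and the trailing-character handling is an assumption noted in the code.

```python
import re
from email.message import EmailMessage

# Registry-style CLSID used as the last "extension": .{8-4-4-4-12 hex digits}
CLSID_EXT = re.compile(
    r"\.\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$"
)

def has_clsid_extension(filename):
    """True if the final extension of filename is a brace-delimited CLSID."""
    # Assumption: trailing spaces and dots are stripped first, because
    # Windows ignores them when it resolves a file name.
    return bool(CLSID_EXT.search(filename.rstrip(" .")))

def clsid_attachments(msg):
    """Return filenames of MIME parts whose name ends in a CLSID extension."""
    flagged = []
    for part in msg.walk():
        # get_filename() reads the Content-Disposition filename, falling
        # back to the Content-Type name parameter.
        name = part.get_filename()
        if name and has_clsid_extension(name):
            flagged.append(name)
    return flagged

def build_sample():
    """Constructed test message; the all-zero CLSID is a placeholder."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attachments.")
    for name in (
        "report.doc",
        "budget {draft}.xls",
        "notes.txt.{00000000-0000-0000-0000-000000000000}",
    ):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    for name in clsid_attachments(build_sample()):
        print("quarantine:", name)
```
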

Updated OVC Causes Problem For Digital Dashboards

To secure the Outlook View Control, Microsoft has changed its functionality. The new version no longer supports the use of the View parameter when using the OVC outside Outlook, such as in an independent digital dashboard. Unfortunately, instead of degrading gracefully and just ignoring the View parameter when it is present, the control disregards the Folder parameter value as well and displays the Inbox.

Also, any code that attempts to set the View property results in a Permission Denied error.

This change in functionality is baffling. Why would switching to a named view that already exists on a user's system pose a security threat?

I have posted a page at https://www.slipstick.com/dev/ovcviewdemo.htm that illustrates the issue. If you have the updated control, you should get different results on Tests 1 and 3 depending on whether the page is running in IE or as an Outlook folder home page.

The workaround is simply not to use the View parameter with the Outlook View Control if your application may be viewed in a browser, not an Outlook folder home page.

As far as we can tell, if you use the Outlook View Control only within an Outlook context, such as a form or Team Folders folder home page, it will continue to function as you'd expect.

Teach Yourself Outlook 2000 Programming Unavailable

I have been informed that my Teach Yourself Outlook 2000 Programming book is now out-of-print. This is very disappointing, since it was really the only comprehensive book for novice Outlook developers (and power users) and virtually all the content was still relevant to Outlook 2002.

The online bookstores and Sams, the publisher, definitely do not have copies of this book, so if you see it in a store, you might want to grab it.

I will be working to make the content available again, updated for Outlook 2002, but that effort probably will not bear fruit until early 2002. In the meantime, feel free to ask questions in our Outlook developers discussion list (http://groups.yahoo.com/group/outlook-dev/) or in the microsoft.public.outlook.* newsgroups. Beginners are always welcome in both forums.

Microsoft Personal Security Advisor

At http://www.microsoft.com/technet/mpsa/start.asp, you'll find an interesting new tool developed for Microsoft by Shavlik Technologies. The Microsoft Personal Security Advisor scans your system for possible vulnerabilities and provides you with an immediate report and suggestions on how to make your system safer from intrusion.

It's a useful tool, though not as granular as I'd like to see. For example, it popped up a potential risk that my Internet Explorer settings for the Restricted Sites zone aren't as tight as they should be. Well, I've actually made them even tighter than the default settings for High security.

Also, it reports "Outlook Attachment Security" as High. If this is what I think it is, it's a setting that's relevant only to versions of Outlook before the Email Security Update. On the other hand, MPSA did not detect that I have used the Level1Remove registry value to allow access to certain types of files that Outlook 2002 normally blocks.

It also isn't checking the default mail client, because it gave me this message:

"Outlook Express is installed on your computer. If possible, consider using Outlook as your primary email client."

Outlook 2002 already is my primary mail client. Outlook Express, of course, is required for Outlook 98 or later versions to run.

On the other hand, it reminded me that I hadn't installed the latest Windows service pack and some hotfixes. It's nice to have a to-do list to work from. Try it and see if you get new ideas for tightening up your own security. You can send feedback to mpsa@microsoft.com.

Office Developer Connections Conference

I will be speaking on Outlook development at the Office Developer Connections conference Oct. 4-5 in Scottsdale, Arizona -- covering Outlook security, Outlook reports, and what's new for developers in Outlook 2002. One of the sample applications that I'll be showing adds "merge to HTML e-mail" capability to Office XP, without raising the Outlook security prompts. Register at http://www.msofficeconnections.com.

MEC Awards 2001

Once again, Microsoft is seeking the best applications for Exchange and best solutions that leverage Exchange features. You can nominate your company or your favorite tool in any of 10 categories at http://www.microsoft.com/corpevents/mec2001/awards.asp. Winners will be announced at MEC in Orlando in October. Get your nominations in before August 27 at 3:00 PM Pacific Daylight Savings Time.

MEC registration open

Registration is now open for MEC 2001 in Orlando, Florida, Sept. 30 - Oct. 4. Exhibits open Sept. 30, with conference sessions beginning Oct. 1. Microsoft is now billing MEC as the "premier Exchange, Windows, and .NET Enterprise Servers event." Register at http://www.microsoft.com/MSCorp/corpevents/mec2001/reg.asp by August 24 to get a discount.

MEC Europe will take place in Nice, France, Nov. 6-9. The web site at http://www.microsoft.com/europe/mec/ is expected to have registration details at the end of June.

MEC Japan will be in Tokyo, Oct. 29-30 (a change from the August date that Microsoft gave earlier). No registration site yet.

New Utilities

ERETURN DETECTIVE
http://www.personalcrm.com/ereturndetective.htm
Monitors bounced messages to notify you which contact may need updating. For Outlook 2000 or later.

GNUPG-PLUGIN
http://www.gdata.de/gpg/download.html
Encryption add-in for Outlook. Both recipient and sender need to be using it. Available in English and German versions. Source code available, too. Free.

SETFROM
http://victori.hypermart.net/setfrom.html
Outlook 2000 COM add-in for Corporate/Workgroup mode that lets you automatically insert in the "From:" or "Have replies sent to:" field any address/alias that you need for each outgoing message. If you're mainly concerned with getting From right when replying to mail from another user's Exchange mailbox, RIGHTFROM (http://victori.hypermart.net/rightfrom.html), from the same author, would be more appropriate. 

Updated utilities

HOTFIX FOR OFFICE XP ENTERPRISE EDITION
http://support.microsoft.com/support/kb/articles/Q304/2/26.ASP
Under certain conditions a PC to which Office XP was deployed using the enterprise edition may display a notice that activation is required. This notice appears in error. A hotfix is available.

OUTLOOK 2000 E-MAIL SECURITY UPDATE
http://office.microsoft.com/downloads/2000/Out2ksec.aspx
Updated version, fixing a security vulnerability related to file attachments that use a CLSID rather than a three-letter file extension. See Office 2000 Resource Kit Toolbox (http://www.microsoft.com/Office/ORK/2000/appndx/toolbox.htm) for the administrative version.

OUTLOOK 2000 SR-1 UPDATE VIEW CONTROL SECURITY
http://office.microsoft.com/downloads/2000/outlctlx.aspx
Update to the Outlook View Control used in Team Folders and digital dashboards to cure a significant security vulnerability. Requires Office 2000 SR-1/1a.

OUTLOOK 2002 UPDATE AUGUST 16, 2001
http://office.microsoft.com/downloads/2002/OLK1003.aspx
Second update to Outlook 2002, fixing several problems:

Outlook View Control Exposes Unsafe Functionality
http://www.microsoft.com/technet/security/bulletin/ms01-038.asp

Vulnerability to file attachments with a CLSID in the file extension -- These are now blocked.

BUG: Sort Method Sorts Incorrectly with Recurring Appointments
http://support.microsoft.com/support/kb/articles/q254/7/14.asp

See http://support.microsoft.com/support/kb/articles/q303/8/25.asp for more information, including instructions on how to deploy the administrative version of this update.

Other new resources

EXCHANGE 2000 SDK
http://msdn.microsoft.com/exchange/
June 2001 version of the SDK documentation, samples, etc.

I405.COM LITEMAIL
http://www.i405.com/LM/
Stripped down version of Outlook Web Access for Exchange 5.5, for use by WAP and PDA devices.

IT FACTORY DEVELOPMENT CENTER FOR MICROSOFT
http://www.itfactory.com/itf/homepage.nsf/web/ProductDevCenterSet
First visual tool for developing applications for the Exchange 2000 and SharePoint Portal System stores. Operates as a Visual InterDev add-in, providing wizards and drag and drop programming tools.

MICROSOFT OFFICE XP DEPLOYMENT AND ADMINISTRATION
http://www.microsoft.com/seminar/mmcfeed/mmcdisplayfeed.asp?Lang=en&PF=100503&Audience=IT Pro
12-part Microsoft online seminar covering everything from planning to security to SharePoint Team Services.

OUTLOOK WEB ACCESS FOR WAP AND PDA
http://www.leederbyshire.com/
Separate OWA versions for WAP and PDA devices, plus a mailbox size utility for OWA, all for Exchange 5.5.

TOUT POUR CONFIGURER OUTLOOK ET OUTLOOK EXPRESS
http://configmail.free.fr/
Outlook configuration basics, in French, with lots of screen shots.

VIRUS PROTECTION FOR MESSAGING
http://www.microsoft.com/seminar/mmcfeed/mmcdisplayfeed.asp?Lang=en&PF=100503&Audience=IT Pro
Microsoft online seminar covering Outlook, ISA, and Exchange 2000.

ISSN 1523-7990 Copyright 1996-2015, Slipstick Systems and CDOLive LLC. All rights reserved.

Updated Monday February 06 2017
