The Outlook Email Security Update for Outlook 98 and Outlook 2000 disables many of the features that allow viruses to spread quickly. The security update is also integrated into Office 2000 Service Pack 2. Newer versions of Outlook have the features built in, with one major change -- users can modify the list of blocked attachments and loosen security using Group Policy or registry edits.
Outlook 2007 and up allow end-users (or administrators) to better control the security.
To find out whether your copy of Outlook includes the security update, you can check the version number with the Help | About Microsoft Outlook command and compare it with this chart, which lists the versions with the security update:
|Outlook Version||Version Number|
|Outlook 2016||All versions (16.0.x.x)|
|Outlook 2013||All versions (15.0.x.x)|
|Outlook 2010||All versions (14.0.x.x)|
|Outlook 2007||All versions (12.0.x.x)|
|Outlook 2003||All versions (11.0.x.x)|
|Outlook 2002||All versions (10.0.x.x)|
|Outlook 2000||Version 184.108.40.20601 and later|
|Outlook 98||Version 8.5.7806 and later|
|Outlook 97||Not applicable, since the security update is not available for Outlook 97|
The update makes it difficult, if not impossible, to open program files in Outlook -- including VBScript .vbs files like those that spread Loveletter. It is also aimed at making it more difficult for a virus to use Outlook to transmit itself via e-mail. This aspect of the patch, however, means that some Outlook features will no longer function at all. In other cases, a user may need to authorize access by outside programs, such as bulk mail applications.
Microsoft has provided two ways to customize the security settings in older versions:
- In Microsoft Exchange Server environments, administrators can customize the security settings by installing a special Outlook custom form in a public folder and configuring security options for individuals and groups.
- In Outlook 2002, end users can allow access to particular file attachment types that the security features normally block. However, administrators can block this customization with the new security form for Outlook 2002.
Basic Facts and Download | Should you install this patch? | Removing the Patch | Attachment Security | Automation Security | Outlook Forms Security | Outlook Security Zone | Other Changes | Known Problems | More Information
Basic Facts and Download
- Administrative Options for the Microsoft Outlook E-mail Security Patch
- OL2000 Known Setup Issues with the Outlook E-mail Security Update
- Nothing to download -- the security features are built in.
- End users can allow access to particular file attachment types that the security features normally block.
Note that you must install the Office Service Release 1 update before installing the security update.
- Outlook 2000 SR-1 Update E-mail Security (download page) -- Updated August 2001 to resolve a security vulnerability with file attachments that use a CLSID (unique identifier) as the file extension.
- OL2000: Information About the Outlook E-mail Security Update
- OL2000- Known Issues with the Outlook E-Mail Security Update
- Microsoft Outlook 2000 Service Pack 2 includes the E-mail Security Update and CDO Update.
- OL2000 You Receive an Error Message After You Install Outlook 2000 SR-1 Extended E-mail Security Update on Some Localized Versions of Outlook
Related Updates for Outlook 2000 SR-1
- Word 2000 SR-1 Update Mail Command Security to block possible unauthorized sending of messages through the plain text or HTML WordMail or "Office envelope" feature
- Microsoft Outlook CDO Security Update to apply the same level of security to the Collaboration Data Objects programming interface
- Outlook 98 Update E-mail Security (download page)
- OL98- Information About the Outlook E-mail Security Update
- OL98- Known Issues with the Outlook E-Mail Security Update
Should you install this patch?
Proceed with caution. Removing the patch on Outlook 2000 is no easy matter.
|Normal standalone users||If you don't automate Outlook with code, this patch may be a good tradeoff between additional security and the inconvenience you might suffer in having to click the warning when you synchronize with a PDA. If you use Outlook 98 and various Outlook add-ins, check with your add-in vendor to find out whether you should Install the Outlook 98 Email Security Update with CDO in order to keep the CDO (Collaboration Data Objects) component.|
|Power users||If you automate Outlook with code or use various Outlook add-ins, you will not want to install this patch until you evaluate its possible effects on your add-ins and code. See Applications Affected by the Outlook Email Security Update.|
|Net Folders users||If you depend on Outlook Net Folders to share information, this patch may make that feature slightly less convenient to use, because it pops up a dialog when you share a new folder. However, contrary to the initial information from Microsoft, the notes for the release version indicate that the Net Folders feature should continue to work. Therefore, you can generally follow the recommendations for normal and power users above.|
|Exchange Server and HP OpenMail administrators in Outlook environments||The administrative features will make this patch acceptable in some cases. However, we still recommend that you carefully evaluate whether to roll out this patch. It could potentially affect both mission-critical Outlook add-ins and ad hoc, undocumented applications created by individual users. While you can relax some or all of the patch's restrictions for individuals or groups of users (see Customizing the Outlook 98/2000 E-mail Security Update), you will want to plan your security groups and settings very carefully. Also, you may want to consider Installing the Outlook 98 Email Security Update with CDO in order to keep the CDO (Collaboration Data Objects) component that many in-house Outlook forms and applications use.|
|Other corporate mail administrators||We do not recommend installing the patch in non-Exchange Server corporate mail environments until you evaluate its possible effects on mission-critical Outlook add-ins and ad hoc, undocumented applications created by individual users. Microsoft has provided information to Lotus and Novell Groupwise so that they can develop administrative tools comparable to those provided by Microsoft for Exchange Server and HP OpenMail.|
Removing the Patch
- Removal is not possible. All the security features are integrated into the program, but end users can modify the list of blocked attachments.
- You must remove Outlook and perform a complete reinstall. If you installed Outlook as part of Office 2000, you must remove Office 2000 completely -- not just the Outlook components -- and reinstall Office. See OFF2000 How to Completely Remove Office CD1 on Windows 2000 and OFF2000 Utility to Completely Remove Remaining Office CD1 Files and Registry Entries.
- Interestingly, several people on the newsgroups have reported good results from just replacing two Outlook application files with the corresponding files from the original Office CD or Office 2000 SR-1. (SR-1 probably would be better -- you could copy them before you run the SP2 update.) The two files are Outllib.dll from the Office folder and Outllibr.dll from the Office\1033 folder. This is an unsupported method and probably does not fix all the aspects of the patch, however. It may also cause other problems on your system. Implement at your own risk.
- Use Control Panel | Add/Remove Programs to remove the patch and automatically reinstall the necessary original Outlook 98 components. If you installed Outlook 98 from CD, it's a quick, painless process. If you installed Outlook 98 via the web, you may have to connect to the Internet to complete the reinstallation process.
Systems with the security update for Outlook 2000 and 98 or with Outlook 2002 will no longer be able to open or save the files listed below if they are attached to an Outlook message. The attachments will still be in the messages, and other programs or Outlook add-ins may be able to access them, but they will be invisible to Outlook itself.
In addition to these "Level 1" attachments, as Microsoft calls them, the patch also supports a "Level 2" list, which warns users when they try to open a file attached to a message. End users with Outlook 2002 or Office 2000 SP3 can demote a file type from Level 1 to Level 2. Only administrators in an Exchange Server environment can customize the Level 2 list.
If you don't have Outlook 2002 or Office 2000 SP3, there are many ways to open these "dangerous" files. See Opening .exe Attachments with the Microsoft Outlook E-mail Security Patch.
Users will also see a warning if they try to send an e-mail message that contains any Level 1 file attachment. However, the attachment is not actually stripped. If the receiving user is not running Outlook with the security patch, they will see the attachment as they normally do.
If you try to forward a message containing one of these files, even if Outlook has been customized to consider it as a Level 2 attachment (save before opening), Outlook strips the attachment from the forwarded copy.
TIP: If you need to send a file from this list and want to avoid problems with recipients who may have installed the patch, you can simply change the file name before attaching the file -- for example, rename an .exe file to a .ex_ file -- and include instructions on how to save it and rename it in the body of your message. Or use a zip utility to compress the file. Many Compression Tools are available to work automatically from within Outlook, though probably not all will be able to grab the .exe file, given the security surrounding attachments.
|File extension||File type|
|.ade||Microsoft Access project extension|
|.adp||Microsoft Access project|
|.app||Microsoft Visual FoxPro application (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3)|
|.asp||Active server page. (Blocked in Outlook 2002 SP3 and higher)|
|.asx||Windows Media Audio or Video shortcut (blocked only in Outlook 2002 builds earlier than 10.0.3005.x)|
|.bas||Visual Basic class module|
|.cer||(blocked only in Outlook 2003 and later)|
|.chm||Compiled HTML Help file|
|.cmd||Windows NT Command script|
|.cpl||Control Panel extension|
|.csh||KornShell script file (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3 and later)|
|.fxp||Microsoft Visual FoxPro compiled program (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3 and later)|
|.ins||Internet Naming Service|
|.isp||Internet Communication settings|
|.js||JScript Script file|
|.jse||Jscript Encoded Script file|
|.ksh||KornShell script file (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3 and later)|
|.mda||Microsoft Access add-in program (blocked only in Outlook 2002 and a patched version of Outlook 2000)|
|.mdb||Microsoft Access program|
|.mdt||Microsoft Access workgroup information (blocked only in Outlook 2002 SP-1 and Outlook 2000 SP-3 and later)|
|.mdw||Microsoft Access workgroup information (blocked only in Outlook 2002 SP-1 and Outlook 2000 SP-3 and later)|
|.mde||Microsoft Access MDE database|
|.mdz||Microsoft Access wizard program (blocked only in Outlook 2002 and a patched version of Outlook 2000)|
|.msc||Microsoft Common Console document|
|.msi||Windows Installer package|
|.msp||Windows Installer patch|
|.mst||Visual Test source files|
|.ops||Office XP settings (blocked only in Outlook 2002 SP-1 and Outlook 2000 SP-3 and later)|
|.pcd||Photo CD image|
|.pif||Shortcut to MS-DOS program|
|.prf||Microsoft Outlook profile settings (blocked only in Outlook 2002)|
|.prg||Microsoft Visual FoxPro program (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3)|
|.pst||Microsoft Outlook Personal Folders file (blocked only in Outlook 2000 SP-3)|
|.scf||Windows Explorer command (blocked only in Outlook 2002)|
|.sct||Windows Script Component|
|.shb||Shell Scrap Object|
|.shs||Shell Scrap Object|
|.tmp||Temporary file. (Blocked in Outlook 2002 SP3 and higher)|
|.vbe||VBScript encoded script file|
|.vbs||Visual Basic Script file|
|.vsmacros||Visual Studio .NET macro project file. (Blocked in Outlook 2002 SP3 and higher)|
|.vss||Visio shapes and Visio stencils (Blocked in Outlook 2002 SP3 and higher)|
|.vst||Visio template (Blocked in Outlook 2002 SP3 and higher)|
|.vsw||Visio workspace (Blocked in Outlook 2002 SP3 and higher)|
|.ws||Windows script file (Blocked in Outlook 2002 SP3 and higher)|
|.wsc||Windows Script Component|
|.wsf||Windows Script file|
|.wsh||Windows Script Host Settings file|
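The Level 1 check described above can be reproduced outside Outlook, for example to triage a mailbox export. The following is an added example, not Outlook's own code and not from the original page: it classifies attachment names against the extensions in the table, and also flags a CLSID used as the extension (the case the August 2001 update addressed). The names `classify`, `scan` and `build_sample` and the sample file names are constructed for illustration.

```python
import re
from email.message import EmailMessage

# Level 1 extensions copied from the table above, plus .exe, which the TIP names.
# Entries the table marks as version-specific are treated as blocked.
LEVEL1 = set("""
ade adp app asp asx bas cer chm cmd cpl csh exe fxp ins isp js jse ksh mda mdb
mdt mdw mde mdz msc msi msp mst ops pcd pif prf prg pst scf sct shb shs tmp
vbe vbs vsmacros vss vst vsw ws wsc wsf wsh
""".split())

# A CLSID used as the extension: name.{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
CLSID_EXT = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")

# Constructed sample names; the CLSID is an all-zero placeholder, not a real class.
SAMPLE_NAMES = [
    "letter.txt.vbs",
    "Report.VBS.",
    "notes.txt.{00000000-0000-0000-0000-000000000000}",
    "setup.ex_",
    "photo.jpg",
]


def classify(filename):
    """Return 'level1', 'clsid' or 'allowed' for one attachment name."""
    # Windows ignores trailing dots and spaces, so "a.vbs." opens as "a.vbs".
    name = (filename or "").strip().rstrip(". ").lower()
    if "." not in name:
        return "allowed"
    ext = name.rsplit(".", 1)[1]  # only the last extension decides the handler
    if CLSID_EXT.fullmatch(ext):
        return "clsid"
    return "level1" if ext in LEVEL1 else "allowed"


def scan(msg):
    """Classify every attachment of a parsed e-mail message."""
    return [(p.get_filename(), classify(p.get_filename()))
            for p in msg.iter_attachments()]


def build_sample():
    """Build a constructed message carrying one attachment per sample name."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    for name in SAMPLE_NAMES:
        msg.add_attachment(b"x", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for name, verdict in scan(build_sample()):
        print(f"{verdict:8} {name}")
```

The check looks only at the file name, so the renamed `setup.ex_` passes, exactly as the TIP above relies on.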
A "properly written" add-in should not trigger the security warnings in Outlook 2007 or Outlook 2010.
You can add a registry value to prevent the dialog in Outlook 2007.
If you don’t find Office and the following keys under Microsoft, you can add the keys manually in the same order and then continue from Step 3.
Press Windows Key + R to open the Run command. Type regedit and press Enter to open the Registry Editor.
- Navigate to HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security.
If this key does not exist, you need to create it. For many users, this means creating each level from Microsoft down to Security.
- Right click on Security and choose New, DWORD. Name it PromptSimpleMAPISend (copy and paste works well as this DWORD is case sensitive).
- Right click on PromptSimpleMAPISend and choose Modify.
- Enter a value of 2.
- Restart Outlook. (You may need to restart the computer.)
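Because this value suppresses a security prompt, administrators may want to know where it has been set. The following is an added example, not from the original page: it scans the text of a `.reg` export for the key and value named in the steps above. The function names, the export text and the `ExampleOther` value are constructed for illustration.

```python
import re

# Key and value from the steps above; 2 is the data the page says prevents the dialog.
KEY_SUFFIX = r"\software\policies\microsoft\office\12.0\outlook\security"
WATCHED = {"promptsimplemapisend": 2}

# Constructed .reg export text (real exports are usually UTF-16; decode them first).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook]
"ExampleOther"=dword:00000002

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security]
"PromptSimpleMAPISend"=dword:00000002
"""


def parse_reg(text):
    """Yield (key, value_name, number) for every DWORD value in .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # section header: the registry key path
        elif key:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                yield key, m.group(1), int(m.group(2), 16)


def findings(text):
    """Return the (key, name, value) entries that match the watched setting."""
    hits = []
    for key, name, value in parse_reg(text):
        # Compared without regard to case so that a differently cased
        # key or value name in the export is still reported.
        if key.lower().endswith(KEY_SUFFIX) and WATCHED.get(name.lower()) == value:
            hits.append((key, name, value))
    return hits


if __name__ == "__main__":
    for key, name, value in findings(SAMPLE_EXPORT):
        print(f"{key}\\{name} = {value}")
```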
The "object model guard" feature of the patch imposes two extreme restrictions on automating Outlook from add-ins that use either the Outlook object model or Simple MAPI:
- If an add-in tries to send an Outlook message, the user gets a notification pop-up and must explicitly authorize or deny each attempt to send. The user must wait 5 seconds before the Yes button becomes available to click.
- If an add-in tries to access address information in an Outlook item or the address book or to save an Outlook item as a file, the user gets a notification pop-up and can deny access, authorize a one-time access or extend access for a period of several minutes. PDA sync utilities are an example of the kind of application that will be affected by this restriction.
The object model guard applies even if your code is digitally signed or running from a published Outlook form. The only way to turn it off is via the administrative options. Because of these restrictions, some Outlook features become virtually unusable, because of the number of times the user has to confirm the dialog boxes:
- Sequential routing from Word
- Mail merge to e-mail in Word
- Automated mailing programs that use the Outlook Send method
- Applications Affected by the Outlook Email Security Update
- OL2000: Known Issues with the Outlook E-mail Security Update
- OL2000: Developer Information About the Outlook E-mail Security Update
- INFO Developer Information About the CDO E-mail Security Update
To avoid the prompts in applications that you develop, you can use one of these programming interfaces:
Extended MAPI: Language for programming Outlook/Exchange with C++ or Delphi only.
Provides a COM interface to Outlook objects that avoids the "object model guard" of the Outlook E-mail Security Update and exposes properties and methods not available through the Outlook model, such as sender address and Internet message headers. Several security features protect it from being used by malicious programs to send Outlook mail. For the redistributable version, it adds a Profman.dll component with the ability to enumerate, add, delete, and modify Outlook profiles using VB or VBScript.
Is Redemption a security risk? Redemption's author, Outlook MVP Dmitry Streblechenko, responded in the outlook-dev discussion list to the topic In My World Redemption Is A Security Risk.
Visit Outlookcode.com for assistance with programming issues.
Also see Reinforcing Dialog-Based Security, a paper by two U.S. Air Force Academy professors that demonstrates how to get around the object model guard prompts using VBScript code and the SendKeys method to, in effect, click the buttons on the prompts. For utilities that take a similar approach, see the tools listed below.
Automation Security Tools
Use Advanced Security for Outlook to learn what programs are trying to access Outlook and to permanently allow or deny access to each program. The next time the program requests access, the action you chose is executed automatically, and Outlook Security will not annoy you with messages about trying to access e-mail addresses you have stored in Outlook. Freeware, available in English, German and Russian. Advanced Security is fully compatible with Windows 8 (32-bit and 64-bit editions) and Microsoft Office 2013 (32-bit editions only). The programs button is available on the ribbon in Outlook 2010 and Outlook 2013.
ClickYes Pro is a tuning tool for Microsoft Outlook security settings. It allows you to configure which applications can automatically send emails using Outlook and access email addresses stored in Outlook address book. ClickYes Pro runs as a background task providing a convenient icon in the taskbar notification area to manage allowed applications. It uses an encrypted storage and is highly secure and safe. Client and Server versions available. Works with Outlook 2000 - Outlook 2010.
CodeTwo Outlook WarningDoctor removes the security warnings that appear when sending mail or performing other actions recognized by Microsoft as "risky" (for example, when you try to read some data using the Outlook or CDO API). Especially useful for designers of macros, Visual Basic, and programmers of other scripting languages that use the object model. Outlook 2000 and up, including Outlook 2010 64bit.
Source code included. The SetAddressingPermissions procedure shows how to use SendKeys with Outlook security prompts.
Clicks the security dialog buttons automatically, but can be set to start in a suspended state. Developers can activate and suspend automatic clicking of the security dialogs programmatically. (HINT: Use &H2 instead of WM_CLOSE) Free.
Language for programming Outlook/Exchange with C++ or Delphi only.
Outlook Redemption works around limitations imposed by the Outlook Security Patch plus provides a number of objects and functions to work with properties and functionality not exposed through the Outlook object model. Redemption supports Outlook 98, 2000, 2002, 2003, 2007, 2010, 2013, 2016 (both 32 and 64 bit) (Outlook 97 is not supported by the Safe*Item objects) as well as the standalone version of MAPI (no Outlook installed).
Security Manager for Microsoft Outlook is a one-line programming tool that allows you to bypass security settings and avoid security warnings, alerts or prompts in add-ins and applications that interact with Microsoft Outlook. Security Manager is developed for .NET, VCL and ActiveX platforms (VB.NET, C#, C++, Visual Basic 6, Delphi, VBA, Word MailMerge) and supports MS Outlook 2000, Outlook 2002 (XP), Outlook 2003, Outlook 2007 and Outlook 2010 with / without service packs.
If you get the security prompt constantly in a Defense Messaging System environment, see OL DMS 3.0 Users Receive Security Prompt When Using Outlook 2000 SR1 or Outlook 2002.
Outlook Forms Security
With the patch applied, script on unpublished or one-off Outlook forms will not run. Users will no longer see an Enable/Disable Macros prompt.
With the security patch in place or with Outlook 2002, this means that you should never check the Send form definition with item box on the Properties page of a message form, since this will cause the form to one-off. Instead, you should make sure that the recipient has access to the published form.
Outlook Security Zone
The patch puts Outlook into the Restricted Sites security zone and disables scripting for the Restricted Sites zone. (The original default setting for both Outlook 98 and Outlook 2000 is the Internet zone.) For more information, see:
- OL2000: Security Zones in Outlook 2000
- Description of Internet Explorer Security Zones Registry Entries
The patch changes the setting for macro security for Word, Excel and PowerPoint to High. See:
The Outlook 98 version of the patch removes the CDO (Collaboration Data Objects) component, which is often used by Outlook-related applications.
You won't be able to edit embedded objects that you receive in rich-text format messages. However, you may be able to click Forward and edit the embedded object in the copy to be forwarded. See OL2002 Can't Edit an Embedded Object in Rich Text Message.
The main problem is, of course, that users decide they need the blocked attachments after they've applied the patch. See Opening .exe Attachments with the Microsoft Outlook E-mail Security Patch.
These other problems are fixed in Office 2000 SP-2:
- OL2000 Long Name Attachment Causes Outlook to Stop Responding
- Outlook Does Not Exit After You Open an Embedded Object
- Administrative Options for the Microsoft Outlook E-mail Security Patch
- Protecting Microsoft Outlook against Viruses
- Attachment Security Update for Microsoft Outlook -- If you want less intrusive protection from potentially harmful attachments
- OL97 The Outlook E-mail Security Update Is Not Available for Outlook 97
- OL2000 Administrator Information About the Outlook E-mail Security Update
- OL98: Administrator Information About the Outlook E-mail Security Update
- How to Apply the Outlook E-Mail Security Update to an Administrative Installation Image