
Tighter Security in Outlook 2002 SP3

Microsoft caused a commotion when it released Service Pack 3 (SP3) for Office XP earlier this month. Along with fixing bugs in Outlook 2002 and other Office programs, this service pack tightens "object model guard" security for programs that access the contents of Outlook messages and other items. The tighter security had an immediate effect on certain antispam applications, PDA-synchronization tools, and other programs that work with Outlook--in some cases triggering a security prompt every few minutes as Outlook downloaded new messages. Vendors have now released updates for the most affected antispam and PDA tools. Initially, though, because the service pack can't be uninstalled, users who didn't want to deal with the prompts were left in the ironic position of having to choose between disabling their antispam programs (at least temporarily) or removing both SP3 and Office, then reinstalling Office XP and doing without the new security features.

As the Microsoft article "Custom solutions and add-ins that integrate with Outlook 2002 are affected after you apply Office XP Service Pack 3 (SP3)" explains, the properties that trigger an address book security warning in SP3 are Body, HTMLBody, WordEditor, and HTMLEditor. These are precisely the properties that custom Outlook forms, COM add-ins, and other applications use to work with the body of a message or other Outlook item. That's why the range of affected applications includes antispam tools, utilities that enhance Outlook message content, and PDA synchronization tools: all of them work directly with the body of mail messages or other items.

That Microsoft would want to restrict access to these properties isn't surprising, given how many people include email addresses and other contact information in their messages. Message bodies are a ripe source for viruses and other malicious programs that try to harvest addresses. Office Outlook 2003 automatically blocks these properties but uses a slightly different security model that doesn't trigger security prompts for most Outlook add-ins. (See "Outlook 2003 Minimizes Intrusion of Security Prompts" for more information about Outlook 2003's behavior.)

What is surprising is that Microsoft didn't anticipate how many applications and users might be affected by SP3 and didn't detail the security changes in the Knowledge Base articles that it published at the same time as the SP3 release. The Microsoft article about the SP3 security changes took several days to become available. In the meantime, users posted frantically to Outlook discussion forums and called Microsoft's support lines trying to get a solution.

Timely notice to known antispam and PDA-sync vendors might also have kept the commotion down to a manageable roar. In the future, Microsoft might know exactly which vendors to notify in such situations. Microsoft's new Customer Experience Improvement Program gathers data about Office-program usage from volunteer participants. This data could include information about which Outlook COM add-ins users are installing; Microsoft would then know which add-ins are in widespread use and could work with those vendors to make sure they're ready for any future tightening of security. (I'll discuss the Customer Experience Improvement Program in more detail in an upcoming column.)

In the meantime, if you're preparing to roll out SP3, check whether updates are available for the add-ins that you use in your organization, and review the code in any of your custom Outlook forms to determine whether those forms reference the guarded properties and will therefore be affected. To reduce Outlook 2002's exposure to known security exploits, install the Outlook 2002 Security Patch: March 9, 2004, which Microsoft released just before SP3 and which doesn't include the "object model guard" changes.
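One way to do that review before deploying SP3 is to search exported form script and add-in source for the four guarded properties. The following PowerShell script is an added example, not code from the original column or from Microsoft; the root folder, the file extensions, and the assumption that form code has been exported to disk as text are all hypothetical.

```powershell
# Added example (not from the original column): find references to the four
# Outlook properties that trigger the SP3 address book security prompt.
# $Root and $Extensions are assumptions; point them at wherever your custom
# form script (VBScript) and COM add-in source (VBA, VB6) are exported.
param(
    [string]$Root = 'C:\OutlookForms',
    [string[]]$Extensions = @('*.vbs', '*.bas', '*.cls', '*.frm', '*.txt')
)

# Property names the Microsoft article names as guarded in SP3.
$guarded = @('Body', 'HTMLBody', 'WordEditor', 'HTMLEditor')

# Match a property access (preceded by '.') and require a word boundary after
# the name so that, for example, BodyFormat is not reported as Body.
$pattern = '\.(' + ($guarded -join '|') + ')\b'

# Select-String is case-insensitive by default, which is right for VBScript/VBA.
$hits = Get-ChildItem -Path $Root -Recurse -Include $Extensions -File |
    Select-String -Pattern $pattern

if (-not $hits) {
    Write-Host "No references to guarded properties found under $Root"
    return
}

# One row per reference: file, line number, which property, and the source line.
$hits | ForEach-Object {
    [pscustomobject]@{
        File     = $_.Path
        Line     = $_.LineNumber
        Property = $_.Matches[0].Groups[1].Value
        Text     = $_.Line.Trim()
    }
} | Sort-Object File, Line | Format-Table -AutoSize
```

Every row the script prints is a place where, after SP3, the form or add-in will either prompt the user or fail if the prompt is declined, so each one needs a vendor update, a code change, or an explicit decision to accept the prompt. A clean run only tells you the code you exported is unaffected; compiled add-ins whose source you don't have must be tested against SP3 directly.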

Administrators and Help desks should also be aware of several other security-related changes in behavior that Outlook users might notice after SP3. The service pack blocks more file types--specifically, .asp, .tmp, .vsmacros, .vss, .vst, .vsw, and .ws files. The custom forms cache is folder-specific, as it is in Outlook 2003. If an item's custom form isn't published in the item's parent folder or in the Personal Forms or Organizational Forms library, Outlook will display the default form for the item's type rather than the custom form.

In addition, code won't run for items in other users' mailboxes when those items use custom Outlook forms. Code also won't run on folder home pages for those mailbox folders. A new registry entry is available to allow such form or folder home page code to run. Another new registry entry can disable form and folder home page code in public folders, but that entry is enabled by default, so users shouldn't notice any change in public folder behavior. "Custom solutions and add-ins that integrate with Outlook 2002 are affected after you apply Office XP Service Pack 3 (SP3)" also describes these registry settings and other changes that might affect custom Outlook solutions.

You might need to make one additional registry change if users have installed Adobe Acrobat and use its PDFMaker component to create .pdf files from Word documents. The PDFMaker program includes an Outlook COM add-in that triggers a security prompt each time the user starts a message using WordMail as the email editor. If you don't want to disable WordMail, you can disable the add-in with a registry change. Go to the HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Outlook\Addins\PDFMOutlook.PDFMOutlook registry subkey and change the LoadBehavior entry's value from 3 to 2. Restart Outlook, and the PDFMaker COM add-in won't load in Outlook. The PDF functions will still be available in Word and the other Office programs, though.
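The LoadBehavior change described above, written as a PowerShell script so it can be pushed to many machines consistently. This is an added example, not code from the original column or from Adobe or Microsoft; the key path and values are the ones the column gives, and the script only writes when the current value is 3 so it can be run safely more than once.

```powershell
# Added example (not from the original column): disable the Acrobat PDFMaker
# Outlook COM add-in by changing LoadBehavior from 3 (load at startup) to 2
# (do not load). The key is under HKEY_LOCAL_MACHINE, so run this from an
# elevated (administrator) PowerShell session.
$key = 'HKLM:\Software\Microsoft\Office\Outlook\Addins\PDFMOutlook.PDFMOutlook'

if (-not (Test-Path $key)) {
    Write-Warning "Add-in key not found: $key (PDFMaker add-in is probably not installed)"
    return
}

# Read the current value; a missing LoadBehavior value yields $null rather than an error.
$current = (Get-ItemProperty -Path $key -Name LoadBehavior -ErrorAction SilentlyContinue).LoadBehavior
Write-Host "Current LoadBehavior: $current"

if ($current -eq 3) {
    Set-ItemProperty -Path $key -Name LoadBehavior -Value 2 -Type DWord
    Write-Host 'LoadBehavior set to 2. Restart Outlook for the add-in to stop loading.'
} else {
    Write-Host 'No change made: LoadBehavior is not 3.'
}
```

Running the script again after the change reports "No change made", which is the quick way to confirm that a deployment reached a given machine. Word and the other Office programs keep their PDF functions, because only the Outlook add-in registration is touched.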
