Re: Office XP SP3 breaks 3rd-party junk email filter
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Thu, 11 Mar 2004 20:53:36 -0500 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I'm not convinced that Outlook 2002 SP3 actually created any new problems wrt the Object Model Guard. It may have, but as far as I can tell there's nothing new there that hasn't been around since Outlook 2002 was first released.
On June 9th, 2000, Microsoft released the Outlook Email Security Update. This functionality was subsequently built into the Gold versions of both Outlook 2002/XP and Outlook 2003. Full details of its features can be found in the following document at the section titled "Outlook Security Enhancements";
Among them is the Object Model Guard. Details about what the OMG does can be found in the following document at the section titled "About the Outlook Object Model Guard";
There you will also find recommendations from MS about how to perform tasks that were previously possible, such as accessing email addresses or programmatically sending email.
Boils down to this;
- You must use an Exchange Server with Outlook. In such an environment you can disable any of the Outlook Security features by user.
- The Add-in must use Extended MAPI. Some functionality can be achieved by using CDOSYS, but not nearly what can be done with Extended MAPI.
Some Add-ins have been modified, others haven't. Those that haven't, won't work with Outlook once the Email Security Update is in place (and if it was added, it cannot be removed.) Plain and simple, all you can do is contact your Vendor and ask what their solution is. As we've seen, some choose to make you work around it, others build to accommodate it.
If anyone's wondering if these security features have had an impact, consider what you're seeing these days in terms of email-borne attacks. Firstly, they've all shifted to searching your file system for addresses, so we get distribution to unknown or people you may have never emailed instead of being sent to your address book, or an Exchange Server's Global Address List. While its annoying, its better than spreading viruses to your friends and business partners, IMO.
Secondly, they have to supply the SMTP code. The advantage to us is that our mail servers aren't bogged down by our own desktops any more. Further, if we block outbound SMTP access at our borders we can prevent one of our infected systems from infecting anyone else, plus, we're able to identify infected hosts fairly easily.
I see both of these results, directly due to the Email Security Update, a definite benefit to the business world. Granted, doesn't have much effect on the home user, but then they aren't typically using Outlook anyway (they're using Outlook Express, or some other MUI.)
Anyway, there's a ton of articles on the MS KB and MSDN related to this topic:
Microsoft Outlook Security Center
OL2002: Developer Information About E-Mail Security Features
Microsoft Outlook 2002 Developer Security Overview
For those of you who are in an Exchange Server environment:
Customizing the Outlook Security Features Administrative Package
Using the COM Add-in Shim to Trust Outlook 2002 Add-ins Built with Visual Studio .NET
As well as a general page about the Outlook Email Security Update for Outlook 98/2000 and 2002:
Security Features for Outlook 2002 and Previous Versions
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you''ll have to copy their email address out of the message and place it in your TO: field.