Software

Get IT Done: Save your custom Outlook 2002 applications with Redemption

Tools that allow custom applications to bypass Outlook 2002 security

On May 31, 2001, Microsoft released the newest version of its e-mail client software, Outlook 2002 (part of the Office XP Suite). The new version of Outlook has many features and improvements that end users will enjoy. Developers, on the other hand, are worried.

Outlook 2002 includes features from the Outlook E-mail Security Update released in the wake of viruses such as Melissa and I LOVE YOU. Many of the features of this security update hinder or even “break” custom Outlook applications. This article outlines various techniques—including a handy tool named Redemption—that you can use to bypass these security roadblocks and save your custom Outlook applications.

A closer look at Outlook’s E-mail Security Update
This latest security update has three main components:
  1. Attachment blocking
  2. Address book access warning
  3. Automatic send warning

1. Attachment blocking
Many viruses are spread through malicious attachments included in e-mail messages. Outlook 2002 includes 43 file extensions that are blocked by default. The attachments are still received by Outlook but are not visible to users. Outlook 2002 includes a registry key that users can edit, which will let them move certain file attachments from Level 1 designation to Level 2. Level 1 attachments cannot be seen by the user. Level 2 attachments can be seen but must be saved to disk before they can be accessed. There is also a free COM Add-In that provides a tidy interface to modify the registry and move any or all attachment types from Level 1 to Level 2. It can be found at Slipstick System’s Web page on opening .exe attachments with the Microsoft Outlook E-mail Security Patch and Outlook 2002.

2. Address book access warning
A popular method for virus propagation is through access to the Outlook Address Book, Contacts Folder, or Global Address List. This access can also be necessary for mail merge operations or reporting applications. The code below will access the Contacts folder and retrieve the e-mail address from the first contact.
Set ns = Application.GetNamespace("MAPI")
Set fld = ns.GetDefaultFolder(10)   ‘olFolderContacts
Set itms = fld.Items
Set itm = fld.Items.GetFirst
Item.To = itm.Email1Address

In Outlook 2002, users of this code will see the warning shown in Figure A.

Figure A


In order for your code to be able to access the e-mail address in question, you will have to click the check box to Allow Access For, select how long you wish Outlook to allow address book access (1, 2, 5, or 10 minutes), and then click Yes.

3. Automatic send warning
Another feature virus writers often use in conjunction with the address list access is the ability to send a message unbeknownst to the user. The following code in unpatched Outlook 2000 will create and send a message without any user interaction. In fact, the only way to know the message is being sent is to watch the Outbox for the message to briefly appear.
Set itm = Application.CreateItem(olMailItem)
itm.To = patricia@cardozasolutions.com
itm.Send

That same code in Outlook 2002 will produce the window shown in Figure B.

Figure B


You have to wait for that blue progress bar to completely fill (which takes approximately 5 seconds) before you can click on the Yes button.

Bypassing Outlook 2002 security
So what is a developer to do? Many custom Outlook applications use these now blocked features. If your custom application falls into that category, you have several options.
  1. Configure administrative options with Microsoft Exchange Server or HP OpenMail
  2. Extended MAPI
  3. Redemption

1. Configure administrative options with Exchange Server or HP OpenMail
Microsoft Exchange Server and HP OpenMail offer an Administrative Options Pack that can be downloaded from Microsoft. This package allows you to:
  • Specify behavior when sending items via the Outlook Object Model or CDO.
  • Specify behavior when accessing the address book via the Outlook Object Model or CDO.
  • Designate specific COM Add-Ins as “trusted.” These add-ins can then access the Outlook Object Model without triggering any prompts.

2. Extended MAPI
Extended Messaging Application Programming Interface (MAPI) is a full-featured API that allows developers to write mail-enabled applications that will work with various messaging systems. MAPI allows for messaging, calendaring, and document management. An example of MAPI at work is the ability to send documents via e-mail from many word processing applications.

MAPI is a very powerful tool for developers. However, many have been hesitant to dive right in due to the complexity of the system and the restriction that it must be accessed by C or C++.

3. Redemption
Redemption uses Extended MAPI to provide “safe” objects that bypass the security prompts. Simply set a variable to one of these safe objects, and you can now use it just like you would a normal Outlook object.

Earlier, we saw that the following code triggered the address book prompt:
Set ns = Application.GetNamespace("MAPI")
Set fld = ns.GetDefaultFolder(10)
Set itms = fld.Items
Set itm = fld.Items.GetFirst
Item.To = itm.Email1Address

Now take a look at that same code using Redemption.
Set SafeContact = CreateObject("Redemption.SafeContactItem")
Set ns = Application.GetNamespace("MAPI")
Set fld = ns.GetDefaultFolder(10)   ‘olFolderContacts
Set itms = fld.Items
Set itm = itms.GetFirst
Set SafeContact.Item = itm  
Item.To = SafeContact.Email1Address

With the addition of two lines of code, we have bypassed the security prompt and allowed the code to grab the e-mail address of a contact in your Outlook Contacts folder.

One of the greatest advantages of Redemption is that changes to your code are very minimal, often requiring only two additional lines per object. Once you have set your object variable to a Redemption object, all of the rest of your code can remain the same.

Not only can Redemption be used with VBScript behind Outlook forms, but it can also be used with VB and VBA.

Redemption also exposes some properties that the Outlook object model does not. Have you ever wanted to get the sender’s e-mail address out of one of the messages in your Inbox? The following code can do that for you.
set utilobj = CreateObject("Redemption.MAPIUtils")
Set ns = Application.GetNamespace("MAPI")
set itm = ns.GetDefaultFolder(6).Items(1)
PrSenderEmail  = &H0C1F001E
strSenderEmail = utilobj.HrGetOneProp(itm.MAPIOBJECT, PrSenderEmail)
msgbox strSenderEmail

Getting Redemption
Outlook 2002 brings many advantages, but like any new version, it also brings challenges. Redemption gives developers answers to many of those challenges. The above examples represent only a portion of Redemption’s functionality. For additional information about Redemption, including how you can get a copy, please see Outlook Redemption.

Patricia Cardoza is an Outlook Developer and Microsoft Outlook MVP. She has been developing with Outlook since Outlook 97 and specializes in workflow and collaborative solutions. She is an MCP in Exchange and Outlook Collaborative Solutions and is currently diving into the exciting world of Exchange 2000 Development and Administration. She can be reached at patricia@cardozasolutions.com.


Want more?
Did you find this article helpful? Would you like to read more articles like this one? Let us know by posting a comment below or by dropping us a note.

 
0 comments