Downloads
15768.zip

You've explained that you can easily protect Outlook's preview pane from malicious code attacks. As a result, can you safely just download or preview messages?

In my August 2000 column, I described changes in Microsoft Internet Explorer (IE) security zones that you can make to secure Outlook against malicious code that might arrive in HTML messages, if you haven't installed the Outlook E-mail Security Update. These changes ensure that no code or ActiveX components can run when you just look at a message in Outlook's preview pane.

Unfortunately, the latest vulnerability in Outlook isn't related to these easy-to-adjust HTML mail settings and is potentially much more serious. The "Malformed Email Header" weakness exposes a chink in Outlook's defenses that can let malicious code enter your system—just by downloading a message. The attack can affect any copy of Outlook—even Outlook 97—that you use to retrieve Internet mail from a POP3 account. (You aren't at risk if you use Outlook only to access an Exchange Server mailbox through the Microsoft Exchange Server service.) You can read about this problem in Microsoft Security Bulletin (MS00-043), "Patch Available for 'Malformed E-mail Header' Vulnerability" (http://www.microsoft.com/technet/security/bulletin/ms00-043.asp).

To fix this vulnerability, perform one of the following preventive actions:

  • On OSs other than Windows 2000, install IE 5.5 from http://www .microsoft.com/windows/ie/ download/ie55.htm.
  • On Win2K, install Win2K Service Pack 1 (SP1) or IE 5.01 SP1. Both are available at the Windows Update site at http://windowsupdate.microsoft .com/.
  • If you're already using Outlook Express 5.01 with any OS, install the separate security update from http:// www.microsoft.com/windows/ie/ download/critical/patch9.htm. To check your Outlook Express version, start Outlook Express, and choose Help, About Microsoft Outlook Express. If the version is 5.00.2919.6600 or, for Win2K, 5.00.2919.6700, you have Outlook Express 5.01.

The Outlook Express version is relevant because Outlook shares components, such as the HTML rendering engine and Internet account management, with Outlook Express.

What fields does Outlook search when I use the Find a Contact box on the Standard toolbar?

When you type a name or part of a name in the Find a Contact box, then press Enter, Outlook searches the Full Name and Subject fields in your default Contacts folder. Outlook also searches the name portion of SMTP addresses by using the name@domain format, but not the domain name. In other words, a search for exadmin would find a contact with the address exadmin@slipstick.com, but not one with the address slipstick@exadmin.com.

For a shortcut to frequently used contacts, click the small arrow to the right of the Find a Contact box to see a list of names. When you use the Find a Contact box to locate a particular person's records, Outlook adds your search term to this list.

Why does Find a Contact sometimes overlook contacts that I know are in my Contacts folder?

Find a Contact uses the same functionality as the Check Names feature, which users can invoke by pressing Ctrl+K, that resolves names in the To, Cc, and Bcc fields to the email addresses. For Find a Contact to locate an entry in the Contacts folder, the default Contacts folder must be available as an address book for name resolution and the contact must have an email address or fax number.

If Find a Contact doesn't work at all, check Tools, Services for the Outlook Address Book service. Add the Outlook Address Book if the Services dialog box doesn't list it as a service in the current mail profile. Restart Outlook. Right-click your Contacts folder, choose Properties, then switch to the Outlook Address Book tab. If the Show this folder as an e-mail Address Book check box is clear, select that option. If Find a Contact doesn't locate certain contacts, check those contacts to make sure that they have either an email address or a fax number.

What fields does Outlook search when I use the Find button on the Standard toolbar?

When you click Find and enter text in the panel that appears in the Contacts folder, Outlook searches the various name fields, the Company and Category fields, and the address and email address fields to locate all matching items. Outlook also searches the Subject field and, if you select the Search all text in the contact check box, the large notes area for the contact. The search runs faster if you don't select the Search all text in the contact check box.

Can I modify the fields that Outlook searches with Find or Find a Contact?

No, you can't change which fields Outlook searches with the Find or Find a Contact functions. To search other fields, you must use the Tools, Advanced Find command.

Can I type a search string in the Find function in a Lightweight Directory Access Protocol (LDAP) address book that displays all mailboxes on our server?

Microsoft added support for LDAP address books in Internet Mail Only mode in Outlook 98 and in Corporate/ Workgroup mode in Outlook 2000. Typically, the user searches the LDAP address book for a particular name and can't simply view a list of all address book members.

If the LDAP address book is coming from your Exchange Server 5.5 server (perhaps to support POP or IMAP clients), you can change the LDAP options to give the user an address book through LDAP that looks more like the Global Address List (GAL). However, I don't recommend this procedure unless you have a relatively small GAL—say, fewer than 100 entries entries—because the necessary settings on the server make LDAP searches run slower.

To change the options, from the Microsoft Exchange Administrator program, go to the Protocols container for your server and bring up the properties for LDAP (Directory) Settings. On the General tab, clear the Use site defaults for all properties check box. On the Search tab, which Figure 1 shows, select Allow all substring searches (slow). Note that the figure for Maximum number of search results returned needs to be greater than the number of GAL entries or users can't see all the items in the GAL. Click OK to save your changes.

If you want to access the LDAP server in Outlook 2000 in Corporate/Workgroup mode, you need to add the Microsoft LDAP Directory service to the mail profile. This service isn't part of the default installation, so you need either the Outlook CD-ROM or access to a network installation point to add the service. After adding the service and providing your Exchange server's address, exit and log out of Outlook.

Restart Outlook to give the LDAP directory a try. Choose Tools, Address Book, then choose Tools, Find on the Address Book dialog box. Instead of typing in a name (as you might to search a public LDAP directory), type a space and click OK. The Address Book will display all the names in the GAL—at least all those with a space in them, which is probably most of the entries.

We used the Team Folders Wizard to set up team folders. Now, we want to move all the contacts from another folder into the team folders' Contacts folder. What's the easiest way to move the contacts?

The folders that the Team Folders Wizard creates are just like any other public folders, except they have rather elaborate folder home pages and the team Tasks folder uses a custom form. The Contacts public folder that the Team Folders Wizard builds doesn't use a custom contact form; therefore, you don't need to modify existing contact items to make them work in the Team Folders context. You just move them into the team Contacts folder—either by dragging from one folder to the other or by selecting all the items in the original folder and using the Edit, Move to Folder command.

How do we move appointments and tasks into a Team Folders hierarchy?

You can move appointments just like you move contacts because the team Appointments folder doesn't use a custom form. Tasks take a little more effort, though, because they use a custom TeamTask form published to the Tasks folder in your Team Folders hierarchy. The form includes 31 custom properties and about 200 lines of code that control the message that Outlook sends when you update a task in a team Tasks folder.

After you use the same procedure you use for contacts to move existing tasks into the team Tasks folder, you must convert them to use the TeamTask form. You can download the Outlook 2000 Existing Items Converter from http://www.microsoft.com/office/ ork/2000/journ/outtoolsintro.htm to help with this chore. The Microsoft article "OL97: How to Update Existing Items to Use a New Custom Form" (http://support.microsoft.com/support/ kb/articles/q170/3/01.asp) describes an alternative VBScript method.

Can we change the standard wording for the task update messages from Team Folders?

You can change the standard wording for the updated task message by changing the text for various properties on the All Fields tab in the custom TeamTask form. Use the Tools, Forms, Design a Form command to open the form in design view.

Figure 2 shows the (All Fields) tab and some of the fields for which you can change the text. Don't alter or remove any parameter that begins with %OLTF@ (such as %OLTF@TaskPriority% in the HTMLFifthRowText property). The code behind the form substitutes other values for these parameters and won't work properly if you remove the parameters.

Can I open a password-protected Outlook form if the designer has left the company without leaving the password?

You probably already know that password protection in Microsoft Office is weak; several password-cracking sites are available to help you unlock documents and even Personal Folders. Getting the password for an Outlook form is easy because the FormDescription object that contains key information about the form includes a Password property.

The Outlook 2000 Visual Basic for Applications (VBA) code in Web Listing 1 on the Exchange Administrator Web site displays the value of the Password property in a message box. Before running the code, open an item that uses the custom form. You can either open an existing item or use the File, New, Choose Form command to create a new item with the custom form. You can then press Alt+F8 to display the Macros dialog box and choose the GetFormPassword macro.

After you retrieve the password with this macro, you can open the form in design mode, enter the password in the prompt that appears, and remove the password protection completely. Figure 3 shows the form's (Properties) tab. Simply clear the Protect form design check box to remove the password protection. You can also click Set Password to set a new password.