
Has Microsoft issued a security patch for Collaboration Data Objects (CDO)?

Microsoft has now released a CDO patch for Outlook 2000 users. This update has the same effect on applications using CDO as the Outlook E-mail Security Update had on applications using the Outlook object model. The CDO patch blocks these functions:

  • Saving .exe, .com, .mdb, and other types of file attachments that Microsoft considers dangerous
  • Accessing address information
  • Sending messages programmatically

When an application tries to use a CDO object to obtain address information or send a message, the patch displays a prompt that the user must respond to before the application can continue its work. As with the Outlook E-mail Security Update, you can use the security settings form that I discussed in last month's column to customize the CDO patch's effects.

What are the prerequisites for the CDO patch?

The CDO patch works only on copies of Outlook 2000 that have the Outlook E-mail Security Update in place and that include CDO as a component installed through the Microsoft Office 2000 or Outlook 2000 setup rather than through a separate setup program. Thus, before installing the CDO patch, you need to check two items.

First, check Outlook 2000's version number. Open Outlook 2000, and click Help, About Microsoft Outlook. The About Microsoft Outlook dialog box must specify version 9.0.0.4201 or later and include the phrase Security Update.

Second, check whether the CDO component is installed on your system. Under the Start menu, use either the Find or Search command to locate the file cdo.dll. The copy that Office 2000 or Outlook 2000 installs is in a subfolder (the exact subfolder depends on the OS) under the \program files\common files\system\mapi\1033 folder. The number 1033 represents the number of the code page for US English. So, if you have a different language version of Outlook, you'll see a different number.

If you don't see a copy of cdo.dll, your Outlook 2000 installation doesn't include the CDO component and therefore you don't need to install the CDO patch. The CDO component probably isn't on your system because the Outlook 2000 default installation doesn't include this component. If you see a copy of cdo.dll, you need to install the CDO patch.

How do I install the CDO patch?

In Windows 2000 and Windows NT systems, you must have Administrator rights to install the CDO patch. Don't install the CDO patch through the Auto Update link on the Microsoft Office Update page. Although Auto Update automatically checks your system for updates and installs those you need, it doesn't install the CDO patch correctly. Instead, download the CDO patch and follow the installation instructions in the Microsoft article "OL2000: Information About the CDO E-mail Security Update".

How can I tell whether I've correctly installed the CDO patch?

After you install the CDO patch, search your system again for the cdo.dll file. In a correct installation, the updated version replaces the earlier version. The date on the correctly updated version is June 19, 2000, and the properties for the file have the description Collaboration Data Objects 1.21s. (The s stands for security.)

If you installed the CDO patch but the cdo.dll file's date didn't change, a method other than the Office 2000 or Outlook 2000 setup probably installed the CDO component. In this case, double-click the Control Panel Add/Remove Programs applet and select Office 2000 SR-1 (or Outlook 2000, depending on which one you've installed). Click Add or Remove Features. Under Microsoft Outlook for Windows, select Collaboration Data Objects, then select Run from My Computer, as Figure 1 shows. Click Finish to complete the installation of the CDO component, using the Office 2000 or Outlook 2000 setup. After the setup completes, install the CDO patch again. If the patch installed correctly, the date and description of the cdo.dll file show that the file is the updated version.
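The cdo.dll check from the prerequisites and from this answer can be scripted. The following VBA is an added example, not code from the original column: it searches the MAPI folder named above and prints each copy's date and version to the Immediate window (Ctrl+G in the VBA editor). The names ReportCdoDll and ScanFolder, and the fallback path, are assumptions made for illustration.

```vba
' Added example (not from the original column): list every cdo.dll under
' Common Files\System\Mapi and compare its date with the patched file's date.
' It searches only that folder tree, not the whole system.
Option Explicit

Public Sub ReportCdoDll()
    Dim fso As Object
    Dim strRoot As String
    Dim lngFound As Long

    Set fso = CreateObject("Scripting.FileSystemObject")
    strRoot = Environ$("CommonProgramFiles")
    ' Assumption: use the default location if the variable is not set.
    If Len(strRoot) = 0 Then strRoot = "C:\Program Files\Common Files"
    strRoot = strRoot & "\System\Mapi"

    If fso.FolderExists(strRoot) Then
        ScanFolder fso, fso.GetFolder(strRoot), lngFound
    End If
    If lngFound = 0 Then Debug.Print "No cdo.dll found under " & strRoot
End Sub

' Recurse so that any language subfolder (1033 for US English) is covered.
Private Sub ScanFolder(fso As Object, fld As Object, ByRef lngFound As Long)
    Dim f As Object
    Dim fldSub As Object
    Dim d As Date

    For Each f In fld.Files
        If LCase$(f.Name) = "cdo.dll" Then
            lngFound = lngFound + 1
            d = f.DateLastModified
            Debug.Print f.Path
            Debug.Print "  File version : " & fso.GetFileVersion(f.Path)
            Debug.Print "  Date modified: " & Format$(d, "yyyy-mm-dd")
            If Year(d) = 2000 And Month(d) = 6 And Day(d) = 19 Then
                Debug.Print "  Date matches the patched file."
            Else
                Debug.Print "  Date is not June 19, 2000; patch not confirmed."
            End If
        End If
    Next
    For Each fldSub In fld.SubFolders
        ScanFolder fso, fldSub, lngFound
    Next
End Sub
```

The FileSystemObject does not expose the file description, so confirm the Collaboration Data Objects 1.21s text in the file's Properties dialog box.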

How can I remove the CDO patch?

Although Microsoft's Web pages on the CDO patch say that no uninstall utility is available, you can easily remove the patch and restore the original version of cdo.dll. To remove the patch, follow these steps:

  1. Run setup.exe from your original Office 2000 or Outlook 2000 CD-ROM.
  2. Click Add or Remove Features.
  3. Under Outlook 2000, set the Collaboration Data Objects component to Not Available.
  4. Click Finish.

To restore the original version of cdo.dll after removing the patch, follow these steps:

  1. Run setup.exe from your original Office 2000 or Outlook 2000 CD-ROM.
  2. Click Add or Remove Features.
  3. Under Outlook 2000, select Collaboration Data Objects, then select Run from My Computer.
  4. Click Finish.

Does Microsoft have a CDO patch for Outlook 98 or Outlook 97?

Microsoft offers a patch only for Outlook 2000. The readme.txt file included with the CDO patch implies that you can install the patch on Outlook 98, but this implication isn't correct. The Microsoft article "OL2000: Information About the CDO E-mail Security Update" explains that the update isn't for Outlook 98 and that, when you install the original Outlook 98 E-mail Security Update, the update simply removes the CDO component.

Why would I want to install CDO on a client workstation in the first place?

Although the CDO object model isn't as easy to use as the Outlook object model, the CDO component provides many useful capabilities when you're building client applications that work with Outlook and Exchange Server. Here's a look at some of those capabilities:

  • You can use CDO to return the email addresses of people sending messages. See the Microsoft article "HOWTO: Access SMTP Headers of a Message Using CDO (1.x)".
  • The CDO object model's Session.AddressBook method displays the address book so that users can choose recipients.
  • The CDO object model's AddressEntry.Details method displays a dialog box that shows the details about a particular recipient's address entry.
  • The CDO object model's Recipient.Resolve and Recipients.Resolve methods prompt users if the application can't find the address for one or more recipients. The prompt is similar to the window you see when you click Tools, Check Names in any version of Outlook.
  • Within a single application, you can use CDO to run multiple sessions to access the mailboxes of different users, provided that you have the necessary permissions.
  • When you need to iterate through many folders or items, code using CDO objects runs faster than code using objects from the Outlook object model.

Because of such capabilities, CDO is the choice of many developers. Developers might want to check the Microsoft article "INFO: Developer Information About the CDO E-mail Security Update" for information about the CDO patch's effect on the CDO component's capabilities.

My Exchange Server scripts and Outlook Web Access (OWA) pages use CDO. Should I install the CDO patch on my server, too?

Under no circumstances should you install the CDO patch on a server. The patch is strictly a client update for Outlook 2000. If you successfully install the CDO patch on a server, your Exchange Server scripts, OWA pages, and any other Active Server Pages (ASP) pages that use CDO will probably stop working.

I installed the Office 2000 Security Update UA Control Vulnerability patch (Microsoft Security Bulletin MS00-034) that you mentioned in your August 2000 column. Now, Help no longer works in Office. What's wrong?

Microsoft has found a problem with this update, which it designed to close another security loophole in Office 2000 that could affect HTML format mail. The problem affects only Win2K machines on which you've installed Microsoft Internet Explorer (IE) 5.01 Service Pack 1 (SP1). To fix the problem, you need to make a minor edit to the Windows Registry. The Microsoft article "OFF2000: Error Message: 'Help Requires Microsoft Internet Explorer 3.0 or Greater' When You Start Help" describes how to edit the Registry.

What is the Microsoft Word 2000 SR1 Mail Command Security Update?

This recent update works with the Outlook 2000 E-mail Security Update to close a security loophole that theoretically could let an external program send a plaintext or HTML-format message created with Outlook and Word. You can download the Word update. Before installing the Word update, you must install Office 2000 Service Release 1 (SR1) and the Outlook E-mail Security Update. For more information, see the Microsoft article "WD2000: Word 2000 SR-1 Mail Command Security Update Is Available".

How can I edit the Standard Forms library to display different forms?

The Standard Forms library holds Outlook's built-in forms. You can neither delete nor add forms to it. You need to publish custom forms to the Organization Forms library, the Personal Forms library, or a folder's Forms library. I describe the different forms libraries in my May 1999 column.

How can I set up a mailbox so that people can read that mailbox's incoming mail but not change anything?

This setup is simple. Start Outlook with a profile that lets you log on directly to the mailbox. Right-click the Inbox folder, and switch to the Permissions tab. Grant the Reviewer role to the appropriate person or people (preferably with a distribution list—DL). The Reviewer role means that the designated users can only read items in the Inbox.

How can I reset a group of contacts so that they aren't marked Private?

A bug in the Office 2000 Small Business Customer Manager (part of the Small Business Tools included in the Office 2000 Premium, Professional, and Small Business suites) can cause Outlook to mark all contacts as Private. As a result, other people can't see those contacts if you've shared the Contacts folder, and some Personal Digital Assistant (PDA) software might not be able to synchronize them. The Microsoft article "OL2000: SBCM: All New Contacts Are Marked Private After Saving" details this problem and describes how to fix it.

If you follow the directions in the article, Outlook will no longer mark all contacts as Private. However, you're still left with the existing Private contacts to fix. Fixing them is easy with the Outlook 2000 Visual Basic for Applications (VBA) code in Listing 1. Press Alt+F11 to open the VBA window, then choose Insert, Module to add a new code module. In the Properties window, change the name from Module1 to something like basFixPrivateContacts. Add the code in Listing 1. (You can download this code from the Code Library on the Exchange Administrator Web site at http://www.exchangeadmin.com/.) In this code, the FixPrivateContacts subroutine checks that you're looking at a Contacts folder and have selected some items, then it hands off control to the DoFix subroutine. DoFix loops through the selected items and, for each contact, changes the Sensitivity property to Normal, which is what it would be if you manually cleared the Private check box on each item.

I designed these subroutines to work with a selection of items in a folder rather than all items in a folder because I thought you'd probably want to keep some contacts Private.

Follow these instructions to use the code in Listing 1:

  1. Go to the Contacts folder.
  2. Create a Custom view, and group by the Sensitivity field.
  3. Click the group heading for Sensitivity: Private to select all the items marked Private.
  4. Hold down the Ctrl key, and click each contact that you want to keep Private.
  5. Press Alt+F8, or choose Tools, Macro, Macros.
  6. Select the FixPrivateContacts macro, then click Run.
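
Listing 1 itself is not reproduced on this page. The following VBA is an added sketch of the two subroutines as the text describes them, not the author's listing; the variable names and message wording are assumptions.

```vba
' Added example: a sketch of FixPrivateContacts and DoFix written from the
' column's description. It is not the author's Listing 1.
Option Explicit

Public Sub FixPrivateContacts()
    Dim objExpl As Outlook.Explorer

    Set objExpl = Application.ActiveExplorer
    If objExpl Is Nothing Then
        MsgBox "Open a folder window first."
        Exit Sub
    End If
    ' Refuse to run outside a Contacts folder.
    If objExpl.CurrentFolder.DefaultItemType <> olContactItem Then
        MsgBox "Switch to a Contacts folder first."
        Exit Sub
    End If
    ' Work only on the items the user selected.
    If objExpl.Selection.Count = 0 Then
        MsgBox "Select the contacts you want to reset."
        Exit Sub
    End If
    DoFix objExpl.Selection
End Sub

Private Sub DoFix(objSel As Outlook.Selection)
    Dim objItem As Object
    Dim lngFixed As Long

    For Each objItem In objSel
        ' A Contacts folder can also hold distribution lists; skip them.
        If objItem.Class = olContact Then
            If objItem.Sensitivity <> olNormal Then
                ' Same effect as clearing the Private check box by hand.
                objItem.Sensitivity = olNormal
                objItem.Save
                lngFixed = lngFixed + 1
            End If
        End If
    Next
    MsgBox lngFixed & " contact(s) reset to Normal sensitivity."
End Sub
```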