To help protect you against most viruses spread via attachments in e-mail,
Microsoft has introduced a significant security enhancement for Outlook® 98 and 2000:
the Outlook 2000 SR-1 E-mail Security Update and the Outlook 98 E-mail Security Update. This security
update provides protection from most viruses, such as the
ILOVEYOU and Melissa viruses, as well as other viruses that spread themselves
through e-mail, or worm viruses that can replicate through Outlook. This update
limits certain functionality in Outlook to provide a higher level of security; it
was not created to address a security vulnerability within Outlook. This
update provides unprecedented security protection for Outlook and Microsoft
encourages all users of Outlook 2000 and Outlook 98 to install the appropriate
update for their version of Outlook.
Important
The Outlook 2000 SR-1 E-mail Security Update requires that you first install Office 2000 Service Release 1a (SR-1a) (which includes the original Office 2000 SR-1 update and the Office 2000/Windows 2000 Registry Repair Utility). To ensure the integrity of your Office 2000 installation, the Outlook 2000 SR-1 E-mail Security Update requires access to the Office CD or your network installation location during the installation process. If you have installed more than one version of Office 2000 on your machine (for example, if you installed Office 2000 Small Business Edition and then later installed Office 2000 Professional Service Release 1), all of the installed versions of Office 2000 must be updated to Service Release 1 level before you install this update. If you are not certain, install the Office 2000 Service Release 1a (SR-1a) to correctly update your installations of Office 2000 before you install this update.
The Outlook E-mail Security Update provides the following security measures:
- E-mail attachment security prevents users from accessing several
file types when sent as e-mail attachments. Affected file types include
executables, batch files, and other file types that contain executable code
often used by malicious hackers to spread viruses.
- Object Model Guard prompts users with a dialog box when an
external program attempts to access their Outlook Address Book or send e-mail
on their behalf, which is how insidious viruses such as ILOVEYOU spread.
- Heightened Outlook default security settings increase the default
Internet security zone setting within Outlook from "Internet" to "restricted
sites." In addition, active scripting within restricted sites is disabled by default. These security features help protect users from many viruses that are spread by means of scripting.
Once installed, this update will affect certain functionality within Outlook, and may also have an impact on the interaction of some third-party software programs with Office. For more information before installing the update, read the Microsoft Knowledge Base article (Q262634) OL2000: Known Issues with the Outlook E-Mail Security Update.
System administrators should read the Knowledge Base article (Q263297) OL2000: Administrator Information About the Outlook E-mail Security Update for information about customizing the E-mail Security Update.
Certain e-mail attachments are unavailable
Once you install this update, you will not be able to access attachments with
file types that could run executable code or change settings on a
computer — actions that could allow a virus to spread. These
file types are known as Level 1 security files.
Level 1 security files
Level 1 security files (restricted access in Outlook) are files that may contain executable code themselves, or may contain links to other files that contain executable code that could execute a virus on your computer. Level 1 file types include program files (.EXEs, .COMs), script modules and files (.BASs, .VBSs, .JSs), Internet links (URLs, .ISNs), and shortcuts to files (.LNKs, .PIFs). For a list of these file types, see the Outlook E-mail Security Update Frequently Asked Questions.
Level 2 security files
File types on the Level 2 security list must be saved to disk before they can be opened; the files cannot be opened directly from within Outlook. There are no file types on the Level 2 security list by default, but file types can be added to the list by system administrators. For more information, see the Knowledge Base article (Q263297) OL2000: Administrator Information About the Outlook E-mail Security Update.
Receiving a restricted attachment
If you receive a message that contains an attachment that cannot be accessed,
your Inbox will display the paperclip in the attachment column to let you know
that the message has an attachment. When you open the message, the attachment
will not be available and the following will be displayed at the top of the
message:

On the File menu, the Save Attachments command and the
View Attachments command on the shortcut menu will not be
available for this message. If you receive a message with multiple
attachments, any of the unsafe attachments will not be accessible, but other
attachments will be retained. When you open the message, you will see the same
warning as above, but any attachment not affected by the update will be
available to you. Save Attachments and View Attachments can be
used for the safe attachment.
Attachments that must be saved to disk
If you receive a message containing a Level 2 file as an attachment, the following warning is displayed if you try to open the attachment.

Sending attachments
When you attach a file to e-mail, the update checks the file
type when you send the message. If the file type is on the list of
restricted files, you will be warned that
other Outlook users may not be able to open the attachment. If you click
Yes, the message is sent with the attachment. If other users have this
update installed, the attachment will be inaccessible. If you click No,
the message will be returned to you for editing, which will involve removal of
the attachment.
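The attachment rules described in the sections above (Level 1 blocked, Level 2 save-to-disk, messages with mixed attachments, and the warning on send) can be modelled in a few lines. This is an added Python illustration, not Microsoft's code: the extension set is only the subset of Level 1 types named on this page, the function names are constructed, and checking Level 1 before Level 2 is an assumption.

```python
# Added illustration of the attachment rules described on this page.
# Not Microsoft's implementation; all names here are constructed.

# Subset of the Level 1 types named on this page (the full list is in the FAQ).
LEVEL1 = frozenset({"exe", "com", "bas", "vbs", "js", "url", "lnk", "pif"})
# Level 2 is empty by default; administrators may add file types to it.
DEFAULT_LEVEL2 = frozenset()


def extension(filename):
    """Return the effective (last) extension, lower-cased.

    Trailing dots and spaces are stripped first because Windows ignores
    them, so 'setup.exe. ' still opens as an .exe file. Only the last
    extension counts, so 'notes.txt.VBS' is a .vbs file, not a text file.
    """
    name = filename.rstrip(". ").lower()
    _, dot, ext = name.rpartition(".")
    return ext if dot else ""


def classify(filename, level2=DEFAULT_LEVEL2):
    ext = extension(filename)
    if ext in LEVEL1:          # assumption: Level 1 is checked first
        return "level1"        # inaccessible from within Outlook
    if ext in level2:
        return "level2"        # must be saved to disk before opening
    return "allowed"


def receive(attachments, level2=DEFAULT_LEVEL2):
    """Split one message's attachments the way the update treats them."""
    result = {"level1": [], "level2": [], "allowed": []}
    for name in attachments:
        result[classify(name, level2)].append(name)
    # Save Attachments remains usable only for attachments that are not blocked.
    result["save_attachments_enabled"] = bool(result["level2"] or result["allowed"])
    return result


def warn_on_send(attachments):
    """True when the sender would be warned that recipients may be blocked."""
    return any(classify(name) == "level1" for name in attachments)
```

Matching on the last extension after normalization is what makes a double-extension name such as the constructed `notes.txt.VBS` fall under Level 1 rather than being treated as a text file.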
Programs are prevented from sending mail without your permission
The Outlook 2000 SR-1 E-mail Security Update changes the behavior of some Outlook
automation functionality. Since viruses can spread by sending copies of e-mail
messages to people listed in your Address Book, this update changes Outlook
functionality so that programs cannot automatically access your Address Book or
Contacts list, or send messages on your behalf. In either case, Outlook will
prompt you, ensuring that Outlook can't be used to distribute e-mail without
your permission.
For example, if code attempts to access your Address Book in Outlook, a
warning appears. You can either allow the program access for this instance, or
you can select the Allow access for checkbox and specify an amount of
time up to 10 minutes. If you do not want the program to access your Address
Book, click No.

Outlook security settings are set to Restricted Sites by default
Default security zone settings are set to Restricted Sites (rather than Internet) by default, and active scripting within restricted sites is disabled by default when this update is installed. The Restricted Sites security zone disables most automatic scripting and prevents ActiveX® controls from opening without the user's permission. These security features help protect users from many viruses that are spread by means of scripting. For more information on the difference between the Restricted Sites and Internet zones, see the Microsoft Knowledge Base article (Q174360) How to Use Security Zones in Internet Explorer. To change your Outlook security settings manually, on the Tools menu, click Options and then click the Security tab.
Functionality differences with Microsoft Office 2000 MultiLanguage Pack
For complete Outlook E-mail Security Update functionality when you are using an Office 2000 MultiLanguage Pack, you will need Office 2000 Service Release 1 (or Office 2000 Service Release 1a (SR-1a)), the Outlook 2000 SR-1 E-mail Security Update, the Office 2000 MultiLanguage Pack Service Release 1 for the language you are using, and the Outlook 2000 SR-1 E-mail Security Update for the MultiLanguage Pack you are using. The Office 2000 MultiLanguage Pack Service Release 1 and the Outlook 2000 SR-1 E-mail Security Update for the MultiLanguage Pack are not yet available; if you install this update without these two MultiLanguage Pack updates, the following functionality is affected when using the MultiLanguage Pack:
- If you receive an e-mail with a Level 1 attachment, the name of the blocked
file will not appear at the top of the message, and you will not be able to
see or access the attachment within the message.
- When you send an attachment with a Level 1 file type extension, you will not
receive a message warning you that other Outlook recipients may not be able
to access this type of attachment.
- You will not be prompted to allow programmatic access to your Address Book or
Contacts list. Since viruses can spread by sending copies of e-mail messages to
people listed in your Address Book, access to the book is denied. This may
cause error messages to appear when using other Office programs or when
synchronizing with handheld PCs.
- You will not receive a message asking you to allow a program to send an e-mail
using the Outlook Visual Basic® Application command, Item.Send. All
programmatic access to this command is denied.
Since the Office 2000 MultiLanguage Pack Service Release 1 and the Outlook 2000 SR-1 E-mail Security Update for the MultiLanguage Pack are not yet available, subscribe to the Microsoft Office Auto Update Notification service to be notified by e-mail when they are released.
The Microsoft Office 2000 English Language Pack
The English Language Pack lets you change your user interface and Help to English. If you are using the Office 2000 English Language Pack and need to use this update, you must have installed Office 2000 Service Release 1 (or Office 2000 Service Release 1a (SR-1a)) and the Office 2000 English Language Pack Service Release 1 before you install the Outlook 2000 SR-1 E-mail Security Update. If the English Language Pack Service Release 1 is installed after you install this update, e-mail security functionality is the same as with the MultiLanguage Pack listed above. To prevent limited functionality, be sure to install the Outlook 2000 SR-1 E-mail Security Update after you have installed Office 2000 SR-1 and the Office 2000 English Language Pack Service Release 1.
More information
For additional information about the ILOVEYOU virus, read Information on the VBS/Loveletter Virus.
For more information about the security update, read the Microsoft Knowledge Base article (Q262631) OL2000: Information About the Outlook E-mail Security Update.
If you are a system administrator, read Knowledge Base article (Q263297) OL2000: Administrator Information About the Outlook E-mail Security Update for information about customizing the E-mail Security Update. System administrators can download the Outlook 2000 SR-1 Security Update Administrative Tools from the Customizing the Outlook 98/2000 E-mail Security Update page.
The Microsoft Knowledge Base article (Q262701) OL2000: Developer Information About the Outlook E-mail Security Update contains additional information about Outlook automation changes.
After you have installed the update, you can learn more about e-mail security by typing virus protection, e-mail security, or unsafe attachments in the Office Assistant or on the Answer Wizard tab in the Outlook 98/2000 Help window, and then clicking Search.
Once the update is installed you can read troubleshooting information about the Outlook E-mail Security Update by typing troubleshoot e-mail security or troubleshoot virus protection in the Office Assistant or on the Answer Wizard tab in the Outlook 98/2000 Help window, and then clicking Search.
For additional information about software security, take a look at the Office Update Security and Microsoft Office Focus.