Security Issue with Office XP Outlook 2002 SP3

[Jim]

Hello,

A user of my Outlook Add-In (VB6) upgraded to Office XP SP3, and is
now experiencing the infamous security popup. I found KB838871, and I
am pretty sure that reading .Body in my Add-In via the Outlook Object
Model is the source of the problem.

I am aware of ClickYes, but that isn't seamless enough. I am
considering integrating full blown Redemption, or adding more
capability to my own bare bones wrapper around Extended MAPI so I can
read .Body without going through the OOM. Neither of these changes
are trivial, and either will reset my extensive product field testing
to zero.

But -- I found the following newsgroup posting that, if accurate,
suggests that Microsoft is considering an 'SP3 fix' that might
eliminate the security popup for one or more situations. If this is
so, I am much less motivated to spend precious development time
working around the SP3 security issue only to have it perhaps soon
become a non-issue.

From: Stephen L Dotson ([email protected])
Subject: Re: Office XP Outlook 2002 SP3 Update
Newsgroups: microsoft.public.outlook.installation
Date: 2004-03-12 14:06:31 PST

I just spoke with Microsoft and they acknowledge that "We have
a problem" and a fix is coming. When the fix is coming they
didn't say, but they are having a lot of people calling about
this problem. He told me I could uninstall Office XP and roll
it up to SP2 and wait for the SP3 fix.

Has anyone heard of a forthcoming SP3 fix that will allow my Add-In to
continue reading .Body via the Outlook Object Model without producing
the security popup?

Thanks.

Jim

 

[Ken Slovak - [MVP - Outlook]]

That same restriction on reading .Body is there in Outlook 2003, and will be
there from what I've been told in Outlook 2000 SP4 when it comes out. I
wouldn't bet that it's going to be removed from Outlook 2002 SP3 in any
later SP's or hotfixes. Do whatever you have to do to make it work now and
save yourself even more pain in the future.

 

[Jim]

Ken,

I guess I'd better get busy expanding my Extended MAPI wrapper DLL to
support reading .Body. Hopefully it isn't too complicated to
transition between the Outlook mail item object handle in VB6 and the
equivalent Extended MAPI handle in C code.

I may also try changing my approach. I need to write to .Body, but I
do that now without incident when I create the mail item using
Extended MAPI. Reading .Body is where I am bumping into the new
security barrier. Perhaps when I create the mail item, I can put my
data in .UserProperties, and then read that later via the Outlook
Object Model without any security issues. If I never read .Body via
the OOM, and it is ok to read .UserProperties, that might work.

Thanks.

Jim

 

[Ken Slovak - [MVP - Outlook]]

Writing to .Body or .HTMLBody is not restricted and won't fire the security,
only reading those properties does.

I just use Redemption myself, it's nice and easy.

 

[Jim]

Ken,

I may end up going with Redemption. I have leaned heavily on Dmitry's
newsgroup postings to make my house payments the last couple of years,
and I'm certain Redemption is a very fine product.

But before I commit my employer to a third party library, I want to
explore Extended MAPI. I already have a working bare bones DLL
wrapper around Extended MAPI for adding a *new* message to an Outlook
folder using:

MAPIInitialize
MAPILogonEx
HrMAPIFindDefaultMsgStore
HrMAPIFindFolderEx
OpenEntry
CreateMessage
SetProps
SaveChanges

Now I want to add code that can read PR_BODY from an *existing*
message using Extended MAPI, to avoid the security popup that occurs
as of SP3 if I read MailItem.Body via the Outlook Object Model.

But for all my digging around in the newsgroups so far, I don't see
how to get from a MailItem object with an EntryID in my Outlook Add-In
to some as yet undiscovered Extended MAPI function(s) that can be used
to open an existing message and read PR_BODY. I would expect
something like:

MAPIInitialize
MAPILogonEx
HrMAPIFindDefaultMsgStore
HrMAPIFindFolderEx
OpenEntry
? ConvertOutlookObjectModelEntryIdToMapiEntryId
? OpenExistingMessageUsingMapiEntryId
? GetPropertyFromMessage(PR_BODY)

Can anyone offer me some tips or keywords to get me started in the
right direction?

Thanks.

Jim

 

[Ken Slovak - [MVP - Outlook]]

Did you read the interesting information about MAPI wrappers at the MAPILabs
Web site? It might apply to what you are trying to do also.

Dmitry has a free version of Redemption that can be used for personal use.
It just can't be redistributed. So if you want to play with it you can at no
charge.

I'm not sure about the needed stuff to do that, but it obviously can be done
since Dmitry does it in OutlookSpy. At a guess you would check for both ID
and the long term ID of the item (in case the user was on Exchange) and then
use a MAPITable operation to get the Body property and whatever other
properties you needed using a filter on the MAPITable. That's pretty much
how I'd do it in Redemption code, with a lot more details of course...

Dmitry uses a lot of MAPI terminology with Redemption, and the Web site has
sample code you can look over. It might give you some ideas.

 

[Jim]

Ken,

The MAPIlabs web site is an excellent resource that I was unaware of.
As with Redemption, I may not be able to integrate a third party
library in my employer's product, but MAPIlabs publishes source code
that I can look at to get some ideas about how to read
objMailItem.Body (PR_BODY) via Extended MAPI. That should give me a
good start.

Thanks.

Jim