How to avoid security prompts in Visual Basic programs for Outlook

This article describes how to avoid security prompts in Visual Basic programs for Microsoft® Outlook®, using the MAPI subsystem and without using any third-party libraries. An overview of existing third-party libraries for MAPI is provided. The article is intended for experienced Visual Basic 5.x/6.x and Visual Basic .NET software developers.

The latest versions of Microsoft Outlook, including Microsoft® Outlook® 2003, provide protection from unauthorized access to address books and message stores, as well as protection from unauthorized message sending via Outlook services by malicious programs. In practice, the security system operation is manifested through security prompts shown to the user when the program tries to access certain objects and properties of Outlook.

The security system has one undesirable side effect: Visual Basic software developers have no means to prove to Microsoft Outlook that their programs are safe, which would work with all versions and configurations of Outlook.

The early versions of Microsoft Outlook had no such security system; however, security system updates were released for all versions starting from Microsoft® Outlook® 98. For more information on the updates and the list of "possibly dangerous" objects see the following Microsoft® documents:

• 263275 OL97: The Outlook E-mail Security Update Is Not Available for Outlook 97
• 262617 OL98: Information About the Outlook E-mail Security Update
• 262700 OL98: Developer Information About the Outlook E-mail Security Update
• 263210 OFF2000: Known Issues with Office 2000 After You Apply the Outlook E-mail Security Update
• 290500 OL2002: Developer Information About E-Mail Security Features

The full list of documents describing the changes to security system upon installation of service packs or updates that takes place with different versions of Microsoft Outlook is somewhat greater than the above. All these documents are available on the Microsoft web-site.

Malicious program authors not only try to use message sending through Outlook to distribute viruses, they also attempt the scanning of address books and message stores in search for more victims and to disguise their messages as messages from the infected user. The more sophisticated the methods used in malicious programs are getting, the more strict the Outlook security system becomes. With Outlook 2003, the security system already responds not only to an attempt at retrieving the message sender’s address, but even an attempt at viewing its text.