
Why Does CDO Bypass Outlook Security


PaulHerschell

Programmer
Oct 9, 2001
59
NL
I have just started using CDO to bypass the Outlook security issue when I send an email from VFP6. It's so simple and I cannot understand why I didn't do it many months ago and save myself and customers so much grief. Before releasing this though, I just have one concern: if Microsoft introduced the security feature at Outlook 2000 SR1a to stop virus writers etc. hooking into their software without alerting the user, then why do they allow it with CDO, and what is to stop a virus writer / spammer etc. hooking into this technology instead? I am sure there is a logical explanation out there but it beats me at the moment, other than it's possibly to do with a more restricted feature set in CDO. Can anyone expand on this?

Thanks

Paul Herschell
 
Mike,

This does not answer my question but simply raises more questions. The link you posted takes me to an area where I see a download for a CDO security update.

Q1. This appears to be a separate update to the standard Outlook update which introduced the security patch that affected automation calls, am I correct?

Q2. If this patch is installed how does it stop viruses but let my app work away happily without security screens coming up, is there some kind of registration of trusted applications for example?

Q3. I have tested CDO on my XP machine running Office XP which all uses Windows auto update to apply security patches. Should I therefore not assume that CDO is patched with the latest version? It still lets me bypass any Outlook security quite happily without telling it that this is a trusted application - why could a virus not do the same?

Thanks

Paul Herschell
 
PaulHerschell

First of all you are right in saying that it does not answer your question, but CDO is not the only protocol to bypass the security patch in Outlook. The security patch has nothing to do with whether your messages are scanned for viruses or not; it has to do with requiring a user to accept sending an e-mail "in the background" (without using Outlook's interface, but using Outlook as a sending engine).

Q1. This appears to be a separate update to the standard Outlook update which introduced the security patch that affected automation calls, am I correct?

Correct

Q2. If this patch is installed how does it stop viruses but let my app work away happily without security screens coming up, is there some kind of registration of trusted applications for example?

No, some viruses use the Outlook engine to send e-mails automatically (and some don't). I believe that MS decided to add the patch to at least prevent this sort of activity. Outlook uses the MAPI API to send e-mail, but the MAPI function is wrapped around other functions that include the patch itself, whereas CDO uses MAPI directly, making it a lower-level function which does not include the patch.

Q3. I have tested CDO on my XP machine running Office XP which all uses Windows auto update to apply security patches. Should I therefore not assume that CDO is patched with the latest version? It still lets me bypass any Outlook security quite happily without telling it that this is a trusted application - why could a virus not do the same?

No, you should just understand that CDO is a low-level function that does not use the Outlook function to send an e-mail (SMTP is another one). You can actually send e-mail with CDO without Outlook being installed on the computer.

This link explains more about CDO libraries.

FAQ184-1768 and especially FAQ184-1769 (the first function allows you to determine the current version of CDO).
Mike Gagnon

If you want to get the best response to a question, please check out FAQ184-2483 first.
 
Mike,

Thanks for the more detailed response. I am still not sure whether I am more confused now than when I started. Yes, I understand that CDO is a lower-level function, but it must still talk to something to find out which SMTP server to use, what the user name is, what the password is, etc. I assume if Outlook is present it gets it from there, but if not it gets it from somewhere else, or am I oversimplifying things? I haven't told it where to look!

I had already visited FAQ184-1768, possibly as a result of finding one of your previous postings on the subject and this is where I got my first test code from and thought this was going to be so simple. Thanks for that.

This time, however, in revisiting that area, I also spotted the link to FAQ184-1769 for use with mail servers such as Exchange, which you have also linked above. I had not realised that the first set of code would not work if Exchange Server is being used (or have I got that wrong?). I do not have Exchange Server installed here but I thought I would give the code a try anyway. On sending a simple email, it came up with the normal security dialogue, but there was an extra bit which said 'and allow access for' and you could select a time interval up to 10 minutes. This seemed an ideal solution, if only it had also been put into standard Outlook automation! When it tried to send, however, it then also came up with the standard Outlook security dialogue where the 'yes' and 'no' buttons do not light up for several seconds. Maybe that's just a red herring though, and in a true Exchange Server environment users are much better off already than I had realised.

In a true Outlook Exchange environment, my understanding now is that if I send email as in FAQ184-1769 then you will get the security message only once, regardless of the number of emails being sent, and can tell the system to continue to allow access for a further length of time without further security messages. Have I understood this correctly?

In your example code there, you resolve the name from the address book rather than simply pass a 'to' address. I tried

onewmessage.to = "me@mydomain.com"

however, it did not like the property. What is the correct syntax for this?

Thanks for your help on this. Sorry to ask so many questions on it, however, I am sure there must be a lot of other people out there thinking the same things who should also benefit.

Paul Herschell
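The property error in the last post comes from there being two distinct CDO libraries: CDO 1.21 (MAPI.Session, the one FAQ184-1769's Exchange approach relies on) keeps recipients in a Recipients collection and has no .To property, while CDO for Windows 2000 (CDO.Message) exposes .To as a plain string and is told its SMTP server explicitly rather than reading it from Outlook. The VFP code below is an added example for this thread, not code from the posts or the linked FAQs; the addresses and server name are constructed placeholders.

```foxpro
* Added example (not from this thread or FAQ184-1768/1769): recipient syntax in both CDO libraries.
* Addresses and the server name below are constructed placeholders.

* 1) CDO 1.21 (MAPI.Session): goes through the user's MAPI profile.
*    Message objects have no .To property; recipients live in the Recipients collection.
LOCAL oSession, oMsg, oRecip
oSession = CREATEOBJECT("MAPI.Session")
oSession.Logon("", "", .F., .F.)           && default MAPI profile, no logon dialog
oMsg = oSession.Outbox.Messages.Add()
oMsg.Subject = "Test from VFP via CDO 1.21"
oMsg.Text    = "Message body"
* Recipients.Add(Name, Address, Type): a one-off SMTP address needs the "SMTP:" prefix; 1 = CdoTo
oRecip = oMsg.Recipients.Add("Recipient", "SMTP:me@mydomain.com", 1)
oMsg.Recipients.Resolve(.F.)               && resolve without the address-book dialog
oMsg.Send(.T., .F.)                        && SaveCopy = .T., ShowDialog = .F.
oSession.Logoff()

* 2) CDO for Windows 2000 (CDO.Message): speaks SMTP itself, so no Outlook or MAPI profile
*    is involved and the application must supply the server details. Here .To is a string.
LOCAL oCdo, cSchema
cSchema = "http://schemas.microsoft.com/cdo/configuration/"
oCdo = CREATEOBJECT("CDO.Message")
WITH oCdo
   .From     = "app@mydomain.com"
   .To       = "me@mydomain.com"
   .Subject  = "Test from VFP via CDO.Message"
   .TextBody = "Message body"
   .Configuration.Fields.Item(cSchema + "sendusing").Value      = 2                  && cdoSendUsingPort
   .Configuration.Fields.Item(cSchema + "smtpserver").Value     = "mail.mydomain.com"
   .Configuration.Fields.Item(cSchema + "smtpserverport").Value = 25
   .Configuration.Fields.Update()
   .Send()
ENDWITH
```

Whether the first path still raises the Outlook-style prompt depends on whether the separate CDO security update mentioned earlier in the thread is installed on that machine.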
 