Why Outlook has started seeing me as a security risk

I wrote a bunch of command-line apps a while ago that let me control my Outlook task list. As a big GTD devotee, everything that I do revolves around my task list. And as someone who spends a lot of time at the command prompt, these apps mean being able to add something to my task list when I think of it – without interrupting what I am doing. It means not needing to Alt-Tab to Microsoft Outlook, waiting for it to wake up, opening a new Form… all of which takes me away from what I was doing when I thought of whatever task needed capturing on my list.

But recently, Outlook started throwing up security warnings when I use them… which means I have to Alt-Tab to Outlook anyway to tick the box telling it it’s not under attack. 🙁

Screenshot of the Outlook security warning dialog

To give a little background, there are four main programs:

  • addtask (“t”) – adds a new task to my Outlook todo list
    C:\>t "Work out why Outlook is a pain" @Computer
  • listtasks (“l”) – shows a filtered, sorted list of my Outlook todo list
    C:\>l @Computer today
    1 h   Do this
    2 h o Do that
    3     Do the other
    4     Work out why Outlook is a pain
    5 l   Do something unimportant
  • opentask (“o”) – shows detailed information about a single task
    C:\>o 4
    Subject: Work out why Outlook is a pain
    Category: @Computer
    Start: none
    Due: none


  • completetask (“c”) – marks a task as complete
    C:\>c 4
    Marked complete: Work out why Outlook is a pain
      This task was 0 days old

They all take a ton of different arguments – to play with start dates, due dates, categories and so on – but you get the basic idea.

It was surprising – I haven’t made any recent changes to the programs, they’d not caused this before, and regardless of what the error message was claiming, I wasn’t going anywhere near email addresses!

I found articles like this Microsoft KB which talked about the error dialog I was seeing, saying that:

You receive the confirmation dialog box when a… program tries to … access the following features of the Outlook object model:

  • The following properties of a TaskItem object:
    • ContactNames
    • Contacts
    • Delegator
    • Owner
    • StatusUpdateRecipients
    • StatusOnCompletionRecipients

So, essentially anything that could have an email address (which makes sense, given the message in the dialog box). But I wasn’t going near any of those fields.

The answer showed up in an msdn developers article. In Outlook 2003, Microsoft updated the security model to “…add protection to the body properties of all items.”

My OpenTask program displays the notes for the task item that it opens – stored in the Outlook model as TaskItem.Body. As an impoverished geek, I’m still actually using Outlook 2002. But a few posts I found in newsgroups confirmed that this updated security model was included in Service Pack 3 (SP3) of Outlook 2002. That was the answer – Windows Update history shows that SP3 was installed a few days ago, which must’ve been when these dialogs started popping up.

So, what’s the answer? Well, first thing I did was to add a bit of error-handling to the programs to stop them dying if someone clicks the ‘No’ button to deny access to Outlook! That doesn’t solve the problem that the dialogs are popping up anyway. From what I’ve found so far, it looks like the best answer might be to rewrite the app using ‘Extended MAPI’

…external programs … can fully utilize Extended MAPI to avoid security warnings generated by the Outlook object model guard…

That’s something for another night, I think – should probably get on with some actual work now!

Damn security – might be easier to just remove SP3 😉

One Response to “Why Outlook has started seeing me as a security risk”

  1. dale says:

    An alternative to recoding applications using Extended MAPI is the free tool from MAPILab: Advanced Security for Outlook.

    This is an Outlook add-in which lets you: “specify the status for this program for future occasions e.g. allow access, block access or run the default Outlook handler. Future specified actions will be executed automatically and Outlook Security will cease to annoy you with messages concerning attempts to access e-mail addresses you have stored in Outlook.”

    I’ve been using it for a little while and it works well – avoids the dialog shown above being displayed every time you use your external Outlook apps!