Microsoft Security Bulletin (MS00-034): Frequently Asked Questions
What's this bulletin about?
Microsoft Security Bulletin MS00-034 announces the availability of a patch that eliminates a vulnerability in Microsoft® Office 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
Office 2000 ships with an ActiveX control that is incorrectly marked as "safe for scripting". Because of the incorrect marking, a malicious web site operator could use the control to take inappropriate actions on the machine of a visiting user. The control ships only with Office 2000, so customers using previous versions do not need to take any action.
What causes the vulnerability?
The vulnerability exists because an ActiveX control, the Office 2000 UA Control, is incorrectly marked as "safe for scripting". It exposes fairly powerful functionality that is inappropriate for use by web sites.
What is ActiveX?
ActiveX is a technology that allows programmers to develop self-contained software modules called controls, that perform a single task or a collection of related tasks. An ActiveX control can be called by programs or web sites that need the functionality it provides.
ActiveX provides benefits to programmers and web developers, because it enables them to use pre-written ActiveX controls to carry out common tasks, rather than having to implement the functions themselves. The shortens development time and improves reliability.
What does "safe for scripting" mean?
Every ActiveX control is marked by the author to indicate what kinds of actions it's able to take. The "safe for scripting" marking is an assertion by the author that the control cannot cause any harm, deliberately or accidentally, to a machine that it runs on.
IE allows customers to choose whether ActiveX controls that are not marked "safe for scripting" can be used by web sites. By default, only controls that are marked "safe for scripting" can be used. This vulnerability involves an ActiveX control that ships as part of Office 2000 and was incorrectly marked as "safe for scripting".
Is this a vulnerability in the ActiveX technology?
No. This vulnerability results because of a manual error in marking the particular control at issue.
What's the control, and what does it do?
The ActiveX control at issue is called the Office 2000 UA Control. It's used to automate demonstrations in help files. Many Office 2000 help topics have a "show me" hyperlink that, if clicked, will demonstrate how to perform a particular task. To see an example, use the Excel 2000 Answer Wizard to search for "Display leading or trailing zeros in a number". You'll see a help topic that has a hyperlink in Step 2 that reads "Show Me". If you click on this link, Excel will show you how to use the feature that lets you select how many leading or trailing zeros are displayed.
In order to provide the "show me" functionality, the Office 2000 UA Control needs to be able to manipulate Office functions under program control. This doesn't pose a threat under normal conditions, because the demonstrations in Office 2000 were designed to only provide "Show Me" demonstrations for harmless actions. However, because of the incorrect "safe for scripting" marking, a malicious web site operator could use control, and this would allow him to take inappropriate actions on the computers of people who visited his site.
What kind of "inappropriate actions" could a malicious web site operator take using this control?
The control allows any Office function to be executed. A malicious web site operator could use it to, for instance, open Word and change the macro security settings, then open a Word document on his site that contained malicious macros.
How would a malicious web site operator get me to visit his site?
This would be a question of social engineering. The malicious web site operator could not force you to come to his site against your will; he would need to entice or persuade you to do it through some means.
Are there any other ways that this vulnerability could be exploited?
Yes. If a malicious user sent an HTML mail that used the control, it could potentially execute the control when the recipient opened it. Such an email could take the same actions that a web site could. However, customers who have set their email to run in the Restricted Zone would not be affected, as the default settings in the Restricted Zone do not allow ActiveX controls to run.
What is the Restricted Zone?
The Restricted Zone is one of the Security Zones in Internet Explorer. Not only do Security Zones govern what various web sites can do, they also govern what HTML emails can do in Outlook and Outlook Express. To view HTML mails in the Restricted Zone, follow these instructions:
- Select Tools, then Options.
- Click on the Security tab
- In the part of the page labeled "Secure Content", select Restricted Sites from the pull-down menu
- Select Tools, then Options
- Click on the Security tab
- In the part of the page labeled "Security Zones", click on the "Restricted Sites Zone" radio button.
Could this vulnerability be exploited accidentally?
No. Exploiting this vulnerability requires a specific procedure that is extremely unlikely to occur accidentally.
I have a version of Office older than Office 2000. Could I be affected?
No. The Office UA Control first shipped in Office 2000.
I don't have Office 2000 on my machine. Could I be affected?
You could only be affected if you've installed Office 2000, or installed an Office 2000 family member as a standalone product. The security bulletin provides a comprehensive listing of affected products.
What does the patch do?
The patch provides a new version of the Office 2000 UA Control. The new version is marked "safe for scripting", but the functionality has been reduced so that this really is the case. After installing the patch, the "Show Me" function in Office Help will no longer function. In addition, "pop-ups" in Office 2000 Help will no longer work - "pop-ups" are text boxes that pop up when you put your mouse over a specially-marked term.
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin
How can I tell if I installed the patch correctly?
The KB article 262767 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that the file is present on your computer, and has the same size and creation date as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has developed a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article 262767 explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.