Microsoft Security Bulletin MS00-049
Patches Available for 'Office HTML Script' and 'IE Script' Vulnerabilities
Originally Posted: July 13, 2000
Updated: May 18, 2003
On July 13, 2000, Microsoft released the original version of this bulletin. It provided a patch to eliminate a security vulnerability in Microsoft® Office 2000 and PowerPoint 97, and a workaround to protect against a vulnerability in Internet Explorer. On August 09, 2000, the bulletin was re-released to announce the availability of a patch for the vulnerability in Internet Explorer.
The effect of both vulnerabilities are the same -- they could allow a malicious web site operator to cause code of his choice to run on the computer of a visiting user.
Affected Software: The Office HTML Script vulnerability affects the following Office products when used in conjunction with Internet Explorer 4.x or 5.x:
- Microsoft Excel 2000
- Microsoft Powerpoint 2000
- Microsoft PowerPoint 97
The IE Script vulnerability affects Internet Explorer 4.01 SP2 and higher, when Microsoft Access 97 or Access 2000 is present on the user machine.
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (July 13, 2000): Bulletin Created.
- V1.1 (August 09, 2000): Bulletin updated to advise availability of a patch for the "IE Script" vulnerability.
- V1.2 (February 28, 2003) : Updated link to Outlook Security Update in Frequently Asked Questions
- V1.3 (May 18, 2003): Updated links to Download Locations and Additional Information.