What's this bulletin about?
Microsoft Security Bulletin MS00-049 announces the availability of a patch that eliminates a vulnerability in Microsoft® Office 2000 (Excel and PowerPoint) and PowerPoint 97. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the Office HTML Script vulnerability?
The Office Script vulnerability allows any file to be saved to a user's local hard drive when the user is viewing a web page that contains script code referencing an Excel 2000 or PowerPoint file. By judicious selection of the format and location in which the file was saved, a malicious web site operator could cause the file to open automatically at some later time. If this happened, any code within the file would run.
What causes the Office HTML Script vulnerability?
If a malicious web page contains a script that references a remotely hosted Excel or PowerPoint object, that object can invoke a function within VBA (SaveAs) to save a file to a visiting user's local hard disk.
This issue only affects Powerpoint 97, Powerpoint 2000, and Excel 2000 files. Users running any other Office products would not be affected by it.
What script code are we referring to in these vulnerabilities?
An html file can contain script code that executes when the html file is referenced from Internet Explorer or through a link in email.
For example let's say you were visiting this url: www.fooexamplesite.com/start.html.
A sample of script code within "start.html" may appear as shown below.
<HTML>
.....
<SCRIPT>
function foo()
{
description of function;
}
</SCRIPT>
</HTML>
What is the difference between VBA and script code in the example above?
Microsoft Visual Basic for Applications (VBA) is the development environment and macro language that is included as part of Microsoft Office.
An example of specific script code that is used on web sites is Microsoft Visual Basic Scripting Edition (VBScript). VBScript is a subset of the Microsoft Visual Basic language. VBScript is implemented in Internet Explorer and other applications that use ActiveX Controls and Java applets.
Could this vulnerability be exploited through email?
Yes. The script at issue here could be included in an HTML mail. When opened, the script could reference an Excel or Powerpoint file on the sender's site.
Would the Outlook Email Security Update protect me from the mailborne version of this vulnerability?
Yes. The Outlook Email Security Update causes all HTML mail to be opened in the Restricted Zone, and disables Active Scripting and ActiveX Controls in that zone.
Who should use the Office HTML Script patch?
Microsoft recommends that all users of the affected versions of Microsoft Office install the patch for this vulnerability.
What does the Office HTML Script patch do?
The Office patch eliminates the vulnerability by marking Excel 2000 and PowerPoint files as unsafe for scripting.
Where can I get the Office HTML Script patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
An alternate download location is on the Microsoft Office Site: Product Updates
How do I use the Office HTML script patch?
Microsoft Knowledge Base (KB) articles:
Q268365 (Excel 2000), Q268457 (PowerPoint 2000), and Q268477 (PowerPoint 97) contains detailed instructions for applying the patch.
How can I tell if I installed the patch correctly?
Microsoft Knowledge Base (KB) articles:
Q268365 (Excel 2000), Q268457 (PowerPoint 2000), and Q268477 (PowerPoint 97) provides a manifest of the files in the Office patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
"IE Script" Vulnerability
What's this bulletin about?
Microsoft Security Bulletin MS00-049 announces the availability of a patch that eliminates a vulnerability in Internet Explorer 4.01 SP2 and higher. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the IE Script vulnerability?
This vulnerability would allow a malicious user to host an Access file on his web site and cause it to open on the computer of any user who visited the site. Once this happened, any code in the Access file, such as macro code or VBA code, would be free to run on the visitor's computer.
What causes the IE Script vulnerability?
Internet Explorer allows the execution of a remotely or locally hosted Microsoft Access database that is referenced from a web page containing script code. By default Microsoft Access files are treated as unsafe for scripting; however, a certain script tag can be used to reference an Access (.mdb) file and execute VBA macro code even if scripting has been disabled in Internet Explorer.
What is the "certain script tag" that causes the IE vulnerability?
There is an <OBJECT> script tag that causes the execution of Microsoft Access files if referenced from a scripted web page. By default Microsoft Access files are marked unsafe for scripting, but this enables its execution regardless of the user's browser settings.
The original version of this bulletin provided a workaround that involved setting an administrator password in Access. Now that there's a patch, can I remove the administrator password?
Yes. You may still wish to keep the administrator password for other purposes, but it's not needed as a protective measure against this vulnerability once the patch has been installed.
If I've installed the patch for the Office HTML Script vulnerability, do I still need to apply the patch for the "IE Script" vulnerability?
The two vulnerabilities are completely separate, and you need to take the appropriate action against each. If you are using a version of IE that is 4.01 SP2 or greater then we recommend applying this new patch. If you also have the affected Office products installed then we recommend applying both patches.
Who should use the IE Script patch?
Microsoft recommends all users of the affected versions of Internet Explorer install this patch.
What does the IE Script patch do?
The patch removes the <OBJECT> tag vulnerability from IE when it references a Microsoft Access file.
Where can I get the IE Script patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
Note: The patch for the IE Script vulnerability also eliminates a number of other security vulnerabilities. Please see Microsoft Security Bulletin MS00-055 for more information.
How do I use the IE Script patch?
Microsoft Knowledge Base (KB) article Q269368 (available soon) contains detailed instructions for applying the patch.
How can I tell if I installed the patch correctly?
Microsoft Knowledge Base (KB) article Q269368 (available soon) provides a manifest of the files in the IE patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about these issues?
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
