• Article

Security Bulletin

Microsoft Security Bulletin MS00-049 - Critical

Patches Available for 'Office HTML Script' and 'IE Script' Vulnerabilities

Published: July 13, 2000 | Updated: May 18, 2003

Version: 1.3

Originally Posted: July 13, 2000
Updated: May 18, 2003

Summary

On July 13, 2000, Microsoft released the original version of this bulletin. It provided a patch to eliminate a security vulnerability in Microsoft® Office 2000 and PowerPoint 97, and a workaround to protect against a vulnerability in Internet Explorer. On August 09, 2000, the bulletin was re-released to announce the availability of a patch for the vulnerability in Internet Explorer.

The effect of both vulnerabilities are the same -- they could allow a malicious web site operator to cause code of his choice to run on the computer of a visiting user.

Affected Software: The Office HTML Script vulnerability affects the following Office products when used in conjunction with Internet Explorer 4.x or 5.x:

  • Microsoft Excel 2000
  • Microsoft Powerpoint 2000
  • Microsoft PowerPoint 97

The IE Script vulnerability affects Internet Explorer 4.01 SP2 and higher, when Microsoft Access 97 or Access 2000 is present on the user machine.

Vulnerability Identifiers

General Information

Technical details

Technical description:

Two vulnerabilities have recently been discovered, one affecting Microsoft Office 2000 and PowerPoint 97, and the other affecting Internet Explorer 4.01 Service Pack 2 and higher. Although they involve different products, the effect, risk and exploit scenario are exactly the same. As a result, we have chosen to discuss them in the same bulletin. The vulnerabilities are:

  • The "Office Script" vulnerability. This vulnerability could allow script hosted on a malicious user's web site to save an Excel 2000, Powerpoint 2000, or Powerpoint 97 file to the computer of a visiting user. Depending on where and how the file were saved to the user's computer, it could be made to launch automatically. If this were done, macro or VBA code could be made to run.
  • The "IE Script" vulnerability. This vulnerability could allow script hosted on a malicious user's web site to reference a Microsoft Access file on the site. In turn, the Access file, when opened, could cause macro or VBA code to run.

Frequently asked questions

What's this bulletin about?
Microsoft Security Bulletin MS00-049 announces the availability of a patch that eliminates a vulnerability in Microsoft® Office 2000 (Excel and PowerPoint) and PowerPoint 97. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the Office HTML Script vulnerability?
The Office Script vulnerability allows any file to be saved to a user's local hard drive when the user is viewing a web page that contains script code referencing an Excel 2000 or PowerPoint file. By judicious selection of the format and location in which the file was saved, a malicious web site operator could cause the file to open automatically at some later time. If this happened, any code within the file would run.

What causes the Office HTML Script vulnerability?
If a malicious web page contains a script that references a remotely hosted Excel or PowerPoint object, that object can invoke a function within VBA (SaveAs) to save a file to a visiting user's local hard disk. This issue only affects Powerpoint 97, Powerpoint 2000, and Excel 2000 files. Users running any other Office products would not be affected by it.

What script code are we referring to in these vulnerabilities?
An html file can contain script code that executes when the html file is referenced from Internet Explorer or through a link in email. For example let's say you were visiting this url: www.fooexamplesite.com/start.html. A sample of script code within "start.html" may appear as shown below.

<html>
.....
<script>
function foo()
{
description of function;
}
</script>
</html>

What is the difference between VBA and script code in the example above?
Microsoft Visual Basic for Applications (VBA) is the development environment and macro language that is included as part of Microsoft Office. An example of specific script code that is used on web sites is Microsoft Visual Basic Scripting Edition (VBScript). VBScript is a subset of the Microsoft Visual Basic language. VBScript is implemented in Internet Explorer and other applications that use ActiveX Controls and Java applets.

Could this vulnerability be exploited through email?
Yes. The script at issue here could be included in an HTML mail. When opened, the script could reference an Excel or Powerpoint file on the sender's site.

Would the Outlook Email Security Update protect me from the mailborne version of this vulnerability?
Yes. The Outlook Email Security Update causes all HTML mail to be opened in the Restricted Zone, and disables Active Scripting and ActiveX Controls in that zone.

Who should use the Office HTML Script patch?
Microsoft recommends that all users of the affected versions of Microsoft Office install the patch for this vulnerability.

What does the Office HTML Script patch do?
The Office patch eliminates the vulnerability by marking Excel 2000 and PowerPoint files as unsafe for scripting.

Where can I get the Office HTML Script patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin . An alternate download location is on the Microsoft Office Site: Product Updates

How do I use the Office HTML script patch?
Microsoft Knowledge Base (KB) articles: Q268365 (Excel 2000), Q268457 (PowerPoint 2000), and Q268477 (PowerPoint 97) contains detailed instructions for applying the patch.

How can I tell if I installed the patch correctly?
Microsoft Knowledge Base (KB) articles: Q268365 (Excel 2000), Q268457 (PowerPoint 2000), and Q268477 (PowerPoint 97) provides a manifest of the files in the Office patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

"IE Script" Vulnerability

What's this bulletin about?
Microsoft Security Bulletin MS00-049 announces the availability of a patch that eliminates a vulnerability in Internet Explorer 4.01 SP2 and higher. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the IE Script vulnerability?
This vulnerability would allow a malicious user to host an Access file on his web site and cause it to open on the computer of any user who visited the site. Once this happened, any code in the Access file, such as macro code or VBA code, would be free to run on the visitor's computer.

What causes the IE Script vulnerability?
Internet Explorer allows the execution of a remotely or locally hosted Microsoft Access database that is referenced from a web page containing script code. By default Microsoft Access files are treated as unsafe for scripting; however, a certain script tag can be used to reference an Access (.mdb) file and execute VBA macro code even if scripting has been disabled in Internet Explorer.

What is the "certain script tag" that causes the IE vulnerability?
There is an <OBJECT> script tag that causes the execution of Microsoft Access files if referenced from a scripted web page. By default Microsoft Access files are marked unsafe for scripting, but this enables its execution regardless of the user's browser settings.

The original version of this bulletin provided a workaround that involved setting an administrator password in Access. Now that there's a patch, can I remove the administrator password?
Yes. You may still wish to keep the administrator password for other purposes, but it's not needed as a protective measure against this vulnerability once the patch has been installed.

If I've installed the patch for the Office HTML Script vulnerability, do I still need to apply the patch for the "IE Script" vulnerability?
The two vulnerabilities are completely separate, and you need to take the appropriate action against each. If you are using a version of IE that is 4.01 SP2 or greater then we recommend applying this new patch. If you also have the affected Office products installed then we recommend applying both patches.

Who should use the IE Script patch?
Microsoft recommends all users of the affected versions of Internet Explorer install this patch.

What does the IE Script patch do?
The patch removes the <OBJECT> tag vulnerability from IE when it references a Microsoft Access file.

Where can I get the IE Script patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .

Note: The patch for the IE Script vulnerability also eliminates a number of other security vulnerabilities. Please see Microsoft Security Bulletin MS00-055 for more information.

How do I use the IE Script patch?
Microsoft Knowledge Base (KB) article Q269368 (available soon) contains detailed instructions for applying the patch.

How can I tell if I installed the patch correctly?
Microsoft Knowledge Base (KB) article Q269368 (available soon) provides a manifest of the files in the IE patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about these issues?

  • Microsoft has developed a procedure that eliminates the vulnerability.

  • Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.

  • Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.

  • Microsoft Knowledge Base (KB) articles

    Q268365 (Excel 2000), Q268457 (PowerPoint 2000), and Q268477 (PowerPoint 97) discusses the "Office HTML Script" vulnerability in more detail.

  • Knowledge Base (KB) article Q269368 explaining the "IE Script" Vulnerability in more detail will be available soon.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Servicescan provide assistance with this or any other product support issue.

Patch availability

Download locations for this patch Office HTML Script vulnerability:

IE Script vulnerability:

  • </https:>https:

    Note: The patch for the IE Script vulnerability also eliminates a number of other security vulnerabilities. Please see Microsoft Security Bulletin MS00-055 for more information.

Additional information about this patch

Installation platforms: Please see the following references for more information related to this issue.

Other information:

Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at </https:>https:.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (July 13, 2000): Bulletin Created.
  • V1.1 (August 09, 2000): Bulletin updated to advise availability of a patch for the "IE Script" vulnerability.
  • V1.2 (February 28, 2003) : Updated link to Outlook Security Update in Frequently Asked Questions
  • V1.3 (May 18, 2003): Updated links to Download Locations and Additional Information.

Built at 2014-04-18T13:49:36Z-07:00 </https:>