Microsoft KB Archive/262767

= Update available for Office 2000 UA Control vulnerability =

Article ID: 262767

Article Last Modified on 1/27/2007

-

APPLIES TO


 * Microsoft Project 2000 Standard Edition
 * Microsoft Excel 2000 Standard Edition
 * Microsoft Access 2000 Standard Edition
 * Microsoft FrontPage 2000 Standard Edition
 * Microsoft Outlook 2000 Standard Edition
 * Microsoft PowerPoint 2000 Standard Edition
 * Microsoft Publisher 2000 Standard Edition
 * Microsoft Word 2000 Standard Edition
 * Microsoft Works Suite 2000
 * Microsoft PhotoDraw 2000 Standard Edition

-



This article was previously published under Q262767



SUMMARY
Microsoft has released an update that eliminates a security vulnerability in Microsoft Office 2000 and all of the programs listed at the beginning of this article. The vulnerability could allow a malicious Web site operator or e-mail author to take inappropriate action on the computer of a user who visited the operator's Web site or opened the HTML e-mail message.

An ActiveX control that is included with Office 2000 is incorrectly marked as &quot;safe for scripting&quot;. This control, the Office 2000 UA Control (Ouactrl.ocx), is used by the &quot;Show Me&quot; function in Office Help and allows Office functions to be scripted. A malicious Web site operator or e-mail author could use the control to carry out Office functions on the computer of a user who visited the Web site or opened the HTML e-mail message.

This update removes this unsafe functionality, with the result that the &quot;Show Me&quot; and pop-up window definition functions are turned off in Office 2000.

For example, in Microsoft Excel 2000, any hyperlink that has the javascript:HelpPopup property does not function.

NOTE: The Office 2000 UA Control is not included in Microsoft Office 2000 Service Release 1a (SR-1a).



How to Install the Update
Follow these steps to download and install this update:
 * 1) Point your Web browser to the following Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=1e9388cc-76fa-40cf-a84a-6284f5a15533&DisplayLang=en
 * 1) Click Download Now!. Click Save this program to disk, and then click OK.
 * 2) Click Save to save the Uactlsec.exe file in the selected folder.
 * 3) In Windows Explorer, double-click Uactlsec.exe.
 * 4) Click Yes when you are asked whether to install this update.
 * 5) Click Yes to accept the License Agreement.
 * 6) Click OK in the alert that indicates that the installation was successful.

Files Contained in the Uactlsec.exe Download
If you download Uactlsec.exe and manually extract the files by using a command line similar to the following

C:\Downloads\Uactlsec.exe /c /t:C:\Uafiles

the following files will be listed in the C:\Uafiles folder:

Advpack.dll

Install.inf

Ouactrl.ocx

W95inf16.dll

W95inf32.dll

How to Verify That the Update Is Successful
To verify whether the installation of the update was successful, you can check the version of the Ouactrl.ocx file, or you can verify whether the pop-up window and &quot;Show Me&quot; functionality is turned off, or you can do both.

How to Check the Version of Ouactrl.ocx
The original version of the Ouactrl.ocx file (1.01.0009 or 1.0.1.9) is replaced with the new version (2.0 or 2.0.0.0). By default, this file is in the following location on your computer:

C:\Program Files\Microsoft Office\Office

How to Check Whether Functionality for Pop-up Windows and &quot;Show Me&quot; Is Turned Off
To make sure the pop-up window and &quot;Show Me&quot; functionality is turned off, follow these steps:
 * 1) Start Microsoft Excel.
 * 2) Click the Office Assistant, and then type copy a formula.
 * 3) Click Search.
 * 4) Click Copy only formulas.
 * 5) Follow the steps listed in the &quot;Copy only values, formulas, comments, or cell formats&quot; Help topic.
 * 6) When you get to step 3, click Paste area.

Normally, you see a pop-up window displayed with a description of the term &quot;paste area&quot;. If you do not see this pop-up window, this functionality was turned off by the new version of Ouactrl.ocx.
 * 1) In step 4, click Show Me.

Normally, the Paste Special dialog box is automatically displayed. If you do not see this dialog box, this functionality was turned off by the new version of Ouactrl.ocx.

Additional query words: OFF2000 patch UA Control Vulnerability

Keywords: kbdownload kbbug kbfix KB262767

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.