Microsoft KB Archive/268365

= Update available for HTML script vulnerability =

Article ID: 268365

Article Last Modified on 1/27/2007

-

APPLIES TO


 * Microsoft Excel 2000 Service Pack 1
 * Microsoft Excel 2000 Standard Edition

-



This article was previously published under Q268365



SUMMARY
Microsoft has released an update that eliminates a security vulnerability in Microsoft Excel 2000 and PowerPoint 2000. This update, the Excel and PowerPoint 2000 SR-1 Add-In Security Update, eliminates a security vulnerability that could allow unsafe scripts to be run in Microsoft Excel 2000 or Microsoft PowerPoint 2000 when you view a Web page or HTML e-mail message. To prevent unsafe scripts from running, this update makes changes to the registry and eliminates the ability to run unsafe Excel or PowerPoint scripts by using the Internet Explorer Object Model.

NOTE: To use the Excel and PowerPoint 2000 SR-1 Add-In Security Update, you must first install Office 2000 SR-1 or Office 2000 Service Release 1a (SR-1a).

System administrators can find additional information and the administrator version of this update at the following Microsoft Web site:

Microsoft Office Resource Kit

To learn more about the Excel and PowerPoint 2000 SR-1 Add-In Security Update, please see the Microsoft Security Bulletin MS00-049: Frequently Asked Questions.

NOTE: There are two separate updates: one for both PowerPoint 2000 and Excel 2000, and the other for Microsoft PowerPoint 97. Microsoft Excel 97 is not affected by this vulnerability. For more information about the Microsoft PowerPoint 97 version of this update, click the following article number to view the article in the Microsoft Knowledge Base:

268477 Update available for HTML script vulnerability



How to download and install the update
IMPORTANT:

To install the update, you must have access to your original Excel or Office CD. (One exception is if you installed from a &quot;flat copy&quot; of the CD stored on a network server. A &quot;flat copy&quot; is not the same as an administrative installation.)If you installed from a network administrative installation to your workstation, you should contact your administrator about obtaining this update. Do not attempt to apply this update to your workstation. For more information about how to apply this update to an administrative installation, click the following article number to view the article in the Microsoft Knowledge Base:

268654 Administrative update available for HTML script vulnerability

You must shut down all running programs, including Microsoft Office, Microsoft Project, and the Microsoft Office Shortcut Bar, before you begin the installation.

Follow these steps to download and install the update:  Point your Web browser to the following Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=5c011c70-47d0-4306-9fa4-8e92d36332fe&DisplayLang=en

 Click Download. Click Save, and then click OK. Click Save to save the O2kSp3.exe file to the selected folder. In Windows Explorer, double-click O2kSp3.exe. Click Yes when you are asked whether to install this update. Click Yes to accept the License Agreement. If you are prompted to insert your Office 2000 CD, do this, and then click OK.</li> Click OK in the alert that indicates that the installation was successful.</li></ol>

Files contained in the O2kSp3.exe download
If you download O2kSp3.exe and manually extract the files by using a command line similar to the following:

C:\Downloads\O2kSp3.exe /c /t:C:\Addinsec

the following files will be listed in the C:\Addinsec folder:

ARTSP3.msp

launcher.exe

MAINSP3.msp

Readme.txt

ohotfix.exe

ohotfix.ini

ohotfixr.dll

outlctlx.exe

SP3CD2.msp

How to verify that the update is successful
To verify whether the installation of the update was successful, you can check that the version of the Excel.exe file on your system is equal to or later than 9.0.4307. By default, Excel.exe is in the following location on your computer:

C:\Program Files\Microsoft Office\Office

<div class="references_section">