PPT2000: Update Available for HTML Script Vulnerability (268457)

SUMMARY

Microsoft has released an update that eliminates a security vulnerability in Microsoft Excel 2000 and PowerPoint 2000. This update, the Microsoft Excel and PowerPoint 2000 SR-1 Add-In Security Update, eliminates a security vulnerability that could allow unsafe scripts to be run in Microsoft Excel 2000 or Microsoft PowerPoint 2000 when you view a Web page or HTML e-mail message. This update makes changes to the registry and eliminates the ability to run unsafe Excel or PowerPoint scripts by using the Internet Explorer Object Model.

NOTE: To use the Microsoft Excel and PowerPoint 2000 SR-1 Add-In Security Update, you must first install Office 2000 SR-1 or Office 2000 Service Release 1a (SR-1a).

System administrators can find additional information and the administrator version of this update at the Microsoft Office Resource Kit Web site.

To learn more about the Microsoft Excel and PowerPoint 2000 SR-1 Add-In Security Update, please see the Microsoft Security Bulletin MS00-049: Frequently Asked Questions.

NOTE: There are two separate updates: one for both PowerPoint 2000 and Excel 2000, and the other for PowerPoint 97. Excel 97 is not affected by this vulnerability. For additional information about the Microsoft PowerPoint 97 version of this update, click the article number below to view the article in the Microsoft Knowledge Base:

268477 PPT97: Update Available for HTML Script Vulnerability

MORE INFORMATION

How to Download and Install the Update

IMPORTANT:

To install the update, you must have access to your original PowerPoint or Office CD. (One exception is if you installed from a "flat copy" of the CD stored on a network server. A "flat copy" is not the same as an administrative installation.)If you installed from a network administrative installation to your workstation, you should contact your administrator about obtaining this update. Do not attempt to apply this update to your workstation.

Follow these steps to download and install the update:

Point your Web browser to the following Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=2005ba83-cde4-44e3-9680-af28a3421f77&DisplayLang=en
Click Download Now!. Click Save this program to disk, and then click OK.
Click Save to save the Addinsec.exe file to the selected folder.
In Windows Explorer, double-click Addinsec.exe.
Click Yes when you are asked whether to install this update.
Click Yes to accept the License Agreement.
If you are prompted to insert your Office 2000 CD, do this and then click OK.
Click OK in the alert that indicates that the installation was successful.

Files Contained in the Addinsec.exe Download

If you download Addinsec.exe and manually extract the files by using a command line similar to the following

C:\Downloads\Addinsec.exe /c /t:C:\Addinsec

the following files will be listed in the C:\Addinsec folder:

Ohotfix9.exe
Oqfe7752.msp
Oqfe7779_client.msp
Readme.txt

How to Verify That the Update Is Successful

The only changes made to Microsoft PowerPoint 2000 are in the registry. However, if you also have Microsoft Excel 2000 installed, you can verify installation by checking the version of Excel.exe.

To verify whether the installation of the update was successful, you can check that the version of the Excel.exe file on your system is equal to or greater than 9.0.4307. By default, Excel.exe is in the following location on your computer:

C:\Program Files\Microsoft Office\Office