what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ms04-033.txt

ms04-033.txt
Posted Oct 13, 2004
Site microsoft.com

A Microsoft update has been released. This update resolves a newly-discovered, privately reported vulnerability. A remote code execution vulnerability exists in Microsoft Excel. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

tags | advisory, remote, code execution
advisories | CVE-2004-0846
SHA-256 | 3a26b12732044b073dd79d79ff092513cab6c18141f701323054a437bbfc5041

ms04-033.txt

Change Mirror Download
  Microsoft Security Bulletin MS04-033


Vulnerability in Microsoft Excel Could Allow Remote Code Execution
(886836)

*Issued:* October 12, 2004
*Version:* 1.0


Vulnerability in Microsoft Excel Could Allow Code Remote Execution

*Who should read this document:* Customers who use Microsoft Excel 2000,
Microsoft Excel 2002, Microsoft Excel 2001 for Mac, or Microsoft Excel
v. X for Mac

*Impact of Vulnerability:* Remote Code Execution

*Maximum Severity Rating: *Critical

*Recommendation: *Customers should apply the update immediately.

*Security Update Replacement: *MS03-050

*Caveats: *None

*Tested Software and Security Update Download Locations:*

*Affected Software: *

?

Microsoft Office 2000 Software Service Pack 3 - Download the update
(KB873372)
<http://www.microsoft.com/downloads/details.aspx?FamilyId=B0C40C24-4DDE-45AF-8433-6DBDDD030C30>

Microsoft Office 2000 Service Pack 3 Software:

?

Excel 2000

?

Microsoft Office XP Software Service Pack 2 - Download the update
(KB873366)
<http://www.microsoft.com/downloads/details.aspx?FamilyId=5E0FADD3-1554-4C43-9B4A-D5E031478892>

Microsoft Office XP Software:

?

Excel 2002

?

Microsoft Office 2001 for Mac - Download the update
<http://www.microsoft.com/downloads/details.aspx?FamilyId=9889BEAE-4771-415D-8070-3E51F4CC7AE3>

Microsoft Office 2001 for Mac:

?

Excel 2001 for Mac

?

Microsoft Office v. X for Mac - Download the update
<http://www.microsoft.com/downloads/details.aspx?FamilyId=148E9283-4DF8-4A75-9671-CC72E6306B84>

Microsoft Office v. X for Mac:

?

Excel v. X for Mac

*Non-Affected Software:*

?

Microsoft Office XP Service Pack 3

?

Microsoft Office Excel 2003

?

Microsoft Office 2003 Service Pack 1

?

Microsoft Excel 2004 for Mac

The software in this list has been tested to determine if the versions
are affected. Other versions either no longer include security update
support or may not be affected. To determine the support lifecycle for
your product and version, visit the following Microsoft Support
Lifecycle Web site <http://go.microsoft.com/fwlink/?LinkId=21742>.

Top of section <#EVAA>Top of section <#EVAA>


General Information

<javascript:Toggle('s3l1-EDUAA')> <javascript:Toggle('s3l1-EDUAA')>


Executive Summary <javascript:Toggle('s3l1-EDUAA')>

<javascript:Toggle('s3l1-EDUAA')>

*Executive Summary:*

This update resolves a newly-discovered, privately reported
vulnerability. A remote code execution vulnerability exists in Microsoft
Excel. The vulnerability is documented in the Vulnerability Details
section of this bulletin.

If a user is logged on with administrative privileges, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system, including installing programs; viewing, changing, or
deleting data; or creating new accounts with full privileges. Users
whose accounts are configured to have fewer privileges on the system
would be at less risk than users who operate with administrative privileges.

*Severity Ratings and Vulnerability Identifiers:*

Vulnerability Identifiers Impact of Vulnerability Office 2000 SP3 and
Excel 2000 Office XP SP2 and Excel 2002 Office 2001 for Mac and Excel
2001 for Mac Office v. X for Mac and Excel v. X for Mac

Vulnerability in Microsoft Excel Vulnerability - CAN-2004-0846
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-9998>

Remote Code Execution

Critical

Critical

Important

Important

This assessment <http://go.microsoft.com/fwlink/?LinkId=21140> is based
on the types of systems that are affected by the vulnerability, their
typical deployment patterns, and the effect that exploiting the
vulnerability would have on them.

Top of section <#EDUAA>Top of section <#EDUAA>
<javascript:Toggle('s3l1-ECUAA')> <javascript:Toggle('s3l1-ECUAA')>


Frequently asked questions (FAQ) related to this security update
<javascript:Toggle('s3l1-ECUAA')>

<javascript:Toggle('s3l1-ECUAA')>

*What updates does this release replace?*
This security update replaces several prior security bulletins. The
security bulletin IDs and operating systems that are affected are listed
in the following table.

Bulletin ID Office 2000 SP3 and Excel 2000 Office XP SP2 and Excel 2002
Office 2001 for Mac and Excel 2001 for Mac Office v. X for Mac and Excel
v. X for Mac

*MS03-050*

Replaced

Replaced

Not Applicable

Not Applicable

*Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine
if this update is required?*MBSA does report on software supported by
the Office Inventory Tool for local computer scans. For detailed
information about how MBSA detects Office updates, visit the following
Web site <http://go.microsoft.com/fwlink/?LinkId=21141>. MBSA cannot use
the Office Detection Tool to scan remote systems; it will only use this
tool to scan a system locally for required security updates. For more
information about MBSA, visit the MBSA Web site
<http://www.microsoft.com/technet/security/tools/mbsahome.mspx>.

*Can I use Systems Management Server (SMS) to determine if this update
is required?*
Yes. SMS can help detect and deploy this security update. For
information about SMS, visit the SMS Web site.

Top of section <#ECUAA>Top of section <#ECUAA>
<javascript:Toggle('s3l1-EBUAA')> <javascript:Toggle('s3l1-EBUAA')>


Vulnerability Details <javascript:Toggle('s3l1-EBUAA')>

<javascript:Toggle('s3l1-EBUAA')>

<javascript:Toggle('s3l2-EABUAA')> <javascript:Toggle('s3l2-EABUAA')>


Excel Vulnerability - CAN-2004-0846:
<javascript:Toggle('s3l2-EABUAA')>

<javascript:Toggle('s3l2-EABUAA')>

A remote code execution vulnerability exists in Excel. If a user is
logged on with administrative privileges, an attacker who successfully
exploited this vulnerability could take complete control of the affected
system.

<javascript:Toggle('s3l3-ECABUAA')> <javascript:Toggle('s3l3-ECABUAA')>


Mitigating Factors for Excel Vulnerability - CAN-2004-0846
<javascript:Toggle('s3l3-ECABUAA')>

<javascript:Toggle('s3l3-ECABUAA')>

?

In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this
vulnerability. An attacker would have no way to force users to visit a
malicious Web site. Instead, an attacker would have to persuade them to
visit the Web site, typically by getting them to click a link that takes
them to the attacker's site. At this point a user could be exploited.

?

An attacker who successfully exploited this vulnerability could gain the
same privileges as the user. Users whose accounts are configured to have
fewer privileges on the system would be at less risk than users who
operate with administrative privileges.

?

The vulnerability can not be exploited automatically through e-mail. For
an attack to be successful through e-mail, a user must open an
attachment that is sent in an e-mail message.

?

Excel 2001 for Mac users and Excel v. X for Mac users are prompted to
download an Excel file before they open it. Therefore, a user may not be
exploited by an attacker upon an initial visit to a web site.

?

Office XP Service Pack 3 is not affected by this vulnerability.

?

Office 2003 and Office 2003 Service Pack 1 are not affected by this
vulnerability.

?

Excel 2004 for Mac is not affected by this vulnerability.

Top of section <#ECABUAA>Top of section <#ECABUAA>
<javascript:Toggle('s3l3-EBABUAA')> <javascript:Toggle('s3l3-EBABUAA')>


Workarounds for Excel Vulnerability - CAN-2004-0846
<javascript:Toggle('s3l3-EBABUAA')>

<javascript:Toggle('s3l3-EBABUAA')>

None.

Top of section <#EBABUAA>Top of section <#EBABUAA>
<javascript:Toggle('s3l3-EAABUAA')> <javascript:Toggle('s3l3-EAABUAA')>


FAQ for Excel Vulnerability - CAN-2004-0846:
<javascript:Toggle('s3l3-EAABUAA')>

<javascript:Toggle('s3l3-EAABUAA')>

*What is the scope of the vulnerability?*
This is a remote code execution vulnerability. If a user is logged on
with administrative privileges, an attacker who successfully exploited
this vulnerability could take complete control of an affected system,
including installing programs; viewing, changing, or deleting data; or
creating new accounts with full privileges. Users whose accounts are
configured to have fewer privileges on the system would be at less risk
than users who operate with administrative privileges.

*How could an attacker exploit the vulnerability?*
An attacker could host a malicious Excel file on a web site and persuade
a user to click a link to the file. The file could then be executed
allowing the attacker to execute code of their choice. An attacker could
also attempt to exploit the vulnerability by sending a specially crafted
file in email.

*What systems are primarily at risk from the vulnerability?*
Workstations and terminal servers are primarily at risk. Servers are
only at risk if users who do not have sufficient administrative
credentials are given the ability to log on to servers and to run
programs. However, best practices strongly discourage allowing this.

*Are all versions of Office and Excel affected by this vulnerability?
*No. Office XP Service Pack 3, Office 2003 and Excel 2003, Office 2003
Service Pack 1, and Excel 2004 for Mac are not affected.

*When this security bulletin was issued, had this vulnerability been
publicly disclosed?*
No. Microsoft received information about this vulnerability through
responsible disclosure.

*What does the update do?*
The patch removes the vulnerability by making sure that Excel correctly
validates parameters when it opens an Excel file.

Top of section <#EAABUAA>Top of section <#EAABUAA>
Top of section <#EABUAA>Top of section <#EABUAA>
Top of section <#EBUAA>Top of section <#EBUAA>
<javascript:Toggle('s3l1-EAUAA')> <javascript:Toggle('s3l1-EAUAA')>


Security Update Information <javascript:Toggle('s3l1-EAUAA')>

<javascript:Toggle('s3l1-EAUAA')>

*Installation Platforms and Prerequisites:*

For information about the specific security update for your platform,
click the appropriate link:

<javascript:Toggle('s3l2-EDAUAA')> <javascript:Toggle('s3l2-EDAUAA')>


Office XP and Excel 2002 <javascript:Toggle('s3l2-EDAUAA')>

<javascript:Toggle('s3l2-EDAUAA')>

<javascript:Toggle('s3l3-EDDAUAA')> <javascript:Toggle('s3l3-EDDAUAA')>


Prerequisites and Additional Update Details
<javascript:Toggle('s3l3-EDDAUAA')>

<javascript:Toggle('s3l3-EDDAUAA')>

*Important *Before you install this update, make sure that the
following requirements have been met:

?

Microsoft Windows Installer 2.0 must be installed. Microsoft Windows
Server 2003, Windows XP and Microsoft Windows 2000 Service Pack 2 (SP2)
include Windows Installer 2.0 or later. To install the latest version of
the Windows Installer, visit one of the following Microsoft Web sites:

Windows Installer 2.0 for Windows 95, Windows 98, Windows 98 SE, and
Windows Millennium Edition <http://go.microsoft.com/fwlink/?LinkId=33337>

Windows Installer 2.0 for Windows 2000 and Windows NT 4.0
<http://go.microsoft.com/fwlink/?LinkId=33338>

For additional information about how to determine the version of Office
XP on your computer, see Microsoft Knowledge Base Article 291331
<http://support.microsoft.com/default.aspx?scid=kb;%5bLN%5d;291331>.

*Inclusion in Future Service Packs:*

The fix for this issue is in Office XP Service Pack 3

*Restart Requirement*

No restart is required.

*Removal Information*

After you install the update, you cannot remove it. To revert to an
installation before the update was installed, you must remove the
software, and then install it again from the original CD-ROM.

Top of section <#EDDAUAA>Top of section <#EDDAUAA>
<javascript:Toggle('s3l3-ECDAUAA')> <javascript:Toggle('s3l3-ECDAUAA')>


Automated Client Installation Information
<javascript:Toggle('s3l3-ECDAUAA')>

<javascript:Toggle('s3l3-ECDAUAA')>

*Office Update Web Site*

We recommend that you install the Office XP client updates by using the
Office Update Web site <http://go.microsoft.com/fwlink/?LinkId=21135>.
The Office Update Web site detects your particular installation and
prompts you to install exactly what you must have to make sure that your
installation is completely up to date.

To have the Office Update Web site detect the required updates that you
must install on your computer, visit the Office Update Web site
<http://go.microsoft.com/fwlink/?LinkId=21135>, and then click *Check
for Updates*. After detection is complete, the site displays a list of
recommended updates for your approval. Click *Start Installation* to
complete the process.

Top of section <#ECDAUAA>Top of section <#ECDAUAA>
<javascript:Toggle('s3l3-EBDAUAA')> <javascript:Toggle('s3l3-EBDAUAA')>


Manual Client Installation Information
<javascript:Toggle('s3l3-EBDAUAA')>

<javascript:Toggle('s3l3-EBDAUAA')>

For detailed information about how to manually install this update
please review the following section.

*Installation Information *

The security update supports the following setup switches:

/*Q* Specifies quiet mode, or suppresses prompts, when files are
being extracted.

/*Q:U* Specifies user-quiet mode, which presents some dialog boxes to
the user.

/*Q:A* Specifies administrator-quiet mode, which does not present any
dialog boxes to the user.

/*T*: *<full path>* Specifies the target folder for extracting files.

/*C* Extracts the files without installing them. If /*T*: path is not
specified, you are prompted for a target folder.

/*C*: *<Cmd>* Override Install Command defined by author. Specifies
the path and name of the setup .inf or .exe file.

/*R:N* Never restarts the computer after installation.

/*R:I* Prompts the user to restart the computer if a restart is
required, except when used with */Q:A*.

/*R:A* Always restarts the computer after installation.

/*R:S* Restarts the computer after installation without prompting the
user.

/*N:V* No version checking - Install the program over any previous
version.

*Note *These switches do not necessarily work with all updates. If a
switch is not available that functionality is necessary for the correct
installation of the update. Also, the use of the /*N:V* switch is
unsupported and may result in an unbootable system. If the installation
is unsuccessful, you should consult your support professional to
understand why it failed to install.

For additional information about the supported setup switches, see
Microsoft Knowledge Base Article 197147
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;197147>.

*Client Deployment Information *

1.

Download the client version of this security update.
<http://www.microsoft.com/downloads/details.aspx?FamilyId=5E0FADD3-1554-4C43-9B4A-D5E031478892>

2.

Click *Save this program to disk*, and then click *OK*.

3.

Click *Save*.

4.

Using Windows Explorer, locate the folder that contains the saved file,
and then double-click the saved file.

5.

If you are prompted to install the update, click *Yes*.

6.

Click *Yes* to accept the License Agreement.

7.

Insert your original source CD-ROM if you are prompted to do so, and
then click *OK*.

8.

When you receive a message that indicates the installation was
successful, click *OK*.

*Note *If the security update is already installed on your computer,
you receive the following error message: *This update has already been
applied or is included in an update that has already been applied*.

*Client Installation File Information*

The English version of this update has the file attributes (or later)
that are listed in the following table. The dates and times for these
files are listed in coordinated universal time (UTC). When you view the
file information, it is converted to local time. To find the difference
between UTC and local time, use the *Time Zone* tab in the Date and Time
tool in Control Panel.

Office XP SP2 and Excel 2002:

Date Time Version Size File name
----------------------------------------------------------
05-May-2004 04:47 10.00.6713.0000 9,190,080 Excel.exe

*Verifying Update Installation *

?

*Microsoft Baseline Security Analyzer*

To verify that a security update is installed on an affected system, you
may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool.
This tool allows administrators to scan local and remote systems for
missing security updates and for common security misconfigurations. For
more information about MBSA, visit the Microsoft Baseline Security
Analyzer Web site <http://go.microsoft.com/fwlink/?LinkId=21134>.

?

*File Version Verification*

*Note* Because there are several versions of Microsoft Windows, the
following steps may be different on your computer. If they are, see your
product documentation to complete these steps.

1.

Click *Start*, and then click *Search*.

2.

In the *Search Results pane*, click *All files and folders* under
*Search Companion*.

3.

In the *All or part of the file name box*, type a file name from the
appropriate file information table, and then click *Search*.

4.

In the list of files, right-click a file name from the appropriate file
information table, and then click *Properties*.

*Note* Depending on the version of the operating system or programs
installed, some of the files that are listed in the file information
table may not be installed.

5.

On the *Version* tab, determine the version of the file that is
installed on your computer by comparing it to the version that is
documented in the appropriate file information table.

* Note *Attributes other than file version may change during
installation. Comparing other file attributes to the information in the
file information table is not a supported method of verifying the update
installation. Also, in certain cases, files may be renamed during
installation. If the file or version information is not present, use one
of the other available methods to verify update installation.

Top of section <#EBDAUAA>Top of section <#EBDAUAA>
<javascript:Toggle('s3l3-EADAUAA')> <javascript:Toggle('s3l3-EADAUAA')>


Administrative Installation Information
<javascript:Toggle('s3l3-EADAUAA')>

<javascript:Toggle('s3l3-EADAUAA')>

If you installed your application from a server location, the server
administrator must update the server location with the administrative
update and deploy that update to your computer.

*Installation Information *

The following setup switches are relevant to administrative
installations as they allow an administrator to customize the manner in
which the files are extracted from within the security update:

/*?* Displays the command line options

/*Q* Specifies quiet mode, or suppresses prompts, when files are
being extracted.

/*T*: *<full path>* Specifies the target folder for extracting files.

/*C* Extracts the files without installing them. If /*T*: path is not
specified, you are prompted for a target folder.

/*C*: *<Cmd>* Override Install Command defined by author. Specifies
the path and name of the Setup .inf or .exe file.

For additional information about the supported setup switches, see
Microsoft Knowledge Base Article 197147
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;197147>.

*Administrative Deployment Information*

To update your administrative installation, please perform the following
procedure:

?

Download the administrative version of this security update.
<http://www.microsoft.com/downloads/details.aspx?FamilyId=5E0FADD3-1554-4C43-9B4A-D5E031478892>

?

Click *Save this program to disk*, and then click *OK*.

?

Click *Save*.

?

Using Windows Explorer, locate the folder that contains the saved file
and run the following command line to extract the .msp file:

/ [path\name of EXE file]/ /c /t:C:\AdminUpdate

*Note* Double-clicking the .exe file does not extract the .msp file; it
applies the update to the local computer. In order to update an
administrative image, you must first extract the .msp file.

?

Click *Yes* to accept the License Agreement.

?

Click *Yes* if you are prompted to create the folder.

?

If you are familiar with the procedure for updating your administrative
installation, click *Start*, and then click *Run*. Type the following
command in the *Open* box:

msiexec /a Admin Path\MSI File /p C:\adminUpdate\MSP File
SHORTFILENAMES=TRUE

Where Admin Path is the path of your administrative installation point
for your application (for example, C:\OfficeXP), MSI File is the .msi
database package for the application (for example, Data1.msi), and MSP
File is the name of the administrative update (for example, SHAREDff.msp).

*Note *You can append /*qb+* to the command line so that the
*Administrative Installation* dialog box and the *End User License
Agreement* dialog box do not appear.

?

Click *Next* in the provided dialog box. Do not change your CD Key,
installation location, or company name in the provided dialog box.

?

Click *I accept the terms in the License Agreement*, and then click
*Install*.

At this point, your administrative installation point is updated. Next,
you must update the workstations that were originally installed from
this administrative installation. To do this, please review the
Workstation Deployment section. Any new installations that you run from
this administrative installation point will include the update.

*Warning *Any workstation that was originally installed from this
administrative installation before you installed the update cannot use
this administrative installation for actions like repairing Office or
adding new features until you complete the steps in the Workstation
Deployment section for this workstation.

*Workstation Deployment Information *

To deploy the update to the client workstations, click *Start*, and then
click *Run*. Type the following command in the *Open* box:

msiexec /i Admin Path\MSI File /qb REINSTALL=Feature List REINSTALLMODE=vomu

Where Admin Path is the path of your administrative installation point
for your application (for example, C:\OfficeXP), MSI File is the .msi
database package for the application (for example, Data1.msi), and
Feature List is the list of feature names (case sensitive) that must be
reinstalled for the update. To install all features, you can use
*REINSTALL=ALL*.

*Note *Administrators working in managed environments can find complete
resources for deploying Office updates in an organization on the Office
Admin Update Center
<http://www.microsoft.com/office/ork/updates/default.htm>. On the home
page of that site, look in the *Update Strategies* section for the
software version you are updating. The Windows Installer Documentation
<http://go.microsoft.com/fwlink/?LinkId=21685> also provides additional
information about the parameters supported by the Windows Installer.

*Administrative Installation File Information*

The English version of this update has the file attributes (or later)
that are listed in the following table. The dates and times for these
files are listed in coordinated universal time (UTC). When you view the
file information, it is converted to local time. To find the difference
between UTC and local time, use the *Time Zone* tab in the Date and Time
tool in Control Panel.

Office XP Service Pack 2 and Excel 2002:

Date Time Version Size File name
----------------------------------------------------------
05-May-2004 04:47 10.00.6713.0000 9,190,080 Excel.exe

*Verifying Update Installation *

?

*Microsoft Baseline Security Analyzer*

To verify that a security update is installed on an affected system, you
may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool.
This tool allows administrators to scan local and remote systems for
missing security updates and for common security misconfigurations. For
more information about MBSA, visit the Microsoft Baseline Security
Analyzer Web site <http://go.microsoft.com/fwlink/?LinkId=21134>.

?

*File Version Verification*

*Note* Because there are several versions of Microsoft Windows, the
following steps may be different on your computer. If they are, see your
product documentation to complete these steps.

1.

Click *Start*, and then click *Search*.

2.

In the *Search Results pane*, click *All files and folders* under
*Search Companion*.

3.

In the *All or part of the file name box*, type a file name from the
appropriate file information table, and then click *Search*.

4.

In the list of files, right-click a file name from the appropriate file
information table, and then click *Properties*.

*Note* Depending on the version of the operating system or programs
installed, some of the files that are listed in the file information
table may not be installed.

5.

On the *Version* tab, determine the version of the file that is
installed on your computer by comparing it to the version that is
documented in the appropriate file information table.

* Note *Attributes other than file version may change during
installation. Comparing other file attributes to the information in the
file information table is not a supported method of verifying the update
installation. Also, in certain cases, files may be renamed during
installation. If the file or version information is not present, use one
of the other available methods to verify update installation.

Top of section <#EADAUAA>Top of section <#EADAUAA>
Top of section <#EDAUAA>Top of section <#EDAUAA>
<javascript:Toggle('s3l2-ECAUAA')> <javascript:Toggle('s3l2-ECAUAA')>


Office 2000 and Excel 2000 <javascript:Toggle('s3l2-ECAUAA')>

<javascript:Toggle('s3l2-ECAUAA')>

<javascript:Toggle('s3l3-EDCAUAA')> <javascript:Toggle('s3l3-EDCAUAA')>


Prerequisites and Additional Update Details
<javascript:Toggle('s3l3-EDCAUAA')>

<javascript:Toggle('s3l3-EDCAUAA')>

*Important *Before you install this update, make sure that the
following requirements have been met:

?

Microsoft Windows Installer 2.0 must be installed. Microsoft Windows
Server 2003, Windows XP and Microsoft Windows 2000 Service Pack 3 (SP3)
include Windows Installer 2.0 or later. To install the latest version of
the Windows Installer, visit one of the following Microsoft Web sites:

Windows Installer 2.0 for Windows 95, Windows 98, Windows 98 SE, and
Windows Millennium Edition <http://go.microsoft.com/fwlink/?LinkId=33337>

Windows Installer 2.0 for Windows 2000 and Windows NT 4.0
<http://go.microsoft.com/fwlink/?LinkId=33338>

?

Office 2000 Service Pack 3 (SP3) or Microsoft Excel 2000 must be
installed. Before you install this update, install Office 2000 SP3. For
additional information about how to install Office 2000 SP3, see
Microsoft Knowledge Base Article 326585
<http://support.microsoft.com/default.aspx?scid=kb;en-us;326585>. The
administrative update can also be installed on systems that are running
Office 2000 SP2 or Office 2000 SP3.

For additional information about how to determine the version of Office
2000 on your computer, see Microsoft Knowledge Base Article 255275.

*Restart Requirement*

No restart is required.

*Removal Information*

After you install the update, you cannot remove it. To revert to an
installation before the update was installed, you must remove the
software, and then install it again from the original CD-ROM.

Top of section <#EDCAUAA>Top of section <#EDCAUAA>
<javascript:Toggle('s3l3-ECCAUAA')> <javascript:Toggle('s3l3-ECCAUAA')>


Automated Client Installation Information
<javascript:Toggle('s3l3-ECCAUAA')>

<javascript:Toggle('s3l3-ECCAUAA')>

*Office Update Web Site*

Microsoft recommends that you install the Office 2000 client updates by
using the Office Update Web site
<http://go.microsoft.com/fwlink/?LinkId=21135>. The Office Update Web
site detects your particular installation and prompts you to install
exactly what you must have to make sure that your installation is
completely up-to-date.

To have the Office Update Web site detect the required updates that you
must install on your computer, visit the Office Update Web site
<http://go.microsoft.com/fwlink/?LinkId=21135>, and then click *Check
for Updates*. After detection is complete, the site displays a list of
recommended updates for your approval. Click *Start Installation* to
complete the process.

Top of section <#ECCAUAA>Top of section <#ECCAUAA>
<javascript:Toggle('s3l3-EBCAUAA')> <javascript:Toggle('s3l3-EBCAUAA')>


Manual Client Installation Information
<javascript:Toggle('s3l3-EBCAUAA')>

<javascript:Toggle('s3l3-EBCAUAA')>

For detailed information about how to manually install this update,
please review the following section.

*Installation Information *

The security update supports the following setup switches:

/*Q* Specifies quiet mode, or suppresses prompts, when files are
being extracted.

/*Q:U* Specifies user-quiet mode, which presents some dialog boxes to
the user.

/*Q:A* Specifies administrator-quiet mode, which does not present any
dialog boxes to the user.

/*T*: *<full path>* Specifies the target folder for extracting files.

/*C* Extracts the files without installing them. If /*T*: path is not
specified, you are prompted for a target folder.

/*C*: *<Cmd>* Override Install Command defined by author. Specifies
the path and name of the setup .inf or .exe file.

/*R:N* Never restarts the computer after installation.

/*R:I* Prompts the user to restart the computer if a restart is
required, except when used with */Q:A*.

/*R:A* Always restarts the computer after installation.

/*R:S* Restarts the computer after installation without prompting the
user.

/*N:V* No version checking - Install the program over any previous
version.

*Note *These switches do not necessarily work with all updates. If a
switch is not available that functionality is necessary for the correct
installation of the update. Also, the use of the /*N:V* switch is
unsupported and may result in an unbootable system. If the installation
is unsuccessful, you should consult your support professional to
understand why it failed to install.

For additional information about the supported setup switches, see
Microsoft Knowledge Base Article 197147
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;197147>.

*Client Deployment Information *

1.

Download the client version of this security update.
<http://download.microsoft.com/download/b/0/3/b03abaa0-dd54-4223-b43e-130d338678b1/office2000-kb873372-client-enu.exe>

2.

Click *Save this program to disk*, and then click *OK*.

3.

Click *Save*.

4.

Using Windows Explorer, locate the folder that contains the saved file,
and then double-click the saved file.

5.

If you are prompted to install the update, click *Yes*.

6.

Click *Yes* to accept the License Agreement.

7.

Insert your original source CD-ROM if you are prompted to do so, and
then click *OK*.

8.

When you receive a message that indicates the installation was
successful, click *OK*.

*Note *If the security update is already installed on your computer,
you receive the following error message: *This update has already been
applied or is included in an update that has already been applied*.

*Client Installation File Information*

The English version of this update has the file attributes (or later)
that are listed in the following table. The dates and times for these
files are listed in coordinated universal time (UTC). When you view the
file information, it is converted to local time. To find the difference
between UTC and local time, use the *Time Zone* tab in the Date and Time
tool in Control Panel.

Office 2000 and Excel 2000:

Date Time Version Size File name
--------------------------------------------------------
09-Aug-2004 19:09 9.00.00.8924 7168045 Excel.exe

*Verifying Update Installation *

?

*Microsoft Baseline Security Analyzer*

To verify that a security update is installed on an affected system, you
may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool.
This tool allows administrators to scan local and remote systems for
missing security updates and for common security misconfigurations. For
more information about MBSA, visit the Microsoft Baseline Security
Analyzer Web site <http://go.microsoft.com/fwlink/?LinkId=21134>.

?

*File Version Verification*

*Note* Because there are several versions of Microsoft Windows, the
following steps may be different on your computer. If they are, see your
product documentation to complete these steps.

1.

Click *Start*, and then click *Search*.

2.

In the *Search Results pane*, click *All files and folders* under
*Search Companion*.

3.

In the *All or part of the file name box*, type a file name from the
appropriate file information table, and then click *Search*.

4.

In the list of files, right-click a file name from the appropriate file
information table, and then click *Properties*.

*Note* Depending on the version of the operating system or programs
installed, some of the files that are listed in the file information
table may not be installed.

5.

On the *Version* tab, determine the version of the file that is
installed on your computer by comparing it to the version that is
documented in the appropriate file information table.

* Note *Attributes other than file version may change during
installation. Comparing other file attributes to the information in the
file information table is not a supported method of verifying the update
installation. Also, in certain cases, files may be renamed during
installation. If the file or version information is not present, use one
of the other available methods to verify update installation.

Top of section <#EBCAUAA>Top of section <#EBCAUAA>
<javascript:Toggle('s3l3-EACAUAA')> <javascript:Toggle('s3l3-EACAUAA')>


Administrative Installation Information
<javascript:Toggle('s3l3-EACAUAA')>

<javascript:Toggle('s3l3-EACAUAA')>

If you installed your application from a server location, the server
administrator must update the server location with the administrative
update and deploy that update to your computer.

*Installation Information *

The following setup switches are relevant to administrative
installations as they allow an administrator to customize the manner in
which the files are extracted from within the security update:

/*?* Displays the command line options

/*Q* Specifies quiet mode, or suppresses prompts, when files are
being extracted.

/*T*: *<full path>* Specifies the target folder for extracting files.

/*C* Extracts the files without installing them. If /*T*: path is not
specified, you are prompted for a target folder.

/*C*: *<Cmd>* Override Install Command defined by author. Specifies
the path and name of the Setup .inf or .exe file.

For additional information about the supported setup switches, see
Microsoft Knowledge Base Article 197147
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;197147>.

*Administrative Deployment Information*

To update your administrative installation please perform the following
procedure:

1.

Download the administrative version of this security update
<http://download.microsoft.com/download/b/0/3/b03abaa0-dd54-4223-b43e-130d338678b1/office2000-kb873372-fullfile-enu.exe>.

2.

Click *Save this program to disk*, and then click *OK*.

3.

Click *Save*.

4.

Using Windows Explorer, locate the folder that contains the saved file
and run the following command line to extract the .msp file:

/ [path\name of EXE file]/ /c /t:C:\AdminUpdate

*Note* Double-clicking the .exe file does not extract the .msp file; it
applies the update to the local computer. In order to update an
administrative image, you must first extract the .msp file.

1.

Click *Yes* to accept the License Agreement.

2.

Click *Yes* if you are prompted to create the folder.

3.

If you are familiar with the procedure for updating your administrative
installation, click *Start*, and then click *Run*. Type the following
command in the *Open* box:

msiexec /a Admin Path\MSI File /p C:\adminUpdate\MSP File
SHORTFILENAMES=TRUE

Where Admin Path is the path of your administrative installation point
for your application (for example, C:\Office2000), MSI File is the .msi
database package for the application (for example, Data1.msi), and MSP
File is the name of the administrative update (for example, SHAREDff.msp).

*Note *You can append /*qb+* to the command line so that the
*Administrative Installation* dialog box and the *End User License
Agreement* dialog box do not appear.

1.

Click *Next* in the provided dialog box. Do not change your CD Key,
installation location, or company name in the provided dialog box.

2.

Click *I accept the terms in the License Agreement*, and then click
*Install*.

At this point, your administrative installation point is updated. Next,
you must update the workstations that were originally installed from
this administrative installation. To do this, please review the
Workstation Deployment section. Any new installations that you run from
this administrative installation point will include the update.

*Warning *Any workstation that was originally installed from this
administrative installation before you installed the update cannot use
this administrative installation for actions like repairing Office or
adding new features until you complete the steps in the Workstation
Deployment section for this workstation.

*Workstation Deployment Information *

To deploy the update to the client workstations, click *Start*, and then
click *Run*. Type the following command in the *Open* box:

msiexec /i Admin Path\MSI File /qb REINSTALL=Feature List REINSTALLMODE=vomu

where Admin Path is the path of your administrative installation point
for your application (for example, C:\Office2000), MSI File is the ,msi
database package for the application (for example, Data1.msi), and
Feature List is the list of feature names (case sensitive) that must be
reinstalled for the update. To install all features, you can use
*REINSTALL=ALL*.

*Note* Administrators working in managed environments can find complete
resources for deploying Office updates in an organization on the Office
Admin Update Center
<http://www.microsoft.com/office/ork/updates/default.htm>. On the home
page of that site, look in the *Update Strategies* section for the
software version you are updating. The Windows Installer Documentation
<http://go.microsoft.com/fwlink/?LinkId=21685> also provides additional
information about the parameters supported by the Windows Installer.

*Administrative Installation File Information*

The English version of this update has the file attributes (or later)
that are listed in the following table. The dates and times for these
files are listed in coordinated universal time (UTC). When you view the
file information, it is converted to local time. To find the difference
between UTC and local time, use the *Time Zone* tab in the Date and Time
tool in Control Panel.

Office 2000 and Excel 2000:

Date Time Version Size File name
----------------------------------------------------------
09-Aug-2004 19:09 9.00.00.8924 7168045 Excel.exe

*Verifying Update Installation *

?

*Microsoft Baseline Security Analyzer*

To verify that a security update is installed on an affected system, you
may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool.
This tool allows administrators to scan local and remote systems for
missing security updates and for common security misconfigurations. For
more information about MBSA, visit the Microsoft Baseline Security
Analyzer Web site <http://go.microsoft.com/fwlink/?LinkId=21134>.

?

*File Version Verification*

*Note* Because there are several versions of Microsoft Windows, the
following steps may be different on your computer. If they are, see your
product documentation to complete these steps.

?

Click *Start*, and then click *Search*.

?

In the *Search Results pane*, click *All files and folders* under
*Search Companion*.

?

In the *All or part of the file name box*, type a file name from the
appropriate file information table, and then click *Search*.

?

In the list of files, right-click a file name from the appropriate file
information table, and then click *Properties*.

*Note* Depending on the version of the operating system or programs
installed, some of the files that are listed in the file information
table may not be installed.

?

On the *Version* tab, determine the version of the file that is
installed on your computer by comparing it to the version that is
documented in the appropriate file information table.

* Note *Attributes other than file version may change during
installation. Comparing other file attributes to the information in the
file information table is not a supported method of verifying the update
installation. Also, in certain cases, files may be renamed during
installation. If the file or version information is not present, use one
of the other available methods to verify update installation.

Top of section <#EACAUAA>Top of section <#EACAUAA>
Top of section <#ECAUAA>Top of section <#ECAUAA>
<javascript:Toggle('s3l2-EBAUAA')> <javascript:Toggle('s3l2-EBAUAA')>


Excel v. X for Mac <javascript:Toggle('s3l2-EBAUAA')>

<javascript:Toggle('s3l2-EBAUAA')>

*Prerequisites*

This security update requires Excel v. X for Mac Versions 10.0 through
10.1.5 to be installed..

*Installation Information*

*Restart Requirement*

This update does not require you to restart your computer.

*Removal Information*

This update cannot be uninstalled.

*Verifying Update Installation*

To verify that a security update is installed on an affected system,
please perform the following steps:

1.

Navigate to the Application Binary (*Applications/Microsoft Office
X/Microsoft Excel*).

2.

Click on the application

3.

Select *File* then *Get Info*

If the Version number reads 10.1.6, the update has been successfully
installed.

Top of section <#EBAUAA>Top of section <#EBAUAA>
<javascript:Toggle('s3l2-EAAUAA')> <javascript:Toggle('s3l2-EAAUAA')>


Excel 2001 for Mac <javascript:Toggle('s3l2-EAAUAA')>

<javascript:Toggle('s3l2-EAAUAA')>

*Prerequisites*

This security update requires Excel 2001 for Mac Versions 9.0.0 through
9.0.4 to be installed.

*Installation Information*

*Restart Requirement*

This update does not require you to restart your computer.

*Removal Information*

This update cannot be uninstalled.

*Verifying Update Installation*

To verify that a security update is installed on an affected system,
please perform the following steps:

1.

Navigate to the Application Binary (:*Microsoft Office 2001:Microsoft
Excel*).

2.

Click on the application

3.

Select *File* then *Get Info*

If the Version number reads 9.0.5, the update has been successfully
installed.

Top of section <#EAAUAA>Top of section <#EAAUAA>
Top of section <#EAUAA>Top of section <#EAUAA>

*Acknowledgments*

Microsoft thanks <http://go.microsoft.com/fwlink/?LinkId=21127> the
following for working with us to help protect customers:

?

Brett Moore of Security-Assessment.com
</My%20Documents/Excel/FinderWebSite> for reporting the Excel
Vulnerability (CAN-2004-0846).

*Obtaining Other Security Updates:*

Updates for other security issues are available from the following
locations:

?

Security updates are available from the Microsoft Download Center
<http://go.microsoft.com/fwlink/?LinkId=21129>: You can find them most
easily by doing a keyword search for "security_patch".

?

Updates for consumer platforms are available from the Windows Update Web
site <http://go.microsoft.com/fwlink/?LinkId=21130>.

*Support: *

?

Customers in the U.S. and Canada can receive technical support from
Microsoft Product Support Services
<http://go.microsoft.com/fwlink/?LinkId=21131> at 1-866-PCSAFETY. There
is no charge for support calls that are associated with security updates.

?

International customers can receive support from their local Microsoft
subsidiaries. There is no charge for support that is associated with
security updates. For more information about how to contact Microsoft
for support issues, visit the International Support Web site
<http://go.microsoft.com/fwlink/?LinkId=21155>.

*Security Resources: *

?

The Microsoft TechNet Security
<http://go.microsoft.com/fwlink/?LinkId=21132> Web site provides
additional information about security in Microsoft products.

?

Microsoft Software Update Services
<http://go.microsoft.com/fwlink/?LinkId=21133>

?

Microsoft Baseline Security Analyzer
<http://go.microsoft.com/fwlink/?LinkId=21134> (MBSA)

?

Windows Update <http://go.microsoft.com/fwlink/?LinkId=21130>

?

Windows Update Catalog: For more information about the Windows Update
Catalog, see Microsoft Knowledge Base Article 323166
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166>.

?

Office Update <http://go.microsoft.com/fwlink/?LinkId=21135>

*Software Update Services:*

By using Microsoft Software Update Services (SUS), administrators can
quickly and reliably deploy the latest critical updates and security
updates to Windows 2000 and Windows Server 2003-based servers, and to
desktop systems that are running Windows 2000 Professional or Windows XP
Professional.

For more information about how to deploy this security update with
Software Update Services, visit the Software Update Services Web site
<http://go.microsoft.com/fwlink/?LinkId=21133>.

*Systems Management Server:*

Microsoft Systems Management Server (SMS) delivers a highly-configurable
enterprise solution for managing updates. By using SMS, administrators
can identify Windows-based systems that require security updates and to
perform controlled deployment of these updates throughout the enterprise
with minimal disruption to end users. For more information about how
administrators can use SMS 2003 to deploy security updates, visit SMS
2003 Security Patch Management Web site
<http://go.microsoft.com/fwlink/?LinkId=22939>. SMS 2.0 users can also
use Software Updates Service Feature Pack
<http://go.microsoft.com/fwlink/?LinkId=33340> to help deploy security
updates. For information about SMS, visit the SMS Web site
<http://go.microsoft.com/fwlink/?LinkId=21158>.

*Note *SMS uses the Microsoft Baseline Security Analyzer and the
Microsoft Office Detection Tool to provide broad support for security
bulletin update detection and deployment. Some software updates may not
be detected by these tools. Administrators can use the inventory
capabilities of the SMS in these cases to target updates to specific
systems. For more information about this procedure, visit the following
Web site <http://go.microsoft.com/fwlink/?LinkId=33341>. Some security
updates require administrative rights following a restart of the system.
Administrators can use the Elevated Rights Deployment Tool (available in
the *SMS 2003 Administration Feature Pack*
<http://go.microsoft.com/fwlink/?LinkId=33387> and in the *SMS 2.0
Administration Feature Pack*
<http://go.microsoft.com/fwlink/?LinkId=21161>) to install these updates.

*Disclaimer: *

The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability
and fitness for a particular purpose. In no event shall Microsoft
Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply.

*Revisions:*

?

V1.0 (October 12, 2004): Bulletin published


Top of page <#top>Top of page <#top>


Manage Your Profile <http://go.microsoft.com/?linkid=317027> |Contact Us
</technet/contactus.mspx> |Newsletter
</technet/abouttn/subscriptions/flash_register.mspx>
©2004 Microsoft Corporation. All rights reserved. Terms of Use
<http://www.microsoft.com/info/cpyright.mspx> |Trademarks
</library/toolbar/3.0/trademarks/en-us.mspx> |Privacy Statement
<http://www.microsoft.com/info/privacy.mspx>
Microsoft

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close