[thelist] [Fwd: Microsoft Security Bulletin (MS00-034)]
Anthony Baratta
Anthony at Baratta.com
Sat May 13 02:05:51 2000
Very serious if you are using Office 2000. Get the patch.
Microsoft Product Security wrote:
>
> The following is a Security Bulletin from the Microsoft Product Security
> Notification Service.
>
> Please do not reply to this message, as it was sent from an unattended
> mailbox.
> ********************************
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Microsoft Security Bulletin (MS00-034)
> - --------------------------------------
>
> Patch Available for "Office 2000 UA Control" Vulnerability
>
> Originally Posted: May 12, 2000
>
> Summary
> =======
> Microsoft has released a patch that eliminates a security
> vulnerability in Microsoft(r) Office 2000 and Office 2000 family
> members. The vulnerability could allow a malicious web site operator
> to take inappropriate action on the computer of a user who visited his
> web site.
>
> Frequently asked questions regarding this vulnerability
> and the patch can be found at
> http://www.microsoft.com/technet/security/bulletin/fq00-034.asp
>
> Issue
> =====
> An ActiveX control that ships as part of Office 2000 is incorrectly
> marked as "safe for scripting". This control, the Office 2000 UA
> Control, is used by the "Show Me" function in Office Help, and allows
> Office functions to be scripted. A malicious web site operator could
> use the control to carry out Office functions on the machine of a user
> who visited his site.
>
> The control ships only as part of Office 2000 (and Office 2000 family
> members, as listed below). The patch removes all unsafe functionality,
> with the result that the "Show Me" function will be disabled in Office
> 2000.
>
> Affected Software Versions
> ==========================
> - Office 2000
>
> Note: The products in the Office suite also are available for purchase
> separately. The control ships as part of the following such products:
> - Word 2000
> - Excel 2000
> - PowerPoint 2000
> - Access 2000
> - PhotoDraw 2000
> - FrontPage 2000
> - Project 2000
> - Publisher 2000
> - Outlook 2000
> - Works 2000 Suite
>
> Patch Availability
> ==================
> - http://officeupdate.microsoft.com/info/ocx.htm
>
> NOTE: Additional security patches are available at the Microsoft
> Download Center
>
> More Information
> ================
> Please see the following references for more information related to
> this issue.
> - Frequently Asked Questions: Microsoft Security Bulletin MS00-034,
> http://www.microsoft.com/technet/security/bulletin/fq00-034.asp
> - Microsoft Knowledge Base article Q262767 discusses this issue and
> will be available soon.
> - Microsoft TechNet Security web site,
> http://www.microsoft.com/technet/security/default.asp
>
> Obtaining Support on this Issue
> ===============================
> This is a fully supported patch. Information on contacting Microsoft
> Technical Support is available at
> http://support.microsoft.com/support/contact/default.asp.
>
> Acknowledgments
> ===============
> Microsoft thanks Dildog of the @Stake, Inc. L0pht Research Labs for
> reporting this vulnerability to us and working with us to protect
> customers.
>
> Revisions
> =========
> - May 12, 2000: Bulletin Created.
>
> - -----------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
> "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
> WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
> SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
> WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
> OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
> OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
> SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
> CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
> NOT APPLY.
>
> Last updated May 12, 2000
>
> (c) 2000 Microsoft Corporation. All rights reserved. Terms of use.
>
> To verify the digital signature on this bulletin, please download our PGP
> key at http://www.microsoft.com/technet/security/notify.asp.
>
> For more information on the Microsoft Security Notification Service
> please visit http://www.microsoft.com/technet/security/notify.asp. For
> security-related information about Microsoft products, please visit the
> Microsoft Security Advisor web site at http://www.microsoft.com/security.