The Excel 2000 and PowerPoint® 2000 SR-1 HTML Script Vulnerability Updates help eliminate a security vulnerability in the Excel 2000 and PowerPoint 2000 object models that could expose users to unsafe scripts when they view a Web page or HTML e-mail message. Once the updates are installed, Excel 2000 or PowerPoint 2000 can only be scripted if the Initialize and script ActiveX controls not marked as safe option in the Microsoft Internet Explorer Security Settings is set to Enable.

 Note    To use the Excel 2000 and PowerPoint 2000 SR-1 HTML Script Vulnerability Updates, you must have installed Office 2000 SR-1 or Office 2000 Service Release 1a (SR-1a). For additional information and the administrator version of this update, see Deploying Office 2000 Service Release 1 in the Office Resource Kit Journal.

Toolbox    The script vulnerability updates for Excel and PowerPoint consist of two separate Windows Installer patches (MSP files) packaged together in one downloadable in the Excel 2000 and PowerPoint 2000 SR-1 HTML Script Vulnerability Updates file. You can find this downloadable file on the Office 2000 Resource Kit Downloads page.

Applying the HTML Script Vulnerability Updates to an administrative installation point

Two separate update files are included in the one downloadable file:

• Oqfe7752.msp is a 422 KB file that updates PowerPoint 2000 registry settings.
• Oqfe7779_Admin.msp is a 4,808 KB file that updates files in Excel 2000.

Administrators will need to apply both .MSP files to their administrative installation points.

To add the HTML script vulnerability update to an administrative installation point

1. Download Addin_a.exe and double-click the file name to extract the administrative update files (Oqfe7779_Admin.msp and Oqfe7752.msp).
2. Connect to the server share for the administrative installation point.

   You must have write access to the administrative installation point on the server and the appropriate privileges to carry out the task.

3. On the Start menu, click Run and then type the command line for Windows Installer with the appropriate options for the update. You will need to repeat this step twice, once for each of the updates (.MSP) files. Use the following syntax:

   [start] msiexec /p [path\name of update MSP file] /a [path\name of MSI file] SHORTFILENAMES=TRUE /qb /L* [path\name of log file]

The following table describes the command-line options.

Updating client computers from an administrative installation point

After you update your administrative installation point, you must perform a recache and repair on existing client computers that use the administrative image. Any new client installations from the administrative installation point will automatically include the updated version of the HTML script vulnerability update.

To update an existing client installation from an administrative installation point, run the following command line on the client computer:

start msiexec /i [path to updated .msi file on the administrative image] REINSTALL=[list of features] REINSTALLMODE=vomus

You can run this command line by creating a log-on script, distributing it as a batch file, deploying it via Systems Management Server, or using other means according to your practice. The options for this command line are as follows.

For the HTML script vulnerability update, the variable [list of features] should be replaced with the following value:

EXCELFiles,PPTFiles

If you are uncertain about the feature list for your situation, you can substitute the option REINSTALL=ALL to reinstall all components on the client computer.

 Note    If you originally installed Excel 2000 and PowerPoint 2000 on a client computer from an administrative installation point, you must follow the recache and repair procedure described above to update that client. If you update the client directly by using the end-user patch from the Office Update Web site, the client and administrative images will become out-of-sync, which may cause future updates to fail.

Applying the HTML script vulnerability update under Windows 2000

If your administrative installation point and all of your client computers are running Windows 2000, you can use IntelliMirror to manage the installation of the script vulnerability upgrade.

 Note    Be sure to test all software updates in a controlled setting before modifying your administrative installation point or deploying the new version throughout your organization.

To deploy a QFE fix or update under Windows 2000

1. Apply the update or patch (.MSP file) to the original Office administrative installation point.
2. Open the Software Installation snap-in within the Group Policy Object (GPO) that you are using to manage the existing Office installation.
3. In the details pane, right-click the Office package, point to All Tasks, and click Redeploy application.
4. The next time the Group Policy is applied to the designated users or computers, the updated files are copied to their computers.

 Note    You can redeploy a package only if it is being managed by Group Policy — that is, only if you originally installed it by using IntelliMirror software installation and maintenance or if you brought it into a managed state under Windows 2000.

Related links

To learn more about the Excel 2000 and PowerPoint 2000 SR-1 HTML Script Vulnerability Update, see the MS00-049: Frequently Asked Questions.

Additional information can be found in the Microsoft Knowledge Base:

• Article (Q268457) PPT2000: Update Available for HTML Script Vulnerability pertains to security vulnerabilities in PowerPoint.
• Article (Q268365) XL2000: Update Available for HTML Script Vulnerability provides additional information about the script vulnerability in Excel.