Word 2000 SR-1a and Word 97 RTF Security Updates
 

The Word 2000 SR-1a and Word 97 RTF Security updates correct a vulnerability that could potentially allow unauthorized code to run in RTF-format documents without warning.

The vulnerability can occur when a user opens an RTF document that is attached to a template that contains macros. A hacker could potentially write code in these macros to damage or retrieve data from the user's system.

By applying the Word RTF updates, you can prevent code attached to Word RTF documents from running on a user's computer without explicit authorization.

Two separate patches are available — one for Microsoft® Word 2000 and one for Word 97. While the Word 2000 update will be made available for all supported languages, the Word 97 update is available only for English.


 Toolbox   The Word 2000 SR-1a RTF Security Update administrative update is now available. You can find this downloadable file on the Office 2000 Resource Kit Downloads page.


The following procedures describe how to apply the updates to your administrative installation points. Separate procedures are provided for Word 2000 SR-1a and Word 97.

Applying the Word 2000 SR-1a RTF Security Update to an administrative installation point

The administrative update file for the Word 2000 SR-1a RTF Security Update is a Windows Installer patch (MSP file) that you apply to your administrative share by using a command line with specific parameters.

Before installing the version for Word 2000, you must first ensure that the computers have been upgraded to Office 2000 Service Release 1a (SR-1a).

 Note   For best results, the update files should be applied from the console of the computer containing the administrative installation point. Make sure that the files on the share point are not in use when the updates are being applied. If there are multiple shares, you can replace the other administrative installation points with the updated administrative installation point after backing up any custom transform, Setup.ini, or other files on the share points.

To apply the Word 2000 SR-1a RTF Security Update to an administrative installation point

  1. Download Wd2kmc_a.exe and double-click the file name to extract the administrative update file (Winword_Admin.msp).
  2. Connect to the server share for the administrative installation point.

    You must have write access to the administrative installation point on the server and the appropriate privileges to carry out the task.

  3. On the Start menu, click Run, and then type the command line for Windows Installer with the appropriate options for the Word 2000 SR-1a RTF Security Update. Use the following syntax:

    [start] msiexec /p [path\name of update MSP file] /a [path\name of MSI file] SHORTFILENAMES=TRUE /qb /L* [path\name of log file]

You will need to run the command line separately for each MSP file you apply to the administrative installation point — you cannot reference multiple MSP files on the same command line. The following table describes the command-line options.

| Command-line option | Description |
| --- | --- |
| [start] | Required only for Windows 95 or 98 systems where Msiexec is not directly in the path. |
| msiexec | Executable file name for Windows Installer. |
| /p | Enables Windows Installer to apply an update to an existing installation. |
| [path\name of update MSP file] | Path and file name of the MSP file for the files you want to update. For a list of MSP file names, refer to the table earlier in this document. |
| /a | Enables Windows Installer to perform an administrative installation of a product on a network share. |
| SHORTFILENAMES=TRUE | Directs Windows Installer to create all file names and folders with MS-DOS compatible file names, as used on Office 2000 Disc 1. Required when you run Windows Installer from the command line. |
| /qb | Sets the user interface to the basic level (simple progress and error handling). This switch is optional on the command line. |
| /L* | Turns on logging and sets a path for the log file. The * flag causes the switch to log all information. This switch is optional on the command line. |
| [path\name of log file] | Path and file name of the Windows Installer log file. |

Updating client computers from an administrative installation point

After you update your administrative installation point, you must perform a recache and repair on existing client computers that use the administrative image. Any new client installations from the administrative installation point will automatically include the updated version of Word.

To update an existing client installation from an administrative installation point, run the following command line on the client computer:

start msiexec /i [path to updated .msi file on the administrative image] REINSTALL=[list of features] REINSTALLMODE=vomus /q

You can run this command line by creating a logon script, distributing it as a batch file, deploying it via Systems Management Server, or using other means according to your practice. The options for this command line are as follows.

| Command-line option | Description |
| --- | --- |
| [start] | Required only for Windows 95 or 98 systems where Msiexec is not directly in the path. |
| Msiexec | Executable file name for Windows Installer. |
| /I | Enables Windows Installer to apply an update to an existing installation. |
| [path to updated .msi file on the administrative image] | Path and file name of the Microsoft Installer (.MSI) file on the administrative installation point. |
| REINSTALL=[list of features] | Specifies whether you want to reinstall specific features or reinstall all applications on the administrative image. |
| REINSTALLMODE=vomus | Triggers the recache and reinstallation on the client computer. |
| /q | Option argument for Quiet mode. Suppresses the End User License Agreement dialog box so Administrators or end users will not be prompted by this dialog box. |

For the Word 2000 SR-1a RTF Security Update, the variable [list of features] should be replaced with the following value:

WORDFiles

Optionally, you can substitute the parameter REINSTALL=ALL to reinstall all components on the client computer.


 Note   If you originally installed Office 2000 on a client computer from an administrative installation point, you must follow the recache and repair procedure described above to update that client. If you update the client directly by using the end-user patch from the Office Update Web site, the client and administrative images will become out of sync, which may cause future updates to fail.
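
The two command lines above, filled in and wrapped in a batch file that checks the Windows Installer exit code. This is an added example, not a script supplied by Microsoft or taken from the original page. The share path, the MSI file name (data1.msi), the working and log folders, and the use of Windows NT/2000 cmd.exe are assumptions; the msiexec options are the ones documented in the tables above.

```batch
@echo off
rem Added example; not Microsoft's script. Assumes Windows NT/2000 cmd.exe.
setlocal

rem Constructed placeholder values (assumptions); replace with your own.
set ADMINMSI=\\server\office2k\data1.msi
set MSP=C:\patch\Winword_Admin.msp
set LOGDIR=C:\logs

if /i "%1"=="admin" goto admin
if /i "%1"=="client" goto client
echo Usage: %0 admin ^| client
exit /b 2

:admin
rem Run at the console of the server that holds the share, with no files in use.
rem Only one MSP file can be referenced per command line.
start /wait msiexec /p "%MSP%" /a "%ADMINMSI%" SHORTFILENAMES=TRUE /qb /L* "%LOGDIR%\wordrtf_admin.log"
set RC=%ERRORLEVEL%
goto report

:client
rem Recache and repair only the Word files from the updated administrative image.
rem /L* is added here so that a failed quiet-mode repair leaves a log behind.
start /wait msiexec /i "%ADMINMSI%" REINSTALL=WORDFiles REINSTALLMODE=vomus /q /L* "%LOGDIR%\wordrtf_client.log"
set RC=%ERRORLEVEL%
goto report

:report
rem 0 = success; 3010 = success, but a restart is required.
if "%RC%"=="0" goto ok
if "%RC%"=="3010" goto ok
echo msiexec failed with exit code %RC%. See the log in %LOGDIR%.
exit /b 1

:ok
echo msiexec finished with exit code %RC%.
exit /b 0
```

Run it with the argument admin once on the server, then with the argument client on each existing client, for example from a logon script.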


Applying the Word 2000 SR-1a RTF Security Update under Windows 2000

If your administrative installation point and all of your client computers are running Microsoft® Windows 2000, you can use IntelliMirror® technology to manage the installation of the security update.


 Note   Be sure to test all software updates in a controlled setting before modifying your administrative installation point or deploying the new version throughout your organization.


To deploy a QFE fix or update under Windows 2000

  1. Apply the updates (MSP files) to the original Office administrative installation point.

    You will need to run the command line separately for each MSP file you apply to the administrative installation point — you cannot reference multiple MSP files on the same command line.

  2. Open the Software Installation snap-in within the Group Policy Object (GPO) that you are using to manage the existing Office installation.
  3. In the details pane, right-click the Office package, point to All Tasks, and click Redeploy application.

    The next time the Group Policy is applied to the designated users or computers, the updated files are copied to their computers.


 Note   You can redeploy a package only if it is being managed by Group Policy — that is, only if you originally installed it by using IntelliMirror software installation and maintenance or if you brought it into a managed state under Windows 2000.


Applying the Word 97 RTF Security Update

The Word 97 RTF Security Update can be installed on a network administrative installation point or a stand-alone computer. Before installing the update, you should make sure that the computer has first been upgraded to Office 97 SR-2.

To install the update on an administrative share, you'll need privileges to write to the network directory where the Word 97 executable resides.

To update a Word 97 administrative installation point

  1. Download Wd97mcrs.exe and copy it to a working directory on your computer.
  2. Run Wd97mcrs.exe to install the update.
  3. When you run the update file, the update will first display a license agreement. Click Yes to accept the agreement and continue.

  4. Open the INF file for the application, search for each of the updated files, and then update the version number information. The updated files and version numbers are as follows:

| File name | Setting |
| --- | --- |
| Winword.exe | 8.00.00.8909 |
| Wwintl32.dll | 8.00.00.8909 |
| Wrd6ex32.dll | 2000.3.16.0 |

Updating Word 97 client computers from an administrative installation point

To update client computers running Word 97, you can either apply the end-user patch directly to the client, or update the client from the administrative installation point.

The following procedures describe how to update client computers from an administrative installation point. For information on updating a client computer directly, see the Office Update Web site.

To install Word 97 on a client computer from an updated administrative installation point

  1. From the client computer, connect to the administrative installation point and start Office 97 Setup.
  2. Start the Microsoft Office 97 Setup program, and when prompted, choose the Reinstall option.
  3. Office Setup checks for necessary disk space, then installs the updated version of Word 97 from the administrative installation point.

Related links

For information on deploying the Office 2000 SR-1a Update, see Deploying Office 2000 Service Release 1 in the Office Resource Kit Journal.

For more information on the Word 2000 SR-1a RTF Security Update, see Description of the history of Word 2000 updates in the Microsoft Knowledge Base.

© 2009 Microsoft Corporation. All rights reserved.