Office 2000 Resource Kit
Microsoft Web Client Security Update
 

The Web Extender Client (WEC) is a component that ships as part of Microsoft Office 2000, Microsoft Windows® 2000, and Microsoft Windows Millennium (Windows Me). WEC allows Microsoft Internet Explorer to view and publish files via web folders, similar to viewing and adding files in a directory through Windows Explorer. Due to an implementation flaw, WEC does not respect the Internet Explorer security settings regarding when Windows NT Challenge/Response (NTLM) authentication will be performed. Instead, WEC will perform NTLM authentication with any server that requests it.

If a user is coerced into establishing a session with a malicious user's Web site — either by browsing to the site or by opening an HTML mail that initiates a session with it — an application on the site could capture the user's NTLM credentials. The malicious user could then use an offline brute force attack to derive the password or, with specialized tools, could submit a variant of these credentials in an attempt to access protected resources.

The vulnerability would only provide the malicious user with the cryptographically protected NTLM authentication credentials of another user. It would not, by itself, allow a malicious user to gain control of another user's computer or to gain access to resources to which that user was authorized access. In order to leverage the NTLM credentials (or a subsequently cracked password), the malicious user would have to be able to remotely log on to the target system. However, best practices dictate that remote logon services be blocked at border devices, and if these practices were followed, they would help prevent an attacker from using the credentials to log on to the target system.


 Toolbox   The administrative version of the Web Client Security Update is available from the Office Resource Kit Web site. You can find this downloadable file on the Office 2000 Resource Kit Downloads page.


Applying the Web Client Security Update to an administrative installation point

The administrative update file for the Web Client Security Update is a Windows Installer patch (MSP file) you apply to your administrative share by using a command line with specific parameters.

To add the Web Client Security Update to an administrative installation point

  1. Download Fpwec_a.exe and double-click the file name to extract the administrative update file (FRONTPG_Admin.msp).
  2. Connect to the server share for the administrative installation point.

    You must have write access to the administrative installation point on the server and the appropriate privileges to carry out the task.

  3. On the Start menu, click Run and then type the command line for Windows Installer with the appropriate options for the Web Client Security Update. Use the following syntax:

    [start] msiexec /p [path\name of update MSP file] /a [path\name of MSI file] SHORTFILENAMES=TRUE /qb /L* [path\name of log file]

The following table describes the command-line options.

| Command-line option | Description |
| --- | --- |
| [start] | Required only for Windows 95 or 98 systems where Msiexec is not directly in the path. |
| msiexec | Executable file name for Windows Installer. |
| /p | Enables Windows Installer to apply an update to an existing installation. |
| [path\name of update MSP file] | Path and file name of the Web Client Security Update (MSP file) from the Office Resource Kit Toolbox. |
| /a | Enables Windows Installer to perform an administrative installation of a product on a network share. |
| SHORTFILENAMES=TRUE | Directs Windows Installer to create all file names and folders with MS-DOS-compatible file names, as used on Office 2000 Disc 1. Required when you run Windows Installer from the command line. |
| /qb | Sets the user interface to the basic level (simple progress and error handling). |
| /L* | Turns on logging and sets a path for the log file. The * flag causes the switch to log all information. |
| [path\name of log file] | Path and file name of the Windows Installer log file. |
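
The command line from step 3, wrapped in a batch file that checks its inputs and the Windows Installer exit code. This is an added example, not part of the original Resource Kit page. The share path, the MSI file name (PRODUCT.msi), the local folder and the log file name are placeholders, and the script assumes cmd.exe on Windows 2000 or later.

```bat
@echo off
rem Added example: apply the Web Client Security Update (FRONTPG_Admin.msp)
rem to an administrative installation point and check the result.
rem All paths and PRODUCT.msi are placeholders; replace them with your own.
setlocal

set "ADMIN_MSI=\\SERVER\SHARE\Office2000\PRODUCT.msi"
set "UPDATE_MSP=C:\Patches\FRONTPG_Admin.msp"
set "LOGFILE=C:\Patches\wec_admin_update.log"

rem Stop early if the extracted MSP or the administrative MSI is missing.
if not exist "%UPDATE_MSP%" (
    echo Update file not found: %UPDATE_MSP%
    exit /b 2
)
if not exist "%ADMIN_MSI%" (
    echo Administrative MSI not found: %ADMIN_MSI%
    exit /b 2
)

rem Step 2 requires write access to the share: prove it before patching
rem by creating and deleting an empty file next to the MSI.
for %%I in ("%ADMIN_MSI%") do set "ADMIN_DIR=%%~dpI"
copy /y nul "%ADMIN_DIR%wec_write_test.tmp" >nul 2>&1
if errorlevel 1 (
    echo No write access to %ADMIN_DIR%
    exit /b 3
)
del "%ADMIN_DIR%wec_write_test.tmp"

rem Same options as the documented syntax; start /wait blocks until
rem Windows Installer finishes so its exit code can be tested.
start /wait msiexec /p "%UPDATE_MSP%" /a "%ADMIN_MSI%" SHORTFILENAMES=TRUE /qb /L* "%LOGFILE%"
set "RC=%ERRORLEVEL%"

rem 0 = success, 3010 = success but a restart is required.
if "%RC%"=="0" goto ok
if "%RC%"=="3010" goto ok
echo Update failed with exit code %RC%. Review %LOGFILE%
exit /b %RC%

:ok
echo Administrative image updated (exit code %RC%). Log: %LOGFILE%
exit /b 0
```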

Updating client computers from an administrative installation point

After you update your administrative installation point, you must perform a recache and repair on existing client computers that use the administrative image. Any new client installations from the administrative installation point will automatically include the updated version of the Web Extender Client.

To update an existing client installation from an administrative installation point, run the following command line on the client computer:

start msiexec /i [path to updated .msi file on the administrative image] REINSTALL=[list of features] REINSTALLMODE=vomus

You can run this command line by creating a logon script, distributing it as a batch file, deploying it via Systems Management Server, or using other means according to your practice. The options for this command line are as follows.

| Command-line option | Description |
| --- | --- |
| [start] | Required only for Windows 95 or 98 systems where Msiexec is not directly in the path. |
| Msiexec | Executable file name for Windows Installer. |
| /I | Enables Windows Installer to apply an update to an existing installation. |
| [path to updated .msi file on the administrative image] | Path and file name of the Microsoft Installer (.MSI) file on the administrative installation point. |
| REINSTALL=[list of features] | Specifies whether you want to reinstall specific features or reinstall all applications on the administrative image. |
| REINSTALLMODE=vomus | Triggers the recache and reinstallation on the client computer. |

For the Web Client Security Update, the variable [list of features] should be replaced with the following value:

WebPublFiles

If you are uncertain about the feature list for your situation, you can substitute the option REINSTALL=ALL to reinstall all components on the client computer.
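
The client recache and repair as a batch file suitable for a logon script, so that it runs once per computer and records failures. This is an added example, not part of the original Resource Kit page. The share path, PRODUCT.msi, the marker file and the log location are placeholders, the /qb and /L* options are carried over from the administrative command line, and the script assumes cmd.exe on Windows 2000 or later.

```bat
@echo off
rem Added example: recache and repair one client from the updated
rem administrative image, reinstalling only the WebPublFiles feature.
rem Paths, PRODUCT.msi and the marker file are placeholders.
setlocal

set "ADMIN_MSI=\\SERVER\SHARE\Office2000\PRODUCT.msi"
rem The marker must be writable by the account that runs this script.
set "MARKER=%SystemRoot%\wec_update_done.txt"
set "LOGFILE=%TEMP%\wec_client_update.log"

rem A logon script runs at every logon; skip clients already repaired.
if exist "%MARKER%" exit /b 0

rem The recache reads from the administrative image, so it must be reachable.
if not exist "%ADMIN_MSI%" (
    echo Administrative image not reachable: %ADMIN_MSI%
    exit /b 2
)

rem REINSTALLMODE=vomus triggers the recache and reinstallation.
start /wait msiexec /i "%ADMIN_MSI%" REINSTALL=WebPublFiles REINSTALLMODE=vomus /qb /L* "%LOGFILE%"
set "RC=%ERRORLEVEL%"

rem 0 = success, 3010 = success but a restart is required.
if "%RC%"=="0" goto done
if "%RC%"=="3010" goto done
echo Recache failed with exit code %RC%. Review %LOGFILE%
exit /b %RC%

:done
rem Record completion so the next logon does not repeat the repair.
>"%MARKER%" echo %DATE% %TIME% msiexec exit code %RC%
exit /b 0
```

Clients without a marker file after the rollout window are the ones still running the unpatched Web Extender Client.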


 Note   If you originally installed Office 2000 on a client computer from an administrative installation point, you must follow the recache and repair procedure described above to update that client. If you update the client directly by using the end-user patch from the Office Update Web site, the client and administrative images will become out-of-sync, which may cause future updates to fail.


Applying the Web Client Security Update under Windows 2000

If your administrative installation point and all of your client computers are running Windows 2000, you can use IntelliMirror® to manage the installation of the security update.


 Note   Be sure to test all software updates in a controlled setting before modifying your administrative installation point or deploying the new version throughout your organization.


To deploy a QFE fix or update under Windows 2000

  1. Apply the update or patch (MSP file) to the original Office administrative installation point.
  2. Open the Software Installation snap-in within the Group Policy Object (GPO) that you are using to manage the existing Office installation.
  3. In the details pane, right-click the Office package, point to All Tasks, and click Redeploy application.

    The next time the Group Policy is applied to the designated users or computers, the updated files are copied to their computers.


 Note   You can redeploy a package only if it is being managed by Group Policy — that is, only if you originally installed it by using IntelliMirror software installation and maintenance or if you brought it into a managed state under Windows 2000.


Related links

For information on the version of the Web Client Security Update for stand-alone computers, see Office 2000 Update: Service Pack 3 (SP3) on Microsoft Office Update. For general information on using transforms, see How to Use a Transform with Office Setup in the Office 2000 Resource Kit.
