COMMAND

    MS Office 2000

SYSTEMS AFFECTED

    Microsoft Word 2000, Microsoft Excel 2000 and Microsoft PowerPoint 2000

PROBLEM

    Following is  based on  a Microsoft  Security Bulletin (MS00-056).
    Jesper M. Johansson found this originally.  Microsoft Office  2000
    applications are  capable of  reading HTML  files saved  as Office
    documents.  A malformed data  object tag embedded in one  of these
    documents could cause  the Office application  to crash and  allow
    arbitrary code to be executed.

    In order for this behavior  to occur, a malicious user  would need
    to  entice  a  user  into  opening  the malformed Office document.
    Word 2000 users can protect themselves from opening malformed HTML
    documents within  Word by  enabling "Confirm  conversion at  Open"
    from the  Tools-Options-General tab.   In addition,  Outlook users
    who  have  applied  the  Outlook  Security Update will be prompted
    before opening web hosted or mail-borne Office documents.

    Office 2000  products other  than those  specifically listed above
    are not affected by this vulnerability.

SOLUTION

    Patch availability:

        http://officeupdate.microsoft.com/2000/downloadDetails/Of9data.htm

    Office 2000 SR-1 is required before this patch can be applied.