J-Security Center

Title: Microsoft Office Web Components Active Script Execution Vulnerability

Severity: MODERATE

Description:

Microsoft Office Web Components (OWC) are a collection of ActiveX objects which provide limited Office functionality to web pages.

A vulnerability has been reported within some versions of the OWC Spreadsheet component. It is possible for a web page using this component to execute arbitrary Active Script code, even when Active Scripting has been disabled by the client.

This is possible through use of the HOST() formula within the Spreadsheet component, which allows script code to be associated with events of the OWC object. This has been demonstrated using the setTimeout method, although other vectors may be possible.

Reportedly this formula may also be used to manipulate the browser Document Object Model (DOM), with less severe consequences.

Affected Products:

  • Microsoft Back Office Server 2000 0.0.0
  • Microsoft BizTalk Server 2000 Developer Edition
  • Microsoft BizTalk Server 2000 Developer Edition 0.0.0 SP1a
  • Microsoft BizTalk Server 2000 Developer Edition 0.0.0 SP2
  • Microsoft BizTalk Server 2000 Enterprise Edition
  • Microsoft BizTalk Server 2000 Enterprise Edition 0.0.0 SP1a
  • Microsoft BizTalk Server 2000 Enterprise Edition 0.0.0 SP2
  • Microsoft BizTalk Server 2000 Standard Edition
  • Microsoft BizTalk Server 2000 Standard Edition 0.0.0 SP1a
  • Microsoft BizTalk Server 2000 Standard Edition 0.0.0 SP2
  • Microsoft BizTalk Server 2002 Developer Edition
  • Microsoft BizTalk Server 2002 Enterprise Edition
  • Microsoft Commerce Server 2000 0.0.0
  • Microsoft Commerce Server 2000 0.0.0 SP1
  • Microsoft Commerce Server 2000 0.0.0 SP2
  • Microsoft Commerce Server 2002 0.0.0
  • Microsoft ISA Server 2000 0.0.0
  • Microsoft ISA Server 2000 0.0.0 SP1
  • Microsoft Money 2002 0.0.0
  • Microsoft Money 2003 0.0.0
  • Microsoft Office 2000
  • Microsoft Office 2000 SP1
  • Microsoft Office 2000 SP2
  • Microsoft Office Web Components 2000 0.0.0
  • Microsoft Office Web Components 2002 0.0.0
  • Microsoft Office XP
  • Microsoft Project 2002
  • Microsoft Project Server 2002 0.0.0
  • Microsoft Small Business Server 2000 0.0.0
