The Microsoft Office 2000 UA ActiveX control is incorrectly marked as "safe for scripting". This vulnerability may allow an intruder to disable macro warnings in Office products and, subsequently, execute arbitrary code. This vulnerability may be exploited by viewing an HTML document via a web page, newsgroup posting, or email message.
Microsoft and L0pht Research Labs have recently published advisories describing a vulnerability in the Microsoft Office 2000 UA ActiveX control. Due to the severity of this vulnerability, we are issuing a CERT advisory to help reach as broad an audience as possible.
More information about ActiveX and COM can be found at
The Microsoft Office 2000 UA ActiveX Control
The UA ActiveX control implements the "Show Me" feature of the interactive help system. Because the control is incorrectly marked "safe for scripting", a malicious web author may use the UA ActiveX control to script interactions that result in reduced security, such as activating the dialog box for "Macro Security Setting" and selecting the least secure choice. The control is correctly signed by Microsoft.
Other Advisories and Information
L0pht Research Labs and @Stake Inc. published an advisory describing this vulnerability. They also produced a proof-of-concept exploit. These documents are available from the L0pht web site:
Microsoft has published a security bulletin, an FAQ, and a knowledgebase article describing this vulnerability. These documents are available from Microsoft's web site:
The Office 2000 UA control is able to perform a wide variety of actions within the Microsoft Office Product Suite, including
Perhaps the most significant impact is the ability to set Macro Virus Protection to "Low", disabling warnings about malicious macro activity in future documents. An intruder can exploit this vulnerability to disable these warnings and then link directly to another Office document that contains malicious macros. The macros in the second document will run without confirmation and may take essentially any action desired by the intruder.
Calls to the vulnerable control may originate in script or OBJECT tags in web pages, newsgroup postings, or email messages.
As suggested by L0pht, this virus could be incorporated into an electronic mail virus such as LoveLetter or Melissa. Note that exploitation of this vulnerability under the default configuration of Internet Explorer 5 and Microsoft Outlook 2000 does not require the user to open any attachments or confirm any warning dialogs.
Apply a patch
Limit Exposure to Vulnerability via Email
Since many e-mail applications provide the ability to start your web browser automatically, you may wish to reduce your exposure via mail messages by disabling scripting languages in your email client.
The Restricted Zone and Active Scripting
Microsoft suggests in their advisory to configure Outlook to view mail in the Restricted Zone. While this is certainly good advice, it is not sufficient to protect you from exploitation of this vulnerability if the patch for the Office 2000 UA control has not been applied.
Because the Restricted Zone still allows the execution of scripts, an intruder can send you an email message which when viewed starts Internet Explorer and immediately exploits the vulnerability. To protect against this scenario, and others like it, you may wish to disable Active Scripting in the Restricted Zone.
Instructions for changing Outlook to use the Restricted Zone are available in Microsoft's FAQ on this topic. Instructions for disabling Active Scripting in the Restricted Zone are similar to those at
Note that these changes may result in reduced functionality in Internet Explorer and Outlook.
Microsoft Outlook Security Update
Installing the Microsoft Outlook 2000 E-Mail Security Update will modify Outlook to use the Restricted Zone as suggested previously. It also limits which attachment file types are displayed in Outlook messages, and adds new prompts for accessing the address book or sending email messages. While none of these changes will protect you completely from the Office 2000 UA vulnerability described in this advisory, the update may significantly reduce the chance of the vulnerability being exploited successfully on your system by a worm propagating via Outlook.
More information about the Outlook 2000 E-Mail Security Update is available from
Other Email Clients
The CERT Coordination Center thanks L0pht Research Labs and @Stake for initially discovering and reporting this vulnerability. We also thank the Microsoft Security Team for their assistance in preparing this document.
This document was written by Cory F Cohen and Shawn Hernan.