Slashdot Mirror


Microsoft Word Documents That "Phone Home"

ephraim writes "According to The Privacy Foundation, Microsoft Word documents have a 'feature' which allows the documents' creators to place web bugs within the documents that inform the author whenever somebody has opened the document via a web server's logging facilities. This 'feature' can also be used to set and view cookies on the reader's copy of Internet Explorer. The story can be found here. While this might be useful for tracking the distribution of confidential documents, it also raises serious red flags about privacy since most people probably aren't expecting their copy of MSWord to announce their reading habits every time they use it." Props to their CTO Richard M. Smith.

Here is what Microsoft had to say about it (emphasis added)...

Vendor Contact and Response

Microsoft was contacted about this issue on 8/4/00, and again on 8/25/00. They confirmed that Microsoft Word will access the Internet in order to fetch Web images that are linked to in a Word document. They went on to say that Word uses Internet Explorer to fetch images and therefore standard Web browser cookies can be both read and set from inside a Word document. However, the company claims that Word users can mitigate the use of cookies.

Regarding the potential use of Web bugs to track Word documents, Microsoft said that there is no evidence that such activities are occurring.


  1. This would happen with HTML documents too by donutello · · Score: 5

    If I distributed an HTML document which had references to images or other objects on some website, every user opening that HTML document would cause an access to that web site.

    --
    Mmmm.. Donuts
    1. Re:This would happen with HTML documents too by Erasmus Darwin · · Score: 3
      The difference is that embedded image tags within an HTML document are something that someone who's familiar with the technology expects. That's the whole point of a Hyper-Text Markup: it references other documents.

      Comparing a Word document retrieving arbitrary objects off the web to an HTML document retrieving arbitrary objects off the web is like comparing a shock from a defective toaster to a shock from sticking a fork in an outlet.

    2. Re:This would happen with HTML documents too by Shadowkiller · · Score: 5

      This may be totally offtopic, but I think this troll may be onto something. What if someone were to embed the DeCSS code into a Word macro virus? Just imagine the possibilities!

      Each time someone opens an infected document, it spreads copies of the code into all .doc files on the hard drive. Given all the mystery bloat that typically accompanies Word documents anyway, I doubt anyone would even notice.

      As an added bonus, the Outlook-enhanced version could also send copies to 50 people in the address book!

      Before long, if it circulates far enough, we might even be getting copies of DeCSS which were inadvertently sent directly to the MPAA themselves! Oh, sweet irony.

  2. Well, that makes me feel better. by tycage · · Score: 5
    Regarding the potential use of Web bugs to track Word documents, Microsoft said that there is no evidence that such activities are occurring.

    Since it's not happening now, it couldn't possibly start happening later. I've never seen a problem with a MicroSoft product be exploited weeks, months, even years after it was released. Now I'll be able to sleep at night.

    --Ty

  3. So let me get this straight. Word can:

    -Run arbitrary macros
    -Access your hardware
    -Access the Internet
    -Download and upload data
    -Set and send cookies

    I'm beginning to think Microsoft is right: They don't know the difference between an app and an OS.

    Just to spell it all out: A Word macro virus now has the ability to, say, infect all your existing Word files such that when you open one of those files the contents are sent to a named address on the Internet. Goodbye confidential documents!

    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
    1. Re:Um. by Myddrin · · Score: 3

      Easier than that: the word macro could just access the internet capabilities of IE3.0 and above and ftp a file where-ever you want.

      Since it's known that IE is installed on almost every machine (and that it's an activex component), it's just sooooo easy to, say, upload an entire harddrive to a given site....

      Or barring that, I'm sure there's some activex exploit that could be used to install the internet activex control that ships with vb (especially since activex controls signed by microsoft are automatically trusted until the user says they aren't anymore)... then the sky is the limit!

      --
      Myddrin
  4. This isn't much different than Web Pages already.. by LionKimbro · · Score: 4

    We shouldn't be too surprised; Web Pages are already like this.

    I remember the surprise that a friend of mine showed when I showed her "Apache Logs".

    Her first reply was, "HOW CAN I MAKE IT NOT DO THAT?!?"

    (This is a particularly paranoid friend of mine.)

    General rule of thumb: If you're doing something on the Internet, you're being logged.

    Do something useful: read "Transparent Society" and/or work on making yourself a more tolerant person, rather than fretting about your "privacy" (unaccountability).

  5. How hard is it by Rurik · · Score: 4

    On the topic of Word: How hard is it to just have a simple word processor package?
    WTF does Microsoft have to insist on throwing every single bell and whistle that the 1%'ers want into the mix? People want a small, reliable processor to type up homework and reports.
    They went on the right track with their installation process, which splits up Word into its vital components, and lets you choose which to install. But what good is that if it still installs components that you don't want, and don't trust on your machine (such as the topic)?

    1. Re:How hard is it by Zan Thrax · · Score: 3

      WTF does Microsoft have to insist on throwing every single bell and whistle that the 1%'ers want into the mix?

      Because those 1%ers are the ones who buy the upgrade as soon as it's available, and thus start the cycle of forcing others to upgrade to stay compatible with everyone else.

      --

      Intolerant people should be shot.
    2. Re:How hard is it by baka_boy · · Score: 4
      Microsoft, like any software design group, has the right to make a design choice favoring code reusability over security. In my opinion, though, they've screwed up here by not making clear to their users the potential implications of a choice made when designing the application. The "user friendly" interface and widespread distribution of Microsoft productivity applications contributes to their appearance of being "safe", while the flexibility of the components makes them very powerful.

      The average user of MS Office knows their way around the interface, and may even be able to throw together a few quick-and-dirty macros, but they are by no means an experienced object-oriented programmer, or a distributed systems designer. They will not expect to have to check every Word processing document they receive for potential security risks; nor will they automatically run any filtering or TCP/IP monitoring software. Hence, there will continue to be millions of computers compromised to attackers on a regular basis.

      I have little sympathy for system administrators who fail to take basic precautions like changing default passwords or disabling unneeded services -- that's their job, and they should know better. However, I don't expect the same level of diligence from an inexperienced user who's trying to view a business letter sent to them from outside the office. Microsoft distributes even their "basic" productivity applications with all the functionality of a basic operating system, makes that power easy to harness (for whatever purpose), and demonstrates little more to their average user than how easy it makes dragging and dropping a spreadsheet chart into a business report. That's irresponsible and misleading.

  6. Exactly by GMontag · · Score: 3

    If I distributed an HTML document which had references to images or other objects on some website, every user opening that HTML document would cause an access to that web site.

    And if you read *any* document with a ref to an outside object (like a one pixel .jpg) with *anything* that is web aware the exact same thing will happen.

    However, if you read the document in Wordpad or some other text only program you can avoid the effect. Makes for some pesky reading around markup and junk, but you will see the references to the web too.

    Visit DC2600

  7. What I'd like to know is by ch-chuck · · Score: 3

    what are those curious little dots that appear and disappear on /. as the page loads, like right above the banner ads?? Are we being web-bugged even as we talk about it?? :))

    However, looking at page source it looks like something to do w/ pagecount, but you got us wondering about any image w/ WIDTH=1 HEIGHT=1

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
    1. Re:What I'd like to know is by jamiemccarthy · · Score: 5
      We get this every so often. They're pagecounters, not web bugs. My traditional response is here.

      Jamie McCarthy

      --

      Jamie McCarthy
      jamie.mccarthy.vg

    2. Re:What I'd like to know is by tealover · · Score: 3

      I don't understand this. Why do you need to count pages based on the image? You have the damn web logs !! Why can't you just analyze the web logs? Your traditional response is lacking.

      I'm sure you won't respond to this because you never respond with anything more than your obligatory response.

      --
      -- You see, there would be these conclusions that you could jump to
  8. Preventing this by FIGJAM · · Score: 3

    When I am in Vindoz I use ZoneAlarm as a firewall which asks me if I want an application to access the Internet when an attempt is made. I have never had any Office component attempt this but I like knowing if and when Word or anything else tries...

    --
    Do your best, hope for the best, suspect the worst.
    1. Re:Preventing this by the-banker · · Score: 3

      And you would never know if word tried, since it is the Internet Explorer component accessing the net, which I am sure you have granted access. Being a "necessary component of the OS" (their words, not mine) it will always be available, and chances are your firewall will never pick it up.

  9. And of course HTML emails by zlite · · Score: 3

    And they're *not* viewed in a web browser. Indeed, it's a good way to get an "opened" receipt when you send email (even if they choose not to acknowledge the usual "receipt requested" flag): embed a graphic from your own site and their client will automatically fetch it when they open the message. Cookies, too.

    Clever, but not new. Why the big MSFT-is-evil hype about this?

  10. Who's reading my resume? by spudboy · · Score: 5

    Here's an actual reason to send your resume in Microsoft Word format -- you can track who at the company is reading it and when. Put a bullet graphic on your web site, hold your nose and go to Kinko's to save your resume in Microsoft Word format, and sit back and track it.

    "Hi, this is Bob. I'm applying for the Internet security position, and I'm calling about my resume which you're looking at right now on your Macintosh." Freak them out but get the job.

    Mapping IP addresses to user names and phone extensions is a simple matter of social engineering and common sense.

    --
    -- Real free software sites don't use GIFs.
  11. Personally... by tealover · · Score: 3

    I hate the term "web bug". Actually, I'm more offended at the people who come up with these stupid terms rather than the potential abuse they bring about.

    I propose that we direct our energies to tracking and hunting down people who come up with these terms and sending them to Texas. I'm sure they'll know what to do about them down there.

    --
    -- You see, there would be these conclusions that you could jump to
  12. Word for Unix by Jeffrey Baker · · Score: 4

    ln -s `which strings` /usr/local/bin/word
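
A defender's version of the `strings` trick in comment 12 (and of comment 6's suggestion to look at a document in a text-only viewer), as an added example that is not part of the original thread: it pulls printable ASCII and UTF-16LE runs out of a document's raw bytes and lists every http/https reference, so the reader can see where a file would phone home before opening it in Word. The sample document bytes, the host names and the function names are constructed for the example.

```python
"""Scan a document's raw bytes for external URLs before opening it.

Added example (not from the thread): does what `strings file.doc | grep http`
does, but also decodes UTF-16LE runs, since Word's binary format stores much
of its text that way and plain `strings` skips them unless run with `-e l`.
"""
import re
from urllib.parse import urlparse

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")            # 4+ printable ASCII bytes
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # same run, as UTF-16LE
URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IMAGE_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png", ".bmp")


def extract_strings(data: bytes) -> list:
    """Printable runs from the file: ASCII first, then decoded UTF-16LE."""
    runs = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    runs += [m.group().decode("utf-16-le") for m in UTF16LE_RUN.finditer(data)]
    return runs


def find_external_refs(data: bytes, trusted_hosts=()) -> list:
    """Every distinct http/https URL in the file, with a few triage fields."""
    refs, seen = [], set()
    for run in extract_strings(data):
        for url in URL.findall(run):
            url = url.rstrip(".,;)")
            if url in seen:
                continue
            seen.add(url)
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            refs.append({
                "url": url,
                "host": host,
                "trusted": host in trusted_hosts,
                # a remotely fetched image is what a tracking "web bug" looks like
                "image": parsed.path.lower().endswith(IMAGE_SUFFIXES),
                "has_query": bool(parsed.query),  # per-recipient tokens ride here
            })
    return refs


def suspicious_refs(data: bytes, trusted_hosts=()) -> list:
    """URLs worth a second look: images fetched from hosts we don't control."""
    return [r["url"] for r in find_external_refs(data, trusted_hosts)
            if r["image"] and not r["trusted"]]


def _utf16(text: str) -> bytes:
    return text.encode("utf-16-le")


# Constructed stand-in for a .doc: the OLE magic, filler, a UTF-16LE
# INCLUDEPICTURE field pointing at a 1x1 GIF on an outside host, and an
# ASCII link to an internal host. Hosts are placeholders, not real sites.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    + _utf16('INCLUDEPICTURE "http://tracker.example/1pix.gif?id=recipient42" \\d')
    + b"\x00" * 8
    + b"HYPERLINK http://intranet.corp.example/style.css"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for ref in find_external_refs(SAMPLE_DOC, trusted_hosts=("intranet.corp.example",)):
        flag = "SUSPECT" if ref["image"] and not ref["trusted"] else "ok"
        print(f"{flag:7} {ref['url']}")
```

Run it against a real file with `find_external_refs(open(path, "rb").read(), trusted_hosts=(...))`; anything it reports that you did not put there is a request the document will make on your behalf.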

  13. Emacs too by Anonymous Coward · · Score: 3

    GNU emacs can do all of these things too (including harboring document virii). What's the diff?

    1. Re:Emacs too by pohl · · Score: 3

      Hmmm...I open a document, and it contains some emacs lisp code...how does this code become executed automatically without me instructing emacs to do so? I know that I can use M-x eval-buffer, or select a region and use M-x eval-region -- but in order to be analogous to a Word macro virus, wouldn't emacs have to automatically execute the contents of the file without my direction to do so? If this is the case, point this feature out to me. I'm curious.

      --

      The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

    2. Re:Emacs too by ink · · Score: 4
      GNU emacs can do all of these things too (including harboring document virii). What's the diff?

      That's not true. Emacs does not execute arbitrary lisp code embedded in a document. It certainly doesn't follow hyperlinks and set up cookies transparently. You have to explicitly do all of these things.

      The wheel is turning but the hamster is dead.

      --
      The wheel is turning, but the hamster is dead.
  14. This also happens in spam..... by blogan · · Score: 3

    I've noticed some spam that would try to fetch a graphic from a website. They track your address in the image location so they know who's getting it and who isn't. We need a backwards firewall to prevent traffic like this from leaving.....

  15. Who would have thought.... by tiny69 · · Score: 3
    Who would have thought that the biggest threat to computer security would be a document. One of Office 2000's benefits is - "Web-enabled collaboration and information sharing." Link

    I can't wait to find out what other "innovation" gems are still out there.

    --
    Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
  16. Bill Gates here... by DreamingReal · · Score: 5
    Hello everybody,
    My name is Bill Gates. I have just written up an e-mail tracing program that traces everyone to whom this message is forwarded to. I am experimenting with this and I need your help.

    Forward this to everyone you know and if it reaches 1000 people everyone on the list will receive $1000 at my expense.

    Enjoy.

    Your friend,
    Bill Gates

    Damn! This was totally true and I missed out!


    -------

    --
    We want some answers and all that we get
    Some kind of shit about a terrorist threat

    - Ministry
  17. That's not the half of it. by TheDullBlade · · Score: 3

    They don't know the difference between an app and a document.

    A=B=C -> A=C

    It logically follows that they don't know the difference between a document and an OS. There is further practical proof of this from the way you can open configuration windows from their help files.

    Ergo, the next version of MS-Windows will be called MS-Help. Instead of CTRL-ALT-DEL to log in, you'll use F1. Every time you want to type something in, you'll need to reassure your computer that you are indeed familiar with the operation of a keyboard, and probably still be forced to repeat the "This is the space bar. This is what we call the home row." tutorial every time you reboot.

    --------

    --
    /.
  18. What /I/ would like to know is by TheDullBlade · · Score: 5

    Why on earth do you even need them? I mean, you (the /. team) have full control of the server, right? So why use a goofy hack like 1 pel images?

    It seems to me that it's lazy and irresponsible to require an extra http request.

    --------

    --
    /.
    1. Re:What /I/ would like to know is by jamiemccarthy · · Score: 3
      "Jamie is a fucking liar."

      tealover, I don't see an email address for you in your user info. Because you're misquoting Hemos and saying some pretty outlandish stuff, I suppose you're just trolling. But if you'd like to talk seriously about this, please just email me and I can clear up any questions you might have.

      I don't think trying to allay your fears in posts here is going to be very fruitful. I'm not trying to silence you here, though; it goes without saying that any email discussion we'd have about this, you could feel free to post.

      Jamie McCarthy

      --

      Jamie McCarthy
      jamie.mccarthy.vg

  19. Actually that'd kick ass by Greyfox · · Score: 3

    You could probably hack up some magic stuff to page you when someone opens your resume, too. After all, this technique would really only be effective if you catch them in the act.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  20. Not a real bug by Fervent · · Score: 3
    How is this a problem? Corporations for years have been tracking users opening certain files, and with the built-in features of macros and internet access in most office suites (StarOffice and WordPerfect included) isn't this the same thing?

    MS just took the next logical step. They built a feature into the application that programmers had been scripting into it for years.

    --

    - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

  21. Re:This isn't much different than Web Pages alread by po_boy · · Score: 3
    phil_reed asked:
    Has anybody checked to see if the same thing happens in Excel?

    I cannot stress this enough, people. Read the articles referenced by slashdot before you post obvious questions.

    The article clearly states:

    In addition to Word documents, Web bugs can also be used in Excel 2000 and PowerPoint 2000 documents.

    So I would imagine that the answer is "yes. Someone has checked."

  22. Re:Why not? by baka_boy · · Score: 3
    What, you meant implement some basic sort of sane security policies to prevent a single user's mistakes from fsck'ing the whole system? Or even design an OS with networking and multiuser access in mind? (Wow, that sure would be awfully tough...fifteen years ago, before it had been done in almost every one of the flavors of UNIX.)

    Or maybe you mean a more advanced architecture -- one that could apply different security models to code depending on whether it was being executed from a local or remote source, and which put potentially "suspect" applications into a limited sandbox? (Why, that sounds an awful lot like Java, circa the mid-90s...)

    Basically, Microsoft, however good they are at UI design, code reuse, or marketing, often drops the ball when it comes to security. They push the envelope of functionality far before they're ready to deal with the vulnerabilities that it can cause. That wouldn't even bother me so much if they didn't try to pass their tools off as "secure by default," and keep problems and risks under wraps until they can be silently patched in the next service pack.

  23. Nope, ZoneAlarm catches Word. by DHartung · · Score: 3

    As well as any other Office applications, when they launch an HTML type of document. It's pretty easy to grant permission this one time only, too -- so you always know if programs that normally shouldn't be net-enabled are trying to slip one past you.

    Clearly you don't realize how either the "Internet Explorer component", or ZoneAlarm, works. Though Word uses the same HTML renderer, it is from within its own EXE. Granted, I don't kid myself that this will trap ALL instances of non-obvious internet use, but it goes a long way towards making me feel like I'm still in control.
    ----

    --
    lake effect weblog
    {Network engineer in Chicago--looking for work!}
  24. Pot, Kettle, Black by __aapbgd5977 · · Score: 3

    Ok, so if the Privacy Foundation is so upset about web bugs in MS Word documents, why does their OWN ADVISORY have a web bug in it? My filter (Guidescope) caught this little sucker: http://www.privacyfoundation.org/graphics/1pix.gif (Awaiting an explanation.)
    ==
    This post sponsored by the American Obstetrics Society:

    1. Re:Pot, Kettle, Black by Philippe · · Score: 3

      It's a spacer gif. Big deal. Web designers use them all the time. Plus, it's not a web bug since it originates on the same server.