Slashdot Mirror


Microsoft Word Documents That "Phone Home"

ephraim writes "According to The Privacy Foundation, Microsoft Word documents have a 'feature' which allows the documents' creators to place web bugs within the documents that inform the author whenever somebody has opened the document via a web server's logging facilities. This 'feature' can also be used to set and view cookies on the reader's copy of Internet Explorer. The story can be found here. While this might be useful for tracking the distribution of confidential documents, it also raises serious red flags about privacy since most people probably aren't expecting their copy of MSWord to announce their reading habits every time they use it." Props to their CTO Richard M. Smith.

Here is what Microsoft had to say about it (emphasis added)...

Vendor Contact and Response

Microsoft was contacted about this issue on 8/4/00, and again on 8/25/00. They confirmed that Microsoft Word will access the Internet in order to fetch Web images that are linked to in a Word document. They went on to say that Word uses Internet Explorer to fetch images and therefore standard Web browser cookies can be both read and set from inside a Word document. However, the company claims that Word users can mitigate the use of cookies.

Regarding the potential use of Web bugs to track Word documents, Microsoft said that there is no evidence that such activities are occurring.
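A defender-side check for the mechanism Microsoft confirms above, as an added example that is not part of the original story or comments: it lists URLs stored literally inside a document's bytes, in 8-bit or UTF-16LE form, so a file can be inspected before Word opens it. The sample bytes and the `example.com`/`example.net` hosts are constructed, and the assumption that link targets appear as plain strings is this example's own; anything compressed or obfuscated will be missed.

```python
import re
from urllib.parse import urlsplit

# Characters allowed inside a URL; matching stops at quotes, spaces, control bytes.
_URL_CHARS = rb"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]"
_ASCII_URL = re.compile(rb"(?:https?|ftp)://" + _URL_CHARS + rb"+")
# Same pattern with a NUL after every character, i.e. UTF-16LE text.
_WIDE_URL = re.compile(
    rb"(?:h\x00t\x00t\x00p\x00(?:s\x00)?|f\x00t\x00p\x00):\x00/\x00/\x00(?:"
    + _URL_CHARS + rb"\x00)+"
)


def find_remote_urls(data: bytes) -> list[str]:
    """Return URLs found in raw document bytes, in order, without duplicates."""
    found = [m.group().decode("ascii") for m in _ASCII_URL.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in _WIDE_URL.finditer(data)]
    unique = []
    for url in found:
        url = url.rstrip(".,)")  # trailing punctuation from surrounding prose
        if url not in unique:
            unique.append(url)
    return unique


def remote_hosts(data: bytes) -> list[str]:
    """Hosts the document could contact if every stored URL were fetched."""
    hosts = {urlsplit(u).hostname for u in find_remote_urls(data)}
    return sorted(h for h in hosts if h)


# Constructed sample: compound-file signature, one 8-bit URL, one UTF-16LE URL.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    + b'Quarterly report \x13 "http://tracker.example.com/bug.gif?doc=42" \x14\x15'
    + "See http://intranet.example.net/logo.png".encode("utf-16-le")
    + b"\x00\x00plain text with no links"
)

if __name__ == "__main__":
    for url in find_remote_urls(SAMPLE):
        print("remote reference:", url)
    print("hosts:", ", ".join(remote_hosts(SAMPLE)))
```

A hit is a reason to open the file offline or in a viewer that does not fetch linked content, not proof of tracking; an ordinary hyperlink in the text is reported the same way.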

13 of 317 comments

  1. This would happen with HTML documents too by donutello · · Score: 5

    If I distributed an HTML document which had references to images or other objects on some website, every user opening that HTML document would cause an access to that web site.

    --
    Mmmm.. Donuts
    1. Re:This would happen with HTML documents too by Shadowkiller · · Score: 5

      This may be totally offtopic, but I think this troll may be onto something. What if someone were to embed the DeCSS code into a Word macro virus? Just imagine the possibilities!

      Each time someone opens an infected document, it spreads copies of the code into all .doc files on the hard drive. Given all the mystery bloat that typically accompanies Word documents anyway, I doubt anyone would even notice.

      As an added bonus, the Outlook-enhanced version could also send copies to 50 people in the address book!

      Before long, if it circulates far enough, we might even be getting copies of DeCSS which were inadvertently sent directly to the MPAA themselves! Oh, sweet irony.

  2. Well, that makes me feel better. by tycage · · Score: 5
    Regarding the potential use of Web bugs to track Word documents, Microsoft said that there is no evidence that such activities are occurring.

    Since it's not happening now, it couldn't possibly start happening later. I've never seen a problem with a Microsoft product be exploited weeks, months, even years after it was released. Now I'll be able to sleep at night.

    --Ty

  3. So let me get this straight. Word can:

    -Run arbitrary macros
    -Access your hardware
    -Access the Internet
    -Download and upload data
    -Set and send cookies

    I'm beginning to think Microsoft is right: They don't know the difference between an app and an OS.

    Just to spell it all out: A Word macro virus now has the ability to, say, infect all your existing Word files such that when you open one of those files the contents are sent to a named address on the Internet. Goodbye confidential documents!
    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
  4. This isn't much different than Web Pages already.. by LionKimbro · · Score: 4

    We shouldn't be too surprised; Web Pages are already like this.

    I remember the surprise that a friend of mine showed when I showed her "Apache Logs".

    Her first reply was, "HOW CAN I MAKE IT NOT DO THAT?!?"

    (This is a particularly paranoid friend of mine.)

    General rule of thumb: If you're doing something on the Internet, you're being logged.

    Do something useful: read "Transparent Society" and/or work on making yourself a more tolerant person, rather than fretting about your "privacy" (unaccountability).

  5. How hard is it by Rurik · · Score: 4

    On the topic of Word: How hard is it to just have a simple word processor package?
    WTF does Microsoft have to insist on throwing every single bell and whistle that the 1%'ers want into the mix. People want a small, reliable processor to type up homework and reports.
    They went on the right track with their installation process, which splits up Word into its vital components, and lets you choose which to install. But what good is that if it still installs components that you don't want, and don't trust on your machine (such as the topic)?

    1. Re:How hard is it by baka_boy · · Score: 4
      Microsoft, like any software design group, has the right to make a design choice favoring code reusability over security. In my opinion, though, they've screwed up here by not making clear to their users the potential implications of a choice made when designing the application. The "user friendly" interface and widespread distribution of Microsoft productivity applications contributes to their appearance of being "safe", while the flexibility of the components makes them very powerful.

      The average user of MS Office knows their way around the interface, and may even be able to throw together a few quick-and-dirty macros, but they are by no means an experienced object-oriented programmer, or a distributed systems designer. They will not expect to have to check every Word processing document they receive for potential security risks; nor will they automatically run any filtering or TCP/IP monitoring software. Hence, there will continue to be millions of computers compromised to attackers on a regular basis.

      I have little sympathy for system administrators who fail to take basic precautions like changing default passwords or disabling unneeded services -- that's their job, and they should know better. However, I don't expect the same level of diligence from an inexperienced user who's trying to type view a business letter sent to them from outside the office. Microsoft distributes even their "basic" productivity applications with all the functionality of a basic operating system, makes that power easy to harness (for whatever purpose), and demonstrates little more to their average user than how easy it makes dragging and dropping a spreadsheet chart into a business report. That's irresponsible and misleading.

  6. Re:What I'd like to know is by jamiemccarthy · · Score: 5
    We get this every so often. They're pagecounters, not web bugs. My traditional response is here.

    Jamie McCarthy

    --

    Jamie McCarthy
    jamie.mccarthy.vg

  7. Who's reading my resume? by spudboy · · Score: 5

    Here's an actual reason to send your resume in Microsoft Word format -- you can track who at the company is reading it and when. Put a bullet graphic on your web site, hold your nose and go to Kinko's to save your resume in Microsoft Word format, and sit back and track it.

    "Hi, this is Bob. I'm applying for the Internet security position, and I'm calling about my resume which you're looking at right now on your Macintosh." Freak them out but get the job.

    Mapping IP addresses to user names and phone extensions is a simple matter of social engineering and common sense.

    --
    -- Real free software sites don't use GIFs.
  8. Word for Unix by Jeffrey+Baker · · Score: 4

    ln -s `which strings` /usr/local/bin/word

  9. Bill Gates here... by DreamingReal · · Score: 5
    Hello everybody,
    My name is Bill Gates. I have just written up an e-mail tracing program that traces everyone to whom this message is forwarded to. I am experimenting with this and I need your help.

    Forward this to everyone you know and if it reaches 1000 people everyone on the list will receive $1000 at my expense.

    Enjoy.

    Your friend,
    Bill Gates

    Damn! This was totally true and I missed out!


    -------

    --
    We want some answers and all that we get
    Some kind of shit about a terrorist threat

    - Ministry
  10. What /I/ would like to know is by TheDullBlade · · Score: 5

    Why on earth do you even need them? I mean, you (the /. team) have full control of the server, right? So why use a goofy hack like 1 pel images?

    It seems to me that it's lazy and irresponsible to require an extra http request.

    --------

    --
    /.
  11. Re:Emacs too by ink · · Score: 4
    GNU emacs can do all of these things too (including harboring document virii). What's the diff?

    That's not true. Emacs does not execute arbitrary lisp code embedded in a document. It certainly doesn't follow hyperlinks and set up cookies transparently. You have to explicitly do all of these things.

    The wheel is turning but the hamster is dead.

    --
    The wheel is turning, but the hamster is dead.