Slashdot Mirror


Microsoft Word Documents That "Phone Home"

ephraim writes "According to The Privacy Foundation, Microsoft Word documents have a 'feature' which allows the documents' creators to place web bugs within the documents that inform the author whenever somebody has opened the document via a web server's logging facilities. This 'feature' can also be used to set and view cookies on the reader's copy of Internet Explorer. The story can be found here. While this might be useful for tracking the distribution of confidential documents, it also raises serious red flags about privacy since most people probably aren't expecting their copy of MSWord to announce their reading habits every time they use it." Props to their CTO Richard M. Smith.

Here is what Microsoft had to say about it (emphasis added)...

Vendor Contact and Response

Microsoft was contacted about this issue on 8/4/00, and again on 8/25/00. They confirmed that Microsoft Word will access the Internet in order to fetch Web images that are linked to in a Word document. They went on to say that Word uses Internet Explorer to fetch images and therefore standard Web browser cookies can be both read and set from inside a Word document. However, the company claims that Word users can mitigate the use of cookies.

Regarding the potential use of Web bugs to track Word documents, Microsoft said that there is no evidence that such activities are occurring.
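A defender-side check for the mechanism described above, as an added example that is not part of the original story or the advisory: it lists the remote objects a document would fetch when opened. It assumes the later .docx (OOXML) packaging rather than the binary .doc format of the time, where a linked picture appears as a relationship marked `TargetMode="External"`; the sample package and the `tracker.example` URL are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, defusedxml is the safer parser

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_references(docx_bytes):
    """Return (part, kind, target) for each external relationship that is not
    a plain hyperlink, i.e. content the application may fetch when opening."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("TargetMode") != "External":
                    continue  # embedded part, nothing leaves the machine
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                if kind == "hyperlink":
                    continue  # only followed when the reader clicks it
                findings.append((name, kind, rel.get("Target")))
    return findings


def build_sample():
    """Constructed sample: relationship part with an embedded image, a
    clickable link and a remotely linked image (the web bug)."""
    rels = (
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%simage" Target="media/image1.png"/>'
        '<Relationship Id="rId2" Type="%shyperlink"'
        ' Target="http://www.example.org/" TargetMode="External"/>'
        '<Relationship Id="rId3" Type="%simage"'
        ' Target="http://tracker.example/bug.gif?doc=42" TargetMode="External"/>'
        '</Relationships>' % (PKG_NS, DOC_REL, DOC_REL, DOC_REL)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, kind, target in external_references(build_sample()):
        print("external %s in %s -> %s" % (kind, part, target))
```

The constructed sample holds only the relationship part, which is all the scanner reads; it is not a document Word would open.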

8 of 317 comments

  1. This would happen with HTML documents too by donutello · Score: 5

    If I distributed an HTML document which had references to images or other objects on some website, every user opening that HTML document would cause an access to that web site.

    --
    Mmmm.. Donuts
    1. Re:This would happen with HTML documents too by Shadowkiller · Score: 5

      This may be totally offtopic, but I think this troll may be onto something. What if someone were to embed the DeCSS code into a Word macro virus? Just imagine the possibilities!

      Each time someone opens an infected document, it spreads copies of the code into all .doc files on the hard drive. Given all the mystery bloat that typically accompanies Word documents anyway, I doubt anyone would even notice.

      As an added bonus, the Outlook-enhanced version could also send copies to 50 people in the address book!

      Before long, if it circulates far enough, we might even be getting copies of DeCSS which were inadvertently sent directly to the MPAA themselves! Oh, sweet irony.

  2. Well, that makes me feel better. by tycage · Score: 5
    "Regarding the potential use of Web bugs to track Word documents, Microsoft said that there is no evidence that such activities are occurring."

    Since it's not happening now, it couldn't possibly start happening later. I've never seen a problem with a Microsoft product be exploited weeks, months, even years after it was released. Now I'll be able to sleep at night.

    --Ty

  3. So let me get this straight. Word can:

    -Run arbitrary macros
    -Access your hardware
    -Access the Internet
    -Download and upload data
    -Set and send cookies

    I'm beginning to think Microsoft is right: They don't know the difference between an app and an OS.

    Just to spell it all out: A Word macro virus now has the ability to, say, infect all your existing Word files such that when you open one of those files the contents are sent to a named address on the Internet. Goodbye confidential documents!
    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
  4. Re:What I'd like to know is by jamiemccarthy · Score: 5
    We get this every so often. They're pagecounters, not web bugs. My traditional response is here.

    Jamie McCarthy

    --

    Jamie McCarthy
    jamie.mccarthy.vg

  5. Who's reading my resume? by spudboy · Score: 5

    Here's an actual reason to send your resume in Microsoft Word format -- you can track who at the company is reading it and when. Put a bullet graphic on your web site, hold your nose and go to Kinko's to save your resume in Microsoft Word format, and sit back and track it.

    "Hi, this is Bob. I'm applying for the Internet security position, and I'm calling about my resume which you're looking at right now on your Macintosh." Freak them out but get the job.

    Mapping IP addresses to user names and phone extensions is a simple matter of social engineering and common sense.

    --
    -- Real free software sites don't use GIFs.
  6. Bill Gates here... by DreamingReal · Score: 5
    Hello everybody,
    My name is Bill Gates. I have just written up an e-mail tracing program that traces everyone to whom this message is forwarded to. I am experimenting with this and I need your help.

    Forward this to everyone you know and if it reaches 1000 people everyone on the list will receive $1000 at my expense.

    Enjoy.

    Your friend,
    Bill Gates

    Damn! This was totally true and I missed out!


    -------

    --
    We want some answers and all that we get
    Some kind of shit about a terrorist threat

    - Ministry
  7. What /I/ would like to know is by TheDullBlade · Score: 5

    Why on earth do you even need them? I mean, you (the /. team) have full control of the server, right? So why use a goofy hack like 1 pel images?

    It seems to me that it's lazy and irresponsible to require an extra http request.

    --------

    --
    /.