Microsoft Word Security Flaw
JWL-23 writes: "cnn.com is reporting that a Microsoft Word flaw may allow file theft. Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold. Yet another reason to try OpenOffice.org." It still takes more than running Word to expose the contents of your hard drive though.
Yet another reason why MS Word is not a document exchange format. That rant is also available in other formats
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
"Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold."
That's not entirely true. It is true that before this story broke, Microsoft had no plans on updating or offering any new fixes for anything '97.
However, CNN and AP reported this morning that Microsoft hasn't ruled out a fix and that they are in the process of determining what it would take to make a fix available.
1) IMHO the emphasis on Word97 is wrong. I originally tested this on Word2000 and it worked perfectly.
2) I was not out to find yet another M$ bug. I was using Word for my daily work when I stumbled onto this. It was one of those "I wonder what this button does" things.
3) The vulnerability is actually a lot more serious than the AP and bugtraq posts reveal. There is actually a way to skip the last step where the victim returns the bugged file. In other words, just editing and saving (or printing) the bugged file is sufficient. Look for a new bugtraq post early next week.
Instead, they release a new version with the bug fixed. Usually code patches are available, but how many people using KDE actually compiled their version?
Ok, so commercial software and open source software developers really want their users to use the most up to date versions. The difference is, MS wants their users to fork out a few hundred $$$ for their new fixes and gotta-have features. For KDE, you can just download the latest version or get it from a friend. That's why MS is evil for not patching '97. People paid a lot of money for it and expect MS to support it. I personally can't see any feature worth paying several hundred dollars for an upgrade to Office 2000/XP over '97 and neither can millions of their customers.
Now you tell me who's looking out for their users.
Of course, there's a way to address this problem with...a Word Macro! :)
Sub AutoOpen()
'
' IncludeTextBarrer Macro
' Macro created 9/13/2002 by Geoff Speare
' Created for Word 2000, use at own risk, etc.
'
' AutoOpen runs when a document is opened. Put the macro in Normal.dot
' (or another global template) so it fires for every document you open,
' not only for documents that happen to carry the macro themselves.
'
    Dim i As Integer
    Dim vbFix As VbMsgBoxResult
    Dim blFoundOne As Boolean

    blFoundOne = False
    For i = 1 To ActiveDocument.Fields.Count
        ' Only INCLUDETEXT fields are checked. Locking a field stops Word
        ' from updating it (and so from re-reading the referenced file)
        ' when the document is saved or printed.
        If ActiveDocument.Fields(i).Type = wdFieldIncludeText Then
            blFoundOne = True
            vbFix = MsgBox("An INCLUDETEXT field has been found. Would you like to lock it? " & _
                "(Select All and then Ctrl-4 will unlock all fields if you change your mind.)", _
                vbYesNo, "INCLUDETEXT Exploit Detection")
            If vbFix = vbYes Then
                ActiveDocument.Fields(i).Locked = True
            End If
        End If
    Next i

    If blFoundOne Then
        MsgBox "Your document may have a field which secretly includes text from another file. You may wish " & _
            "to Reveal Field Codes (ALT-F9) and examine the document closely before saving or distributing it.", _
            vbOKOnly, "INCLUDETEXT Exploit Detection"
    End If
End Sub
There's some other ways of getting weird extraneous data dumped into Office files -- see this Microsoft Knowledge Base document for more info. Fast saves are by far the worst culprit, though.
If you're really concerned about this sort of thing, the best thing to do (besides using a different office suite) is to pipe public documents through GNU strings first to make sure nothing conspicuous is embedded.
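As an added example (not code from the thread, from Microsoft, or from the macro above), here is the `strings` idea from the post above turned into a small Python scanner. It matters for this bug because Word 97/2000 store document text in pieces that are either 8-bit or UTF-16LE, so a plain `strings` pass sees only half the cases; the script does what `strings` and `strings -e l` do together, then looks for INCLUDETEXT instructions in the recovered runs. Because it never opens the file in Word, it can be run on a bugged document without the save-or-print trigger described earlier firing. The sample bytes, the paths in them and the field begin/separator/end characters (0x13, 0x14, 0x15) are constructed for the example; INCLUDEPICTURE is a real Word field that also names a file, added here as a generalization the thread does not mention.

```python
"""Triage a Word binary document for file-pulling field codes without opening it in Word.

Added example for this thread; not code from the original posts or from Microsoft.
"""
import re
import sys
from typing import Dict, List, Tuple

# INCLUDETEXT is the field in the thread; INCLUDEPICTURE is a sibling field
# that also names a file (added here as a generalization).
SUSPECT_FIELDS = ("INCLUDETEXT", "INCLUDEPICTURE")

# Runs of printable ASCII, as `strings` (default) and `strings -e l` report them.
_RUN_8BIT = re.compile(rb"[\x20-\x7e]{8,}")
_RUN_16LE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# A field instruction: keyword, whitespace, then one argument, either quoted
# (inside quotes Word doubles backslashes and escapes quotes) or bare.
_FIELD = re.compile(
    r"\b(" + "|".join(SUSPECT_FIELDS) + r")\s+(?:\"((?:[^\"\\]|\\.)*)\"|(\S+))",
    re.IGNORECASE,
)


def extract_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (byte_offset, encoding, text) for every printable run, sorted by offset."""
    runs = []
    for m in _RUN_8BIT.finditer(data):
        runs.append((m.start(), "8bit", m.group().decode("ascii")))
    for m in _RUN_16LE.finditer(data):
        runs.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(runs)


def find_suspect_fields(data: bytes) -> List[Dict[str, object]]:
    """Return one record per INCLUDETEXT/INCLUDEPICTURE instruction found in either encoding."""
    hits = []
    for run_offset, enc, text in extract_strings(data):
        width = 2 if enc == "utf-16le" else 1  # bytes per character in this run
        for m in _FIELD.finditer(text):
            raw = m.group(2) if m.group(2) is not None else m.group(3)
            # Undo field-code escaping so the reported path is the one Word would open.
            path = re.sub(r"\\(.)", r"\1", raw)
            hits.append({
                "field": m.group(1).upper(),
                "path": path,
                "encoding": enc,
                "offset": run_offset + width * m.start(),
            })
    return hits


# Constructed stand-in for a .doc: OLE header magic, padding, one field stored
# as 8-bit text, then a harmless DATE field and an INCLUDEPICTURE field stored
# as UTF-16LE. 0x13/0x14/0x15 are Word's field begin/separator/end characters.
# The file paths are made up.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    + b'\x13 INCLUDETEXT "C:\\\\autoexec.bat" \x14\x15'
    + b"\x00" * 8
    + ' DATE \\@ "d MMMM yyyy" '.encode("utf-16-le")
    + b"\x13\x00" + ' INCLUDEPICTURE "C:\\\\My Documents\\\\brief.doc" '.encode("utf-16-le")
    + b"\x14\x00\x15\x00"
)


if __name__ == "__main__":
    # Scan the file named on the command line, or the constructed sample if none is given.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DOC
    for h in find_suspect_fields(data):
        print(f"{h['offset']:#08x} {h['encoding']:9} {h['field']} -> {h['path']}")
```

On the command line the equivalent is `strings file.doc` plus `strings -e l file.doc` piped through `grep -i include`; the default `strings` invocation alone misses any field Word happened to store as UTF-16. A string scan is a triage step, not proof of absence: the macro above enumerates Word's actual field objects and is the more reliable check, but it only runs once the document is open in Word, which is exactly what a scan like this lets you avoid.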
But back to my original point - there are many contexts where it is literally day-to-day routine for lawyers to email Word documents back and forth, with each recipient detaching and saving the file, throwing in a few edits, and sending it back. In some situations, such as court documents that typically are negotiated, then filed jointly (e.g., proposed pretrial and scheduling orders), this interaction occurs among parties who are adversaries in a lawsuit - the farthest thing I can imagine from a trusted exchange.
This alone allows substantial opportunity for exploitation. Even if you don't know any specific filenames, it seems as though you could easily grab the Registry, which is always named the same thing, and learn at least some path and filename information from it. And also keep in mind that many firms (not ours, fortunately) use a stupid auto-format that appends the path and filename into the footer of a document. Let's say I was an unscrupulous lawyer co-drafting a scheduling order, and knew about this exploit. I might go through the earlier files and records in the case, and look at the briefs my opponent filed. If the filename was in the footer, I could rig the scheduling order to get the brief, which would contain not only the printed text I'd already seen when the brief was filed, but perhaps leftover redlines, comments, those mysterious fragments at the bottom, etc.
To answer your obvious questions: (1) no, I haven't tried it, and I'm not planning to, so I don't know if it would actually work, and (2) I have sent the Bugtraq link to the one non-worthless person in our IT department, and (3) yes, I realize this is not a macro exploit technically, so turning macros off won't help. But folks, this is really scary, and I am sure that legal practice is not the only line of business where "enemies" or untrusted parties exchange Word documents via email. That is how the world does business these days.
No, no, no. This is not a sig.
What, you mean Linus still produces patches for 1.1.x?
Actually, there are still new releases to the 2.0 kernel series, which is the "circa 1997" (think "Word 97") kernel series. They're at 2.0.40-pre6 right now.
Of course, perhaps the original poster meant that people should try OpenOffice not because patches are released for older versions of Open Source software, but rather because the upgrade to the latest, fully patched version is free?