Microsoft Word Security Flaw

JWL-23 writes: "cnn.com is reporting that a Microsoft Word flaw may allow file theft. Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold. Yet another reason to try OpenOffice.org." It still takes more than running Word to expose the contents of your hard drive though.

MS-Word and document exchange

[Charles+Dodgeson]

Yet another reason why MS Word is not a document exchange format. That rant is also avaible in other formats

Not True

[DaytonCIM]

"Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold."

That's not entirely true. It is true that before this story broke, Microsoft had no plans on updating or offering any new fixes for anything '97.
However, CNN and AP reported this morning that Micorsoft hasn't ruled out a fix and that they are in the process of determining what it would take to make a fix available.

Some clarification

[agantman]

1) IMHO the emphasis on Word97 is wrong. I originally tested this on Word2000 and it worked perfectly.

2) I was not out to find yet another M$ bug. I was using Word for my daily work when I stumbled onto this. It was one of those "I wonder what this button does" things.

3) The vulnerability is actually a lot more serious than the AP and bugtraq posts reveal. There is actually a way to skip the last step where the victim returns the bugged file. In other words, just editing and saving (or printing) the bugged file is sufficient. Look for a new bugtraq post early next week.

Re:Really another reason to use openoffice?

[yorgasor]

There is a big difference. Open source software developers rarely dish out patches. They can't, really. Windows software gets patched because they have complete control over the binary and know exactly what was shipped to customers. Open source software could be compiled on a dozen different platforms with who-knows-what kind of optimizations.

Instead, they release a new version with the bug fixed. Usually code patches are available, but how many people using KDE actually compiled their version?

Ok, so commercial software and open source software developers really want their users to use the most up to date versions. The difference is, MS wants their users to fork out a few hundred $$$ for their new fixes and gotta-have features. For KDE, you can just download the latest version or get it from a friend. That's why MS is evil for not patching '97. People paid a lot of money for it and expect MS to support it. I personally can't seen any feature worth paying several hundred dollars for an upgrade to Office 2000/XP over '97 and neither can millions of their customers.

Now you tell me who's looking out for their users.

A Fix!

[gspeare]

Of course, there's a way to address this problem with...a Word Macro! :)

Sub AutoOpen()
'
' IncludeTextBarrer Macro
' Macro created 9/13/2002 by Geoff Speare
' Created for Word 2000, use at own risk, etc.
'
Dim count As Integer
Dim vbFix As VbMsgBoxResult
Dim blFoundOne As Boolean

blFoundOne = False
For count = 1 To ActiveDocument.Fields.count
If ActiveDocument.Fields(count).Type = wdFieldIncludeText Then
blFoundOne = True
vbFix = MsgBox("An INCLUDETEXT field has been found. Would you like to lock it? " & _
"(Select All and then Ctrl-4 will unlock all fields if you change your mind.)", vbYesNo, "INCLUDETEXT Exploit Detection")
If vbFix = vbYes Then
ActiveDocument.Fields(count).Locked = True
End If

End If
Next
If blFoundOne Then
MsgBox "Your document may have a field which secretly includes text from another file. You may wish " & _
"to Reveal Field Codes (ALT-F9) and examine the document closely before saving or distributing it.", vbOKOnly, _
"INCLUDETEXT Exploit Detection"
End If
End Sub