Chapter 4
Stuck Inside of Pages with Those Unprintable Blues Again
How typical is this scenario: You receive a 20-page Word document from a
client, and you need to print it. The document contains graphics--in particular,
slides copied from PowerPoint right into the Word doc. But nothing
comes out of the printer. Turn the printer off, restart, and wait for the system
THIEVES USE WORD TO STEAL FILES
Details about one of the largest security holes in Microsoft Word were first published
on August 26, 2002 to the popular Bugtraq security list, a service hosted by
SecurityFocus, a subsidiary of Symantec.* The security hole has still not been
corrected. Essentially, an information thief can steal files from the computer of a
person using Word 97.
If you use Word 97 and an unknown person sends you a document to modify,
be aware that when you return it, the Word document may contain a hidden copy
of files from your computer. The Word document will not be flagged by anti-virus
programs. It will also not appear to Word 97 to contain any macros.
The copied files aren't visible in Word, but they are clearly visible using Notepad
or Wordpad. The copied files could be documents, Excel spreadsheets, or anything
else; they could be located anywhere, even on a secure server. If you have permission
to read a file, and you use Word 97 to edit a document from someone who is secretly
an information thief, that person could grab the file using "spy" code that can scan
for hundreds of files and the INCLUDETEXT field, one of many hidden fields embedded
in Word docs. The only way to prevent a file from being stolen is to manually check
the fields, which you can find in the document's Properties panel.
If you use Word 97, you shouldn't open and modify a document from someone
you don't trust, unless that person will never get the document back. The scheme
works best with Word 97, but Word 2000 and 2002 could also be conscripted into
service if the attacker can persuade a victim to print the document first.
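The manual field check can be automated before a document goes back to its sender. The following is an added example, not code from the book or from Microsoft: a heuristic Python scan of a .doc file's raw bytes for fields that pull in external files. It assumes the Word binary convention that a field starts with character 0x13 and that text is stored as 8-bit characters or UTF-16LE; the function name, the sample bytes, and the inclusion of INCLUDEPICTURE alongside INCLUDETEXT are assumptions of this example.

```python
import re
import sys

# A field begins with 0x13; its instruction runs to 0x14 (separator) or
# 0x15 (end). The keyword is matched right after the field-begin mark and
# the argument is captured up to the next field character.
FIELD = re.compile(
    r"\x13\s*(INCLUDETEXT|INCLUDEPICTURE)\b([^\x13\x14\x15]{0,300})", re.I
)

def find_file_pulling_fields(data: bytes):
    """Return sorted (keyword, argument) pairs for file-including fields.

    Heuristic: scans raw bytes instead of parsing the file structure, so
    text is tried as 8-bit and as UTF-16LE at both byte alignments.
    """
    hits = set()
    for codec, shift in (("latin-1", 0), ("utf-16-le", 0), ("utf-16-le", 1)):
        text = data[shift:].decode(codec, errors="replace")
        for m in FIELD.finditer(text):
            hits.add((m.group(1).upper(), m.group(2).strip()))
    return sorted(hits)

# Constructed sample input (not taken from a real document).
SAMPLE_NARROW = (
    b"Please review.\r\x13"
    + rb' INCLUDETEXT "C:\\secret\\plan.txt" '
    + b"\x14\x15\r"
)
SAMPLE_WIDE = b"\xec" + (
    '\x13 PAGE \x14 3\x15 \x13 includetext "notes.txt" \x14\x15'
).encode("utf-16-le")

if __name__ == "__main__":
    # Scan files named on the command line, or the samples if none given.
    if sys.argv[1:]:
        blobs = []
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                blobs.append((path, fh.read()))
    else:
        blobs = [("sample-narrow", SAMPLE_NARROW), ("sample-wide", SAMPLE_WIDE)]
    for name, blob in blobs:
        for keyword, argument in find_file_pulling_fields(blob):
            print(f"{name}: {keyword} {argument}")
```

A hit means the document asks Word to pull in the named file; an empty result from this byte-level scan does not prove the document is clean.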
The security hole is outrageous, yet Microsoft has declined to fix older versions
of Word, angering IT professionals. "The only suggestion Microsoft has come up
with--examine field codes in your document manually--is so lame I don't know if I
should laugh or cry . . . or scream," wrote Woody Leonhard, Certified Office Victim
and publisher of the newsletter Woody's Office Watch.
"Can you look at a field
code and know if it will automatically suck in a sensitive file? How can hundreds
of millions of Office users be expected to tell the difference between a safe field code
and a spy?"
Microsoft has also angered the community of bug fixers by complaining that
the details of this security hole should not have been disclosed without Microsoft's
first performing tests. It was only after Woody Leonhard published details in his
newsletter that the mainstream press got a hold of the story. Microsoft was forced to
make a statement about the problem since the Associated Press was about to release
the story to newspapers all over the world. But you have to admire Microsoft's PR
machine--the company managed to convince the press that it had disclosed the
problem voluntarily.
* Gantman, Alex. "Security side-effects of Word fields." Bugtraq Archive. See
www.securityfocus.com/archive/1/289268/2002-09-09/2002-09-15/2. See also Lemos, Robert.
"Microsoft warns of thieving Word docs." CNET News.com. September 12, 2002. See
http://news.com.com/2100-1001-957786.html?tag=fd_top.
Leonhard, Woody. Woody's Office Watch. September 18, 2002. See
www.woodyswatch.com/office/archtemplate.asp?v7-n44.
No Starch Press
© 2005 by Tony Bove