This is not a flaw, it's a feature...


mjc
09-13-2002, 03:13 PM
Microsoft is investigating a security vulnerability with Word 97 which allows attackers to filch documents from victims' PCs using a crafty social engineering attack.

http://www.theregister.co.uk/content/4/27114.html


Hmmm....interesting little exploit. I wonder how many people this has already bitten. I can see it now:

Hey, John can you proof something for me?

Sure, Joe, send it over...

Some more info over at Woody's Office watch... http://www.woodyswatch.com (need to get to the archive and look at the Sept 6 and Sept 12 issues)

"I'm tellin' ya, folks, it's the worst Word security hole" - from WOW Sept 12

Paul Komski
09-13-2002, 07:48 PM
Have tried this and it seems to work in Word2000, so it doesn't seem specific to Word97.

However the malicious user would need to know the full path and file name(s) of the file(s) in question and also that the user would not unhide his hidden field and be found out.

So if you do have private/sensitive information, then I agree about not "editing" word documents on a network or returning them to the sender (unless they are completely trustworthy of course).

Incidentally, if you SelectAll (with the field's text both hidden and formatted as white text) and copy then paste into an OE eMail, everything will be copied into an RTF eMail but not into a Plain Text eMail. If the text is of any length it will appear as a lot of "white space" in the eMail (whereas this effect would have been hidden in Word). What I'm getting at is that apart from not returning such docs, also don't agree to copy the contents and paste them into an RTF eMail; hehe, actually a good reason for using a background color. ;)

PS. I may be wrong on this, but as well as editing the document you would also have to "Update Fields" by pressing F9 (or else this would need to be done by a concealed Macro) in order for the embedded field to be updated. Perhaps that's not necessary in Word97, which would make it more vulnerable.

Yes this is a "system trojan" alright and, as GH pointed out in another thread, a good reason for not installing Windows in the default folder but calling it MyWindows or something else.
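As an added, defender-side illustration (not code from this thread, from Woody's Watch or from Microsoft): a small Python scanner that lists every field in an RTF-format copy of a document and flags fields that pull in an external file while being concealed by the two tricks Paul describes, hidden text and white-on-white formatting. It assumes the external-file field is INCLUDETEXT (with INCLUDEPICTURE and LINK as relatives), which the thread does not name; the sample document and the path inside it are constructed for the example. A native .doc binary is not parsed; save the suspect document as RTF first.

```python
import re
from dataclasses import dataclass

# Word field types whose instruction names a source outside the document.
# Assumption for this example: the thread never names the field type involved.
EXTERNAL_FIELDS = {"INCLUDETEXT", "INCLUDEPICTURE", "LINK"}

# {\field ... {\*\fldinst INSTRUCTION}{\fldrslt RESULT}} is the RTF field group.
FIELD_RE = re.compile(
    r"\{\\field[^{]*\{\\\*\\fldinst\s*([^}]*)\}\s*\{\\fldrslt\s*([^}]*)\}"
)
# Either an escaped backslash (kept) or a control word such as \v or \cf1 (dropped).
TOKEN_RE = re.compile(r"(\\\\)|\\[a-zA-Z]+-?\d*\s?")
COLORTBL_RE = re.compile(r"\{\\colortbl(.*?)\}", re.S)
WHITE = (255, 255, 255)

# Constructed sample: a "please proof this" document with a visible DATE field
# and a hidden, white-coloured field that would pull in a file from the reader's PC.
SAMPLE_RTF = r"""{\rtf1\ansi
{\colortbl ;\red255\green255\blue255;}
\pard Report draft, {\field{\*\fldinst DATE \\@ "d MMMM yyyy"}{\fldrslt 13 September 2002}}\par
\pard Could you proof the paragraph below and send it back?\par
{\field{\*\fldinst \v\cf1 INCLUDETEXT "C:\\My Documents\\proposal1.doc"}{\fldrslt \v\cf1 }}
\pard Thanks!\par
}"""


@dataclass
class FieldFinding:
    field_type: str
    instruction: str
    hidden: bool        # \v (hidden text) applied inside the field
    white_text: bool    # \cfN where colour table entry N is pure white
    external: bool      # field type brings in content from outside the file

    @property
    def suspicious(self) -> bool:
        # An external field in plain sight is ordinary; one the reader cannot
        # see is exactly the pattern this thread is about.
        return self.external and (self.hidden or self.white_text)


def strip_controls(text: str) -> str:
    """Remove RTF control words but keep escaped backslashes as literal ones."""
    return TOKEN_RE.sub(lambda m: "\\" if m.group(1) else "", text).strip()


def parse_colortbl(rtf: str) -> list:
    """Return the colour table as (r, g, b) tuples; entry 0 is usually 'auto' (None)."""
    m = COLORTBL_RE.search(rtf)
    if not m:
        return []
    table = []
    for raw in m.group(1).split(";")[:-1]:
        rgb = tuple(int(v) for v in re.findall(r"\\(?:red|green|blue)(\d+)", raw))
        table.append(rgb if len(rgb) == 3 else None)
    return table


def scan_rtf(rtf: str) -> list:
    """List every field in an RTF document together with its concealment flags."""
    colors = parse_colortbl(rtf)
    findings = []
    for inst_raw, result_raw in FIELD_RE.findall(rtf):
        both = inst_raw + result_raw
        instruction = strip_controls(inst_raw)
        field_type = instruction.split()[0].upper() if instruction else ""
        # Heuristic: \v turns hidden text on; a later \v0 would turn it off again.
        hidden = re.search(r"\\v(?![a-zA-Z])", both) is not None
        white = any(
            idx < len(colors) and colors[idx] == WHITE
            for idx in (int(n) for n in re.findall(r"\\cf(\d+)", both))
        )
        findings.append(FieldFinding(field_type, instruction, hidden, white,
                                     field_type in EXTERNAL_FIELDS))
    return findings


if __name__ == "__main__":
    for f in scan_rtf(SAMPLE_RTF):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.field_type:14} hidden={f.hidden} white={f.white_text} {f.instruction}")
```

Run it over a saved-as-RTF copy of anything you are asked to "proof and return"; the white-text check only works because the colour table is consulted rather than trusting the colour index alone, and the hidden-text check is a deliberately simple heuristic, so treat any SUSPICIOUS line as a prompt to toggle field codes (Alt+F9) and look, not as proof.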

mjc
09-13-2002, 09:02 PM
The one very dangerous thing is that many people use the default names/locations for things....want somebody's address book, who needs to figure out the path! Want the proposals just have it grab proposal1, proposal2, etc...

Under the scenario of "proofing" something the attacker can easily have the victim update the fields...just have some obvious error that the most natural way to fix would involve an update.

mjc
09-14-2002, 10:30 PM
One of the most inane, condescending pieces of (expletive deleted) I have ever read.....

Word Fields Vulnerability (http://www.microsoft.com/technet/treeview/default.asp?url=/Technet/security/topics/secword.asp)

Word fields are a feature that provides a way of automatically inserting information into Word documents. This feature is commonly used to insert information such as dates and page numbers in document Headers and Footers. By default the fields are hidden from view so as not to clutter the document when it is being edited, but they can be revealed if necessary.

Yeah, so what, it is a feature.....that can be used to steal documents.

The issue affects all versions of Word to varying degrees, and the complexity on the attacker’s part varies as well since individual attack vectors may be needed for specific versions of Word.

Kind of figured that one out on our own.....

* The attacker would need to know the absolute path to the file that is to be stolen.
* The attacker would need to entice the user into returning the document.
* The user could always view the field codes.
* The attacker would leave a clear audit trail.

For the absolute path and name, well MS so kindly has so many items that could be of interest in default locations, that hardly anybody bothers to change....

Getting the victim to use and return the document isn't really all that much of a problem, most of the places that I have seen this discussed, myself included, immediately thought of the "proofing" scenario...

So what....a clear audit trail is meaningless if the attacker has the document and you don't......


Office 97 users should be aware, however, that Office 97 was developed in an era when the security threat was very different, and Office 97 does not include any of the improved security architecture of more recent versions of Office, such as Macro and e-mail attachment security. For best security, we recommend that customers use Word 2002.

Yep, Office97 users, your time is up, upgrade or die.....

The customer confusion and speculation around this issue is a clear illustration of the challenges faced when security reports are made public rather than reported to the vendor. Responsible researchers work with vendors to ensure that the priority in dealing with security issues is first and foremost the protection and safety of users. Had this been the priority in this case, much of the confusion, speculation and anxiety that resulted in this case could have been avoided.

Two weeks and nothing until it started getting tossed around in the press.....

Paul Komski
09-14-2002, 11:01 PM
For best security, we recommend that customers use Word 2002

Sure - I thought the article said that ALL versions of Word were vulnerable to some extent. :mad:

bassvax
09-15-2002, 01:38 AM
LOL...notice how this horrible vulnerability of the "uplddrvr.htm" (ok...didn't take the time to make sure of exact file name) was brought about just as SP1 was being released?

You will download our SP so we can further insert our dominance over you and your files via "our" operating system that you don't own.....yada...yada...

classicsoftware
09-15-2002, 08:16 AM
Word 2002 is LESS vulnerable than Word 97 according to MS. But here is the kicker,
MS has NO PLANS TO FIX WORD 97.

Do what I do,


USE WORD PERFECT.

Paul Komski
09-15-2002, 09:23 AM
Since I only ever edit my own docs, I'm quite happy with Word, but it's good to know about the vulnerability and to be on one's guard for when a request to edit/proof read comes.

mjc
09-15-2002, 12:52 PM
Do what G_H suggested elsewhere.

DON'T USE DEFAULT INSTALL LOCATIONS!!!!