COMMAND

    MS Word connected to DB/2 (ODBC)

SYSTEMS AFFECTED

	Win9x, NT

PROBLEM

    Klaus Kusche posted  following.  This  was tested under  following
    environment:

        MS NT 4.0
        MS Word 97
        IBM DB2 ODBC Client (and DB/2 on an OS/390 mainframe)

    What to do:

        1.) Create a Word document  referring to the database (e.g.  a
            mass mailing letter accessing a DB/2 address database).
        2.) Connect to  the database, enter  your userid and  password
            for the database server in the dialog.
        3.) Save the document  while the database connection  is still
            established (i.e. while you  can still browse through  the
            data in the database).

    The saved Word document  contains your database server  userid and
    password ***in cleartext***!!! (except for a blank inserted  every
    second character, e.g. "pass"  is stored as "p  a s s").   You can
    check  with  any  ASCII  editor,  e.g.  Notepad.  Not good if your
    documents are  on a  fileshare to  which others  have read access,
    even worse if you attach such a document to an external email!

    It  wasn't  checked  if  the  same  is  true  for  other MS Office
    applications  (Excel,  ...)  and  for  other  databases  requiring
    userids and  passwords, but  there are  no reason  why other  ODBC
    connections should behave better.

SOLUTION

    Nothing yet.