COMMAND

    Word

SYSTEMS AFFECTED

    Word

PROBLEM

    The Privacy Foundation released an advisory on an issue that they
    discovered earlier this month in Microsoft Word.  They found that
    it is possible to embed "Web bugs" in Word documents.  The Web
    bugs allow the author of a document to track via the Internet
    where a document is being read.  The trick could be used to
    monitor leaks of confidential documents from an organization to
    outsiders as well as to detect copyright violations.  In addition,
    it is also possible to place Web bugs in individual paragraphs and
    detect when the text is copied from one Word document to another.

    The complete advisory is available at the Foundation's Web site:

        http://www.privacyfoundation.org/advisories/advWordBugs.html

    A demonstration "bugged"  document for Word  97 and Word  2000 has
    been set up at:

        http://www.privacycenter.du.edu/demos/bugged.doc

    They also found that  Excel 2000 spreadsheet files  and PowerPoint
    2000 slideshows can be "bugged" in the same manner.

    Exploit also affects .rtf files in MS Word 97 (URL in .rtf: gets
    ignored in MS WordPad, gets error message in Lotus Word Pro 97).

    Testing the demonstration "bugged" documents in MacOS Office 98:

        - Word 98 - works as advertised
        - Excel 98  - image doesn't  load, "file error,  data may have
          been lost".
        - PowerPoint 98 - image doesn't load, but error message  looks
          like it  could work  with minor  tweaking (image "ttp://..."
          couldn't be loaded).

    Microsoft  has  posted  a  response  to  this  advisory,  entitled
    "Cookies and Word Documents", available at

        http://www.microsoft.com/technet/security/cookie.asp

    MS fails to mention some things:
     1. The  "web  bug"--more   aptly  called  the  transparent    GIF
        exploit--has been known  for some time.   They are correct  to
        state  that  it  is  not  just  a Word problem.  However, most
        casual users of Word, like  myself, would never expect such  a
        thing  embedded  in  a  Word  document.   Now you may begin to
        understand why  you received  spam in  the past  that was sent
        attached as a Word document--highly unusual.
     2. Those of us who are  at least somewhat aware of security  will
        be on our  guard when on  the web.   It's a jungle  out there.
        However, the sample Word document still performed as  expected
        when you had it  detached and opened it.   For those with  DSL
        or  cable  modems,  web-connected  LAN's,  or who happen to be
        dialed in to their ISP at the time, this is most insidious.
     3. One  would  expect  that  IE  has distinct features to  handle
        cookies; the web page points this out.  However, despite  MS's
        best efforts to  make it otherwise,  there are other  browsers
        such as Netscape and Opera.
     4. The overall tone of MS's response seems dismissive.  It is not
        MS's job to  educate the masses  on the inner  workings of the
        Internet.   Still,   a  further  discussion   on  what   these
        transparent GIF's can do is warranted.

    This loading of external URLs could also be used to cause the
    viewer of the document to visit web sites they did not intend to
    visit and that they might catch some heat for visiting (e.g., porn
    sites).  Web page authors already have this ability, though in the
    document case, it may be possible to obscure the origin of the
    document.

    WordViewer is subject  to the bugging  activity, but not  quite in
    the same  way.   In WordViewer,  there is  obviously some function
    lacking  that  does  not  result  in your second "gotcha" display.
    Because of  this failure,  WordViewer makes  repeated accesses  to
    the server.  (If you will check your server logs, you will find  a
    few hundred requests  from the same  address all within  the space
    of a  minute or  two.)   Obviously some  functionality is missing,
    but the combination of WordViewer and Web bugs would seem to  have
    all the makings of a good denial of service attack, for both the
    client and the server.

SOLUTION

    Nothing yet.   See MS  URL above.   The Foundation  advisory notes
    that ZoneAlarm  may be  used to  prevent Word  and other  specific
    applications  from  making  network  connections.   It  was   also
    verified  that  Norton  Internet  Security  can  be  configured to
    catch  and  block  (automatically  or  on  a  per-incident  basis)
    connection  attempts  from  WordView;  blocking  other Office apps
    should work just as well.   If NIS is configured in  high-security
    mode, it will catch connections  for which no rule exists  yet, so
    you  don't  have  to  pre-configure  block  rules  for all of your
    Office apps.

    StarOffice 8 seems to be clean.
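
    To check a document before opening it, the following added example
    (not part of the Foundation advisory or of any vendor tool) scans the
    raw bytes of an .rtf or Word 97/2000 .doc file for remote picture
    links.  It assumes the bug is stored as an INCLUDEPICTURE field, a
    name that does not appear in the text above; the hosts in the samples
    are constructed.

```python
import re

# Assumption (not stated on the page): the bug is a *linked* picture, which
# Word stores as an INCLUDEPICTURE field whose argument is the image URL.
_URLPAT = r'(?:https?|ftp)://[^\s"\\}<>\x00-\x1f]+'
_FIELD = re.compile(r'INCLUDEPICTURE\s+"?(' + _URLPAT + r')', re.I)
_URL = re.compile(_URLPAT, re.I)


def _views(data: bytes):
    """Yield text views of the raw bytes: 8-bit, then UTF-16LE at both alignments."""
    yield data.decode("latin-1")
    for offset in (0, 1):
        chunk = data[offset:]
        yield chunk[: len(chunk) // 2 * 2].decode("utf-16-le", errors="replace")


def find_remote_links(data: bytes):
    """Return sorted (kind, url) pairs found in an .rtf or binary .doc file.

    kind is 'linked-picture' (fetched when the document is opened) or 'url'
    (any other URL, e.g. an ordinary hyperlink; listed for manual review).
    """
    hits = {}
    for text in _views(data):
        for m in _FIELD.finditer(text):
            hits[m.group(1)] = "linked-picture"
        for m in _URL.finditer(text):
            hits.setdefault(m.group(0), "url")
    return sorted((kind, url) for url, kind in hits.items())


# Constructed samples (hypothetical hosts), not taken from the demo document.
SAMPLE_RTF = (rb'{\rtf1\ansi{\field{\*\fldinst { INCLUDEPICTURE '
              rb'"http://tracker.example/bug.gif?doc=42" \\d }}{\fldrslt }}}'
              rb'\par See http://www.example.com/page for details.}')
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00" +  # OLE magic + odd pad
              '\x13INCLUDEPICTURE "http://tracker.example/p.gif" \\d\x14\x15'
              .encode("utf-16-le"))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for kind, url in find_remote_links(fh.read()):
                print(f"{path}: {kind}: {url}")
```

    This is a byte-level heuristic, not a parser for either file format,
    so a clean result does not prove that a document has no remote links.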