The Web    Google
Will Users of Word 97 'Bug' Out?

Will Users of Word 97 'Bug' Out?
September 13, 2002

After a new outcry over a flaw that could allow a user to "bug" a Word document being sent to another user for review, Microsoft (Quote, Chart) says it is working on a fix.

In a statement issued Thursday, the Redmond, Wash.-based software giant said it would definitely repair the problem, but was unclear whether it would fix the flaw only for owners of the most recent versions of the software.

While all versions of Word are susceptible to the flaw, the problem is most severe in Word 97. If Microsoft proceeds with a fix only for newer versions of the software, it could leave millions of users of Word 97 hanging in limbo.

The attack, which was recently rediscovered in a report by Qualcom employee Alex Gantman, sends the victim a "bugged" document, which embeds the INCLUDETEXT field into the document. The field results in inclusion of a specified file into the current document.

The document is usually accompanied with a request that the document be revised and returned to the sender.

The attacker would likely make hide the INCLUDETEXT field by using hidden text, small white font, or other tricks. Alternatively, the attacker could embed the INCLUDETEXT field within a dummy IF field that always returns an empty string. In this case, the only way to detect the included file is if to browse through field codes.

When the document is changed and sent back, the file the attacker wants to steal is attached.

According to the Associated Press, Microsoft says an attacker would have to know the exact file name to be stolen and its location. But many critical files an address book or saved e-mails, for example are usually in obvious or predictable places on every Microsoft Windows computer.

Word 97, still widely-used in both the home and small offices, is most susceptible to the attack. According to the AP, Microsoft said it is its policy to no longer repair Word 97, but said the company is still exploring the issue.

According to Gantman's report, the only countermeasure to be taken, if you must send and edit documents, is to manually go through the fields in the document to look for code or write a scanner to search the fields.

  • 7/30: Tompai-A Has Backdoor Functionality
  • 4/8: Cabir-J Worm Affects Symbian Phones
  • Securing the DoJ
  • 4/29: Bropia-AJ Worm Messages IM Users
  • Neoteris Extends Gateway Access
  • 2/28: Elitper-A Worm Uses MAPI
  • 2/8: Wallz Worm Exploits LSAS Flaw
  • Teen Held For Allegedly Swiping Code
  • 6/9: Downloader.GK a 'High Threat'
  • 3/4: Rbot-WV Worm Uses Bad Passwords
  • 11/11: Masteq-H Trojan Runs Silently
  • Compare Security Camera Products