
New MS Word security bug (97, 2K, and 2002)
Thread poster: cheungmo
cheungmo
English to French
+ ...
Sep 16, 2002

I was waiting for an official acknowledgment from Microsoft before posting this here.



A security problem involving hidden field codes in MS Word has recently (Aug 26) been discovered that allows someone to retrieve a file from any PC as long as:

(Word 97) the file is opened, modified, and saved

(Word 2K and 2002) when the file is opened, modified, printed, and saved.



The bug attaches a file that is presently in your computer to the Word file so that when you return the file, the recipient now has a copy of that file.



This assumes, of course, that the recipient knows where, exactly, on your computer, the file is, but most people install software "as is" and accept the default settings, including which directory the software is installed in (which would provide a competitor - like an agency a translator is working for - an easy way to steal a client list).



Microsoft has finally acknowledged the security problem Friday and has no idea when it will issue a patch or a workaround.



This is a great argument for refusing to accept files from clients that require that a macro be turned on (as well as any other automation in Word...).



Short version of the story here:

http://zdnet.com.com/2100-1104-957786.html





I'll post anything new I hear about.





Pierre



ps: you can bitch to Bill at billg@microsoft.com (but I doubt you'll get a response)


Ken Cox  Identity Verified
Local time: 11:35
German to English
+ ...
it's not a bug, it's a feature... Sep 16, 2002

Seriously, this is not a 'bug' (= something that doesn't work properly), but in fact a feature of Word that can be abused.



Also, I'm not sure that disabling macros or Word automation would be of any help here. The field codes are handled by routines in Word that may be like user-generated macros (I don't know this for sure), but they are not the same as user-generated macros.



What might help is to disable updating links and field codes when printing (under Preferences>Printing), since this will prevent Word from including the desired 'stealth file' in the document.



Also, if you suspect that something like this is present in a file, under Preferences>View, enable Display Field Codes and then do a search for Fields. I just tried this with a field code whose font colour is set to white, and it displays quite legibly when selected by the search (in Word 2001 (Mac)). Once you have located such a field, if you think it's bogus, just zap it!



Finally, don't just use standard folder and file names -- create your own, and (even better) get a disk partitioning utility and partition your hard disk so you can put your documents on a separate volume. Then they will be 'invisible' to a hard-coded path name using standard folder and file names.


Ken Cox  Identity Verified
Local time: 11:35
German to English
+ ...
minor correction to my reply Sep 16, 2002

That should be disabling 'Update fields' and 'Update links' under Preferences>Print (the naming may be slightly different in the Windows versions).



Presumably, if you received the original document from someone else, all the links point to documents that are not on your system, and as for the fields, you can update the ones you want to update (such as cross references and TOCs) by selecting them and pressing F9.


cheungmo
English to French
+ ...
TOPIC STARTER
It ain't a feature, it's a bug Sep 17, 2002

I've worked with software that updates whatever one is working on from a separate file or files since 1992.



Yes, the concept has been around since that time. Longer, even.



The problem is the way Microsoft does this: the source file is incorporated into the Word file, which is stupid. And for two reasons.



First reason

Incorporating the file causes the problems described in my first post.



Second reason

It defeats the entire purpose of live updates of source files when working within a group. By source files I mean files that a document file draws information from (a graphic element, a chart, etc.).



Let's say someone modifies the source file *after* the document file has been printed and otherwise modified (changing the text). I then send the document file to my correspondent (a service bureau, let's say).



My correspondent does not get the latest version of the document file; he gets the version that includes the source file as it existed at the time I printed it. Not the latest version.



Dumb, dumb, dumb.



It's a bug. A design bug.







Pierre



Ken Cox  Identity Verified
Local time: 11:35
German to English
+ ...
you're right, but... Sep 17, 2002

I agree that the implementation of incorporating the included text in the Word document is 'dumb' if what you want is true live updating, but that's a separate issue -- and maybe MS were not entirely dumb in making this choice, since the average user is probably more interested in making sure the included text doesn't get 'lost' than in having true live updating.



As far as dealing with someone abusing this feature to surreptitiously copy a file, another tip: to easily see whether this trick may be present in a document, open the document in a good editor program (on the Mac, use BBEdit (or the Light version)) and search for the field code (INCLUDETEXT).


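The search for INCLUDETEXT suggested in the last reply, as an added example that is not part of the original thread: a raw byte scan of a received file that also catches field codes stored as UTF-16LE, which an ASCII search in a text editor can miss. It assumes the Word 97-2003 binary format, where a field code sits between the marks 0x13 and 0x14/0x15, and it does not parse the OLE container, so a field split across non-contiguous sectors would be missed. The name `find_includetext` and the sample paths are constructed for illustration.

```python
import re
import sys

# Field marks Word 97-2003 stores in a .doc text stream: begin, separator, end.
FIELD_BEGIN, FIELD_SEP, FIELD_END = 0x13, 0x14, 0x15

def _pattern(width):
    """Regex for an INCLUDETEXT field stored with `width` bytes per character."""
    def ch(code):
        return re.escape(bytes([code]) + b"\x00" * (width - 1))
    keyword = b"".join(ch(c) for c in b"INCLUDETEXT")
    stop = b"(?:" + ch(FIELD_SEP) + b"|" + ch(FIELD_END) + b")"
    # Capture the field argument (the referenced path), at most 260 characters.
    return re.compile(
        ch(FIELD_BEGIN) + b"(?:" + ch(0x20) + b")*" + keyword
        + b"((?:.{%d}){1,260}?)" % width + stop,
        re.DOTALL | re.IGNORECASE)

def find_includetext(data):
    """Return sorted (offset, field argument) pairs found in raw file bytes."""
    hits = []
    # Word stores text either 8-bit (cp1252) or as UTF-16LE; an ASCII search
    # for "INCLUDETEXT" may miss the second form because of the NUL bytes.
    for width, codec in ((1, "cp1252"), (2, "utf-16-le")):
        for m in _pattern(width).finditer(data):
            hits.append((m.start(), m.group(1).decode(codec, "replace").strip()))
    return sorted(hits)

# Constructed sample bytes (not a real .doc): one 8-bit and one UTF-16LE field.
SAMPLE = (b"Dear translator, please revise.\r"
          b'\x13 INCLUDETEXT "C:\\\\example\\\\list.txt" \x14\x15'
          + '\x13 INCLUDETEXT "C:\\\\example\\\\notes.txt" \x14\x15'.encode("utf-16-le"))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, arg in find_includetext(data):
        print(f"offset {offset:#x}: INCLUDETEXT {arg}")
```

Any hit whose argument points at a local path the sender could not legitimately know about is a reason to inspect the document with field codes displayed before editing, printing or returning it.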
 

