[FYI] Office 98 Security Hole: Samples
- To: debate@fitug.de
- Subject: [FYI] Office 98 Security Hole: Samples
- From: Horns@t-online.de (Axel H. Horns)
- Date: Fri, 19 Mar 1999 13:47:53 +0100
- Comment: This message comes from the debate mailing list.
- Organization: Private Site
- Reply-to: horns@t-online.de
- Sender: owner-debate@fitug.de
-------------------------------- CUT --------------------------------
Office 98 Security Hole: Samples
Microsoft/Compaq Samples
Reader Experiences
In researching the long-standing Microsoft Office/OLE security
holes, we took a look at some of Microsoft's own Word documents,
published on its web site long after the release of its security
patch, as well as a Word document posted by Compaq on its web
site. These documents, like millions of other MS Office
documents, contain extraneous data that may unintentionally
reveal sensitive confidential or private information, hidden from
view within Word.
A MacInTouch reader who pointed out one of the files wrote:
"You can easily read the name and directory path of the
original file, any revisions and who did them with full
directory paths (even on the MS server), the directory paths
of all attached graphics, and what appears to be
registration numbers and passwords associated with each user
that saved the file. With enough documents, you could
conceivably construct a full directory structure for the
entire MS network, and have the machine codes to mimic a
computer in the building. Looks like MS has done half of the
hacker's work for them... they are a break-in waiting to
happen."
In each example below, we show hidden information that is
invisible within Word but readily available when the document is
opened with a text editor or utility program, such as John Lamb's
TextBrowser or Bare Bones Software's BBEdit. We did not do a
detailed security analysis of each document, but simply copied
out some interesting hidden material. In each case, it is
unlikely that the document authors intended to reveal the hidden
information in these files, which now are available to millions
of people on the Internet, although this information appears far
more innocuous than the URLs, source code directories, credit
card information and private mail that readers report finding
hidden in their Word documents.
[...]
-------------------------------- CUT --------------------------------
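
An added example, not part of the forwarded article or the original post: a pre-publication check that reads a saved document as raw bytes, the way a text editor would, and reports path- and URL-like strings that Word does not display. The sample bytes, the user, server and host names in them, and the three patterns are constructed for illustration.

```python
import re

# Runs of 6+ printable characters, scanned both as single-byte text and
# as UTF-16LE, since a binary document may hold strings in either form.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Patterns for the kinds of residue the article mentions (paths, URLs).
# They are assumptions of this example, not an exhaustive list.
LEAK_PATTERNS = {
    "drive_path": re.compile(r'[A-Za-z]:\\[^\s\\][^<>|"*?]*'),
    "unc_path": re.compile(r'\\\\[\w.-]+\\[^<>|"*?]+'),
    "url": re.compile(r'(?:https?|ftp|file)://[^\s"<>]+'),
}

def printable_runs(data):
    """Yield (offset, text) for each printable run in raw document bytes."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")

def find_leaks(data):
    """Return sorted (offset, kind, value) for path- or URL-like strings."""
    hits = set()
    for offset, text in printable_runs(data):
        for kind, pattern in LEAK_PATTERNS.items():
            for m in pattern.finditer(text):
                hits.add((offset, kind, m.group().rstrip()))
    return sorted(hits)

# Constructed sample bytes standing in for a saved .doc file.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\x00\x01Quarterly report\x00\x03"
    + b"C:\\Users\\jdoe\\Drafts\\report-v3.doc\x00\x07"
    + "\\\\FILESRV01\\finance\\logo.bmp".encode("utf-16-le") + b"\x00\x00\x02"
    + b"http://intranet.example/budget.xls\x00"
)

if __name__ == "__main__":
    import sys
    # With a file argument, audit that file; otherwise use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, kind, value in find_leaks(blob):
        print(f"{offset:#08x}  {kind:10}  {value}")
```

Any hit is a reason to re-export the document from clean content or strip its metadata before it is posted.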