[16485] in bugtraq
Re: Microsoft Word documents that "phone" home
daemon@ATHENA.MIT.EDU (Rob Slade, doting grandpa of Ryan )
Fri Sep 1 15:19:26 2000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Message-ID: <200009011724.NAA26902@hme0.mailrouter03.sprint.ca>
Date: Fri, 1 Sep 2000 10:24:39 -0800
Reply-To: rslade@sprint.ca
From: "Rob Slade, doting grandpa of Ryan and Trevor" <rslade@sprint.ca>
X-To: "Richard M. Smith" <rms@PRIVACYFOUNDATION.ORG>,
rms@PRIVACYFOUNDATION.ORG
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <NDBBKGHPMKBKDDGLDEEHGEMCEHAA.rms@privacyfoundation.org>
> Date: Wed, 30 Aug 2000 10:52:51 -0400
> From: "Richard M. Smith" <rms@PRIVACYFOUNDATION.ORG>
> The Privacy Foundation has just released an advisory
> on an issue that we discovered earlier this month
> in Microsoft Word. We found that it is possible to
> embedded "Web bugs" in Word documents. The Web bugs
A most interesting ... "function" in Word. I do not use Word, of course,
because of the security problems, and generally rely on WordViewer to check
documents. However, from the detail presented on your Web site, it wasn't
clear whether WordViewer was subject to the same (or similar) bugging activity.
So I tried it.
I downloaded the document, and opened it first in Word, to see what would
happen. Then I tried it in WordViewer. WordViewer is subject to the bugging
activity, but not quite in the same way. In WordViewer, there is obviously
some function lacking that does not result in your second "gotcha" display.
Because of this failure, WordViewer makes repeated accesses to the server. (If
you will check your server logs, you will find a few hundred requests from the
same address all within the space of a minute or two.) Obviously some
functionality is missing, but the combination of WordViewer and Web bugs would
seem to have all the makings of a good denial of service attack. For both the
client and the server :-)
====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
Absurdiveness Training: Don't get even, get odd.
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
