[16490] in bugtraq
Re: Microsoft Word documents that "phone" home
daemon@ATHENA.MIT.EDU (Charles Sprickman)
Fri Sep 1 16:49:13 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.4.21.0008311804220.28157-100000@shell.inch.com>
Date: Thu, 31 Aug 2000 18:05:26 -0400
Reply-To: Charles Sprickman <spork@INCH.COM>
From: Charles Sprickman <spork@INCH.COM>
X-To: "Crooks, James" <james.crooks@CA.PWCGLOBAL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <8525694C.0000D242.00@intlnamsmtp20.us.pw.com>
Is anyone aware of whether or not other applications capable of opening
word docs are vulnerable. Examples would be StarOffice and Applixware...
Thanks,
Charles
On Wed, 30 Aug 2000, Crooks, James wrote:
> exploit also affects .rtf files in MS Word 97 (URL in .rtf: gets ignored in MS
> WordPad, gets error message in Lotus Word Pro 97) - I'm getting someone to
> verify operation of Word in MS Office 2000...
> /jc
>
>
>
>
> "Richard M. Smith" <rms@PRIVACYFOUNDATION.ORG> on 08/30/2000 07:52:51 AM
>
> Please respond to "Richard M. Smith" <rms@PRIVACYFOUNDATION.ORG>
> To: BUGTRAQ@SECURITYFOCUS.COM
> cc:
> Subject: [BUGTRAQ] Microsoft Word documents that "phone" home
>
>
>
> Hi,
>
> The Privacy Foundation has just released an advisory
> on an issue that we discovered earlier this month
> in Microsoft Word. We found that it is possible to
> embedded "Web bugs" in Word documents. The Web bugs
> allow the author of a document to track via the Internet
> where a document is being read. The trick could be used
> to monitor leaks of confidential documents from a
> organization to outsiders as well as detecting
> copyright violations. In addition, it is also
> possible to place Web bugs in individual paragraphs
> and detect when the text is copied from one Word
> document to another.
>
> The complete advisory is available at the Foundation's
> Web site:
>
> http://www.privacyfoundation.org/advisories/advWordBugs.html
>
> A demonstration "bugged" document for Word 97 and Word 2000
> has been set up at:
>
> http://www.privacycenter.du.edu/demos/bugged.doc
>
> We also found that Excel 2000 spreadsheet files and
> PowerPoint 2000 slideshows can be "bugged" in the same
> manner.
>
> Richard
>
> ================================================
> Richard M. Smith
> Chief Technology Officer
> Privacy Foundation
>
> Email: rms@privacyfoundation.org
> http://www.privacyfoundation.org
> ================================================
>
>
>
> ----------------------------------------------------------------
> The information transmitted is intended only for the person or entity to which
> it is addressed and may contain confidential and/or privileged material. Any
> review, retransmission, dissemination or other use of, or taking of any action
> in reliance upon, this information by persons or entities other than the
> intended recipient is prohibited. If you received this in error, please
> contact the sender and delete the material from any computer.
>
