http://www.macintouch.com/o98securitysamp.html

Office 98 Security Hole: Samples

Microsoft/Compaq Samples

In researching the long-standing Microsoft Office/OLE security holes, we took a look at some of Microsoft's own Word documents, published on its web site long after the release of its security patch, as well as a Word document posted by Compaq on its web site. These documents, like millions of other MS Office documents, contain extraneous data that may unintentionally reveal sensitive confidential or private information, hidden from view within Word.

A MacInTouch reader who pointed out one of the files wrote:

"You can easily read the name and directory path of the original file, any revisions and who did them with full directory paths (even on the MS server), the directory paths of all attached graphics, and what appear to be registration numbers and passwords associated with each user that saved the file. With enough documents, you could conceivably construct a full directory structure for the entire MS network, and have the machine codes to mimic a computer in the building. Looks like MS has done half of the hacker's work for them... they are a break-in waiting to happen."

In each example below, we show hidden information that is invisible within Word but readily available when the document is opened with a text editor or utility program, such as John Lamb's TextBrowser or Bare Bones Software's BBEdit. We did not do a detailed security analysis of each document, but simply copied out some interesting hidden material. In each case, it is unlikely that the document authors intended to reveal the hidden information in these files, which are now available to millions of people on the Internet, although this information appears far more innocuous than the URLs, source code directories, credit card information and private mail that readers report finding hidden in their Word documents.
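The manual check described above (open the .doc in a text editor and look for paths, names and GUIDs) can be automated so that a document is audited before it is mailed or published. The script below is an added example, not code from MacInTouch, Microsoft or Compaq: it pulls printable ASCII and UTF-16LE runs out of a file and flags UNC paths, drive-letter paths (AutoRecovery and TEMP copies included), GUIDs, URLs and "saved-by" author names. Every name, path and the GUID in SAMPLE_DOC is a constructed placeholder, and SAMPLE_DOC is not a real Word file. Treating the single odd character that precedes each path in the dumps that follow (for instance the "&" before \\WE-OR2\PROD\MS\BSD\Desktop\MIERG.doc: its character code, 38, equals that path's length) as a one-byte length prefix is an assumption drawn from those dumps, not from a format specification.

```python
"""Audit a binary document for hidden strings that could leak metadata.

Added example (not from the MacInTouch page): automates the text-editor
check the page describes by extracting printable ASCII and UTF-16LE runs
from a file and flagging paths, GUIDs, URLs and saved-by names.
"""
from __future__ import annotations

import re


def _saved_by_entry(name: str, path: str) -> bytes:
    """Build a 'Name<len>path' record. ASSUMPTION: the odd character seen
    before each path in the page's dumps is a one-byte length prefix
    (ord('&') == 38 == len(r"\\WE-OR2\PROD\MS\BSD\Desktop\MIERG.doc"))."""
    return name.encode("ascii") + bytes([len(path)]) + path.encode("ascii")


# Constructed sample bytes, NOT a real Word file: OLE2 magic, body text,
# binary filler, two saved-by records, a GUID and a URL stored as UTF-16LE.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    + b"Quarterly review of the modem white paper." + b"\x00" * 8
    + _saved_by_entry("Example Author",
                      r"\\FILESRV\DATA\eauthor\winword\AutoRecovery save of report.asd")
    + b"\x00\x01\x02"
    + _saved_by_entry("Example Author", r"C:\WINDOWS\TEMP\report.doc")
    + b"\x00" * 4
    + "{12345678-ABCD-11D2-9002-000000000000}".encode("utf-16-le")  # placeholder GUID
    + b"\x00" * 4
    + "http://www.example.com/visited".encode("utf-16-le")          # placeholder URL
    + b"\xff\xfe\x00"
)

# What to flag. Paths are matched up to the first control character.
PATTERNS = {
    "unc_path":   re.compile(r"\\\\[\w.-]+\\[^\x00-\x1f]+"),
    "drive_path": re.compile(r"\b[A-Za-z]:\\[^\x00-\x1f]+"),
    "guid":       re.compile(r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?"),
    "url":        re.compile(r"https?://\S+"),
}


def extract_strings(data: bytes, min_len: int = 6):
    """Yield printable runs of at least min_len characters, first the plain
    ASCII ones, then those stored as UTF-16LE (common in binary Office files)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")


def split_saved_by(run: str):
    """Split a 'Name<len>path' run into (name, path) when some character's
    code equals the length of what follows it and a path follows; else None."""
    for i, ch in enumerate(run):
        rest = run[i + 1:]
        if i > 0 and ord(ch) == len(rest) and (
            rest.startswith("\\\\") or re.match(r"[A-Za-z]:\\", rest)
        ):
            return run[:i], rest
    return None


def scan_document(data: bytes, min_len: int = 6) -> list[tuple[str, str]]:
    """Return de-duplicated (tag, value) findings in the order encountered."""
    findings: list[tuple[str, str]] = []
    seen: set[tuple[str, str]] = set()

    def add(tag: str, value: str) -> None:
        if (tag, value) not in seen:
            seen.add((tag, value))
            findings.append((tag, value))

    for run in extract_strings(data, min_len):
        parts = split_saved_by(run)
        if parts:
            add("saved_by_name", parts[0])
            run = parts[1]
        for tag, pattern in PATTERNS.items():
            for m in pattern.finditer(run):
                add(tag, m.group())
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python scan.py some.doc  (defaults to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DOC
    for tag, value in scan_document(blob):
        print(f"{tag:14} {value}")
```

Run it against your own .doc files before sending them out; anything it lists is readable by every recipient with a text editor, whatever the Properties sheet shows. It is a heuristic string search, so it will also miss material that is compressed or encoded in some other way, and a clean report is not proof that nothing is hidden.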
MSIE 4.5 Reviewers Guide

The names "Linda Sorenson" and "Brian Hodges" do not appear anywhere in the document when you are using Microsoft Word, nor do the file names and directories. "Dani Baldwin" is visible if you choose the "Properties" menu item and view Summary, but it does not appear if you ask Word to "Find" the text.

Dani Baldwin
Microsoft Word 8.0
D:\briansnap\more\Picture 5.GIF
D:\briansnap\more\Picture 4.GIF
D:\briansnap\Picture 2.GIF
D:\briansnap\Picture 3.GIF
Microsoft Internet Explorer 4
Dani Baldwin
Linda Sorensonn2ndMicrosoft Word 8.0E
Waggener Edstrom
Microsoft Internet Explorer 4
D:\briansnap\more\tcrop.gif
D:\briansnap\Picture 55.gif
D:\briansnap\more\Picture 5.GIF
D:\briansnap\more\Picture 4.GIF
D:\briansnap\Picture 2.GIF
D:\briansnap\Picture 3.GIF2
D:\briansnap\more\textclup.gif
D:\briansnap\more\explorer.gif
D:\briansnap\more\favs.gifz!D:\briansnap\more\Picture 16.GIF
D:\briansnap\more\printopt.gif
D:\briansnap\more\Picture 21.GIF
D:\briansnap\more\Picture 20.GIF
D:\briansnap\Picture 56.gif
D:\briansnap\more\Picture 23.GIF
D:\briansnap\more\Picture 2.GIF
D:\briansnap\Picture 6.GIF
D:\briansnap\more\explorer.gif
D:\briansnap\more\favs.gif
D:\briansnap\more\Picture 16.GIF
D:\briansnap\more\printopt.gif
D:\briansnap\more\Picture 21.GIF
D:\briansnap\more\Picture 20.GIF
D:\briansnap\Picture 56.gif
D:\briansnap\more\Picture 23.GIF
D:\briansnap\more\Picture 2.GIF
D:\briansnap\Picture 6.GIF
Dani Baldwin&\\WE-OR2\PROD\MS\BSD\Desktop\MIERG.doc
Dani Baldwin&\\WE-OR2\PROD\MS\BSD\Desktop\MIERG.doc
Dani Baldwin=\\WE-OR2\DATA\dbaldwin\winword\AutoRecovery save of MIERG.asd
Dani Baldwin=\\WE-OR2\DATA\dbaldwin\winword\AutoRecovery save of MIERG.asd
Dani Baldwin=\\WE-OR2\DATA\dbaldwin\winword\AutoRecovery save of MIERG.asd
Dani Baldwin=\\WE-OR2\DATA\dbaldwin\winword\AutoRecovery save of MIERG.asd
Dani Baldwin=\\WE-OR2\DATA\dbaldwin\winword\AutoRecovery save of MIERG.asd
Linda SorensonC:\windows\TEMP\MIERG.doc
Brian Hodges#C:\WINDOWS\Desktop\MIERG 120898.doc
Linda Sorenson?\\WE-WA2\DATA\LindaS\Macintosh\Press materials\MIERG 120898.doc

MSIE/OE 4.5 Innovation

This example shows information leaks similar to those of the previous example:

\\Macbu\public\maclogo\Maclarge.gif
Prill$C:\WINDOWS\TEMP\MacInnovations22.doc
Linda Sorenson\\WE-WA2\DATA\LindaS\MacInnovations22.doc
Dani Baldwin\\WE-OR2\PROD\MS\BSD\Desktop\InnovaPR.doc
Dani Baldwin\\WE-OR2\DATA\dbaldwin\winword\AutoRecovery save of InnovaPR.asd
Dani Baldwin C:\temp\AutoRecovery save of InnovaPR.asd
Dani Baldwin C:\TEMP\AutoRecovery save of InnovaPR.asd
Linda Sorenson \\WE-WA2\DATA\LindaS\Macintosh\Press materials\InnovaPR.doc
Brian Hodges C:\WINDOWS\Desktop\InnovaPR new.doc
Linda Sorenson C:\windows\TEMP\InnovaPR.doc
Linda Sorenson9\\WE-WA2\DATA\LindaS\Macintosh\Press materials\Innova.doc
Microsoft Internet Explorer 4
Linda Sorenson

MSIE 4.5 Fact Sheet

Here we can identify some new people involved in the project, although their names, too, are invisible within Microsoft Word. Note also the presence of the "GUID" fingerprint:

_PID_GUID_PID_HLINKSAN{2DD3214D-64E7-11D2-9002-0000C0657DF9
\\Macbu\public\maclogo\macsmal2.gif
\\Macbu\public\maclogo\macsmal2.gif
\\Macbu\public\maclogo\macsmal2.gif
\Macbu\public\maclogo\macsmal2.gif
\\Macbu\public\maclogo\macsmal2.gif
\\Macbu\public\maclogo\macsmal2.gif
\\Macbu\public\maclogo\macsmal2.gif
\\Macbu\public\maclogo\macsmal2.gif
\\Macbu\public\maclogo\macsmal2.gif
\\Macbu\public\maclogo\macsmal2.gif
\\Macbu\public\maclogo\macsmal2.gif
Baldwin\\WE-OR2\PROD\MS\BSD\Desktop\4.5IEFS.doc
Jodi Ropert C:\WINDOWS\TEMP\4.5IEFS.doc
Jodi Ropert C:\WINDOWS\TEMP\4.5IEFS.doc
Dani Baldwin\\WE-OR2\DATA\dbaldwin\winword\AutoRecovery save of 4.5IEFS
Christina Snavely \\WE-OR2\PROD\MS\BSD\Desktop\4.5IEFS.doc
Linda Sorenson:\\WE-WA2\DATA\LindaS\Macintosh\Press materials\4.5IEFS.doc
Brian Hodges C:\WINDOWS\TEMP\AutoRecovery save of 4.asd
Brian Hodges"C:\WINDOWS\Desktop\4.5IEFS new.doc
Linda Sorenson \\WE-WA2\DATA\LindaS\Macintosh\Press materials\4.5IEFS new.doc

Compaq Modem Overview

In the Word document posted by Compaq, we again find the name of the author, even though he is not listed in the Properties sheet, plus his file and directory names and the GUID information:

Greg Bretting%C:\My Documents\modem white paper.doc
Greg Bretting%C:\My Documents\modem white paper.doc
Greg Bretting%C:\My Documents\modem white paper.doc
Greg Bretting%C:\My Documents\modem white paper.doc
Greg Bretting%C:\My Documents\modem white paper.doc
Greg Bretting%C:\My Documents\modem white paper.doc
Greg Brettin %C:\My Documents\modem white paper.doc
Greg Bretting:C:\WINDOWS\TEMP\AutoRecovery save of modem white paper.asd
Terry Durham%C:\My Documents\modem white paper.doc
C:\S&S_dataprep\White Papers\NEW\prt005a0798.doc
_PID_GUID_PID_HLINKSAN{EB8A944A-2068-11D0-BD46-00AA00A42EA1}Al
C:\cpq_logo\REDCPQSM.BMP

More MacInTouch Reader Experiences

From: [MacInTouch reader]
Subject: word98 security issue, it's bigger than you think.
Date: Wed, 10 Mar 1999

I have to remain anonymous about this please, because of the implications this might have. I am a developer and I occasionally use word98 for reports and such. Reading your report yesterday about the security issue, I wanted to see if it was true. I opened one of my old word docs in codewarrior (after changing the file type/creator codes) and found that there were not only directory listings to source code I was working on at the time, but also names of specific functions within the source. These things were not mentioned anywhere within the document I typed, but they are embedded in my file. I can supply you with the file if you like, but I'd rather not because it has my name in it and I think the repercussions of this could be rather large. If you have any questions about this, feel free to send them to me.
Date: Wed, 10 Mar 1999 12:04:01 -0500
From: Joe Gudac
Organization: Gudac Bowling Lanes
Subject: Word Info

Ric,

After reading about all these problems with the info Word stores with its files I decided to look at some of the files I had for my business. I picked a simple file that only had my business letterhead and address info and business tax id numbers that I had to give to our bank recently. When looking at the file in canopener I was astonished to find that the file had information from other files containing my credit card numbers and personal information about myself and my family.

I have tried for the past several years to not be a Microsoft basher and have tried to learn as much about their software applications to keep myself up to date with the standard business technology, but this is absurd. This along with some of the testimony that has been presented in their antitrust trial I am terrified that they are big brother and may be more corrupt than our government. If that isn't a scare.

Enjoy your information and keep up the great web site.

Regards,
Joseph J Gudac Jr

Date: Mon, 15 Mar 1999
From: [MacInTouch reader]
Subject: WORD SECURITY

*** Please keep the following anonymous:

I too have stopped defending Microsoft. I work for a *major* Internet company at a fairly high level. This morning I too looked at a report I submitted last week using Notepad. Not ONLY did it have my name and directories on my hard drive, but it had information on OTHER applications that are totally unrelated to MS Word in it! These apps are competitors of MS (not that many aren't these days). BUT I think the most disturbing was this: all my reports have the same filename except for the date (contained in the filename too). The paths to EVERY report in that directory were there too.

In a world where the economy is changing (mostly for the better I like to think) it's SAD to think actions like these undermine the trust people place in companies that work hard. People should be empowered and educated about technology, not intimidated and afraid because of it. I believe Microsoft is validating a LOT of people's fears about privacy and security unnecessarily.

--- Concerned.

Date: Mon, 15 Mar 1999 10:52:00 -0500 (EST)
From: Oj Ganesh
To: MacInTouch
Subject: Microsoft security

I read with interest your stories and updates concerning GUID numbers and other personal information being found in documents created by microsoft programs. Thanks for all the updates and keeping with the story.

Yesterday I finally got around to removing some original software that my imac came with, when I noticed a control panel called "Configuration Manager". In it was a section called "Cookies", which (when clicked on) displayed *Some* cookies on my system. Two of the cookies immediately caught my attention since I had never visited the sites with my imac. They were: microsoft.com and msn.com, they both had the name "MC1" and they were 'enabled'. Double clicking on the cookies brought up the Cookie Properties box which had this shocking line: "Value: GUID=(my GUID presumably)". I couldn't believe it! Both cookies were identical (both were also set to expire on "Expires: Wed, Sep 15, 1999 7:00 PM GMT") in every respect. The "Configuration Manager" control panel is apparently made by Microsoft (as the about box says)...

Thanks, keep up the good (Mac) work,
-Oj

Date: Mon, 15 Mar 1999 11:10:49 -0600
To: notes@macintouch.com
From: [MacInTouch reader]
Subject: Microsoft Security Issues

Ric,

This may have been reported prior, and it may be less intrusive than the Microsoft issues, but we seem to be ignoring the fact that many other applications besides those from Microsoft carry artifacts from files unrelated to the current one. For the most part these are data that we'd rather not be seen by others. At the moment, I'm referring specifically to Adobe PageMaker.

PageMaker files opened in Can Opener reveal lots of extraneous data - directory paths, hard drive names, file names that appear to be unrelated to the current file, and perhaps references to other sensitive data. These are data that are not visible and cannot be found or expunged by any normal means. In addition to embedding directory paths, filenames, etc., related to the current file, it seems that whenever you do a "save as" in PageMaker a lot of data from the original file become permanent and reside in that and all future iterations, or saved as versions, of that file. The data can compound to become an interesting record in its own right.

Lots of folks transfer lots of data in the form of PageMaker files and I'll wager that few of them are aware of the nature of some of the data they're "making public" when they do. Maybe some of the more experienced (than me) sleuths will care to comment on PageMaker too?

Date: Mon, 15 Mar 1999 12:54:31 -0500
Subject: Word Privacy Problems
From: "Jeremy LaCivita"
To: notes@macintouch.com

Unbelievable! After reading your section on Word privacy issues, I opened up a paper I wrote last week in BBEdit. In addition to a bunch of paths on my machine (which is somewhat understandable) I found addresses of all the sites I had visited that night (using Internet Explorer):

3Com/Palm Computing - Macintosh
The Apple Store (U.S.)
The Apple Store (U.S.)

In other documents I found information about my email account like my mail server. Who knows what other information is hidden in the document mixed in with all of the gibberish. This really bothers me! The paths to images used in the file is somewhat understandable and relevant, but this is completely irrelevant, and I really think Microsoft needs to explain themselves.

Jeremy

Date: Tue, 16 Mar 1999 01:46:52 +0100
Subject: word98 security - history recorded
From: altair@bigfoot.de
To: notes@macintouch.com

Encouraged by the interesting reports about security problems in word98 docs I carefully examined some of my files with a text editor. Guess what. The complete history of some documents I've been using for a year has been recorded in the file (different OS versions, different machines to be identified by their owner's names and different hierarchical file structures were all plainly visible). Obviously previous versions of word (at least word 6) own this special "recording feature", too. Isn't it nice? Thank you, Big Bill, this is exactly what users needed most.

Date: Mon, 15 Mar 1999 13:05:59 -0700
Subject: Word98
From: "Kanton Budge"
To: notes@macintouch.com

This is absolutely atrocious! I opened a few Word 98 documents I wrote some weeks ago related to my business. They contained information from cookies found in Internet Explorer about sites I've visited that day. I also copied and pasted information from an email sent to me via Outlook Express 4.5 into a word document and found links to information about web links! This is extremely serious. I could take a document sent to me from a potential employee or business associate and find out what their registered Office 98 name is, what web sites they've visited, and potentially what email addresses are related to them!