Security Flaw in Word Traced to Fields

Software developers recently discovered a new security flaw in Word. It seems that in a shared-document environment, it is possible to create a document that includes no macros, but still can "pull" sensitive information from your computer and return it to the document's originator. To exploit the flaw, all you do is send someone a Word document and ask them to edit it, save the changes, and then return the document to you. When the recipient dutifully returns the edited file, other files on the recipient's computer are captured by the document and carried along with it. You end up not only with the document back but also with other data from the recipient's computer. The flaw is rooted in how Word processes several different fields, including the INCLUDETEXT field. As many of you know, many Word documents are rife with fields, although most of them were thought perfectly harmless until now.

Dubbed the "Document Collaboration Spyware" exploit, this security flaw has been widely reported in different media outlets, and author Woody Leonhard has made it the focus of several of his recent newsletters. In fact, in a newsletter that Woody sent out in the middle of this past week, he even offered his readers a "Field Sniffer." This program is supposed to scan your Word documents and point out any suspicious-looking fields before they cause problems.

Unfortunately, the "Field Sniffer" program is lacking somewhat. For example, as of this writing it can't find fields hidden in certain headers and other locations. Fortunately, software developer and Word MVP Bill Coan has come up with a solution that you can use to find fields in all headers and footers and even in draw objects, text boxes, comments, footnotes, endnotes, and other places where a hacker might choose to hide them. This solution will even find the fields that are completely ignored by Woody's "Field Sniffer."

Bill's Hidden File Detector add-in works with Word 97, Word 2000, and Word 2002--the very versions of Word that are at risk. Best of all, Bill's solution is free.

Hidden File Detector allows you to detect files hidden inside a Word document. Such files can contain sensitive information about you, your e-mail, or your organization. In addition to displaying details about each file hidden inside a document, Bill's software can jump to the exact place in a document where a hidden file is stored, unlike Woody's "File Sniffer." Without the software, users could easily miss files hidden in headers and footers, footnotes, endnotes, comments, or drawing objects.

Bill recommends that users not share Word documents with anyone outside their immediate circle of trust until they've addressed the hidden-file security flaw. He has offered the source code for his add-in to Microsoft, but expects Microsoft to proceed carefully before addressing the security flaw because the mechanism used for hiding files in a document has many legitimate purposes.

If Microsoft disables the ability to add external files to a Word document, most legitimate users would be greatly inconvenienced and their productivity and effectiveness would suffer. Despite all the hoopla and calls for immediate fixes, the long-term solution is likely to involve helping users detect hidden files, rather than eliminating entirely the mechanism by which files can be hidden. Bill's Hidden File Detector provides that benefit now.

For more information on the Hidden File Detector, and to get your free download, visit this page on Bill's site:

http://www.wordsite.com/HiddenFileDetector.html

Bill writes good stuff, by the way. (He wasn't named a Word MVP for nothing, you know.) He is the author of several Word add-in programs, including BoilerPlate and DataPrompter, both available at the Vital News Store (http://store.vitalnews.com).