Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Microsoft Word documents that "phone" home
From: Don Halterman <dhalterm () CSC COM>
Date: Thu, 31 Aug 2000 12:15:37 -0400

I read the MS response to this as suggested.  Their page fails to mention
some things:

1.  The "web bug"--more aptly called the transparent GIF exploit--has been
known for some time.  They are correct to state that it is not just a Word
problem.  However, most casual users of Word, like myself, would never
expect such a thing embedded in a Word document.  Now I am beginning to
understand why I have received spam in the past that was sent attached as a
Word document--highly unusual.

2.  Those of us who are at least somewhat aware of security will be on our
guard when on the web.  It's a jungle out there.  However, the sample Word
document   still performed as expected when I had it detached and opened
it.  For those with DSL or cable modems, web-connected LAN's, or who happen
to be dialed in to their ISP at the time, this is most insidious.

3.  I would expect that IE has distinct features to handle cookies (though
I've never used it); the web page points this out.  However, despite MS's
best efforts to make it otherwise, there are other browsers such as
Netscape and Opera--I saw no mitigation notes for those.

4.  The overall tone of MS's response seems dismissive.  It is not MS's job
to educate the masses on the inner workings of the Internet.  Still, a
further discussion on what these transparent GIF's can do is warranted.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]