Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Microsoft Word documents that "phone" home
From: Peter Ilieve <peter () ALDIE CO UK>
Date: Sat, 2 Sep 2000 11:36:49 +0100

Charles Sprickman asked:

Is anyone aware of whether or not other applications capable of opening
word docs are vulnerable.  Examples would be StarOffice and Applixware...

I tried it with StarOffice 5.1 (on a Sun running Solaris 8).
I copied bugged.doc to the Sun's local disk and opened it.
StarOffice put up a dialogue box saying:

 Error opening document file:///path/to/bugged.doc:
 The action could not be completed because you are offline.
 Do you want to activate the Online mode??

If I hit the No button it opened the document but didn't fetch the
image. It had a broken image icon and `Read Error' in red at the
top of a bounding box for the image.

I opened it again and hit the Yes button. This time it did load
the image, showing a count of 21,583 and the Sun's hostname.

If I opened bugged.doc again in offline mode it still displayed
the image, but it didn't fetch it again. It must cache it somewhere.

I don't use StarOffice much so hadn't been aware of its offline and
online modes. It has a button at the right hand end of the toolbar
to control this. It defaults to offline.

I'm a bit baffled by Microsoft's response to this. They seem to have
latched onto the word cookies. The main issue is that a document,
a piece of data to most people, phones home and leaves an entry
in a server log when someone looks at this supposed inert data.


                Peter Ilieve            peter () aldie co uk


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault