Microsoft released a security update for Word 97/2000/2002 last month aimed
at preventing file-grabbing fields from automatically updating without the
user's knowledge.
The update also provides for setting Low, Medium, and High Word field security
using a Registry hack.
I've recently developed an add-in which makes the Registry modifications for
you. If you are interested in the details of the patch and want a free copy
of my add-in, read on!
Overview
What field vulnerability you ask?
Certain Word fields could be used to obtain the contents of a file from your
computer without your knowledge.
In a nutshell, here's how it works:
Someone emails you a Word document that contains a hidden Word field which includes
the location and file name of a document on your local or network drive.
You modify the document and email it back to the sender without knowing the
field has updated, and now they have the text from one of your personal files.
October 16th Security Patch
This update is aimed at preventing certain fields from automatically updating
upon opening a document. Those fields are: the DDEAuto field, the Link
field when used with the \a switch, and the Subscribe field, which is used
to link early versions of MacWord (6 and possibly lower) documents to Word for
the PC.
Once the patch is applied, opening a document that contains these fields
while Word is attempting to automatically update them will produce the
following prompt:

If you answer No, the fields will not be updated; however, the aforementioned
fields, and others documented in "How the Behavior of the Word Fields Changes
After You Install the Word Update", can still be manually updated.
Important Note! If you have Update automatic links at Open disabled
under Tools/Options/General, you will not encounter the prompt,
since Word is not attempting to automatically update the fields.
The patch also changes the behavior of the Update Fields option located
under Tools/Options/Print. Once the patch is applied, the documented fields
will not automatically update on printing.
Word Field Security Add-in
While testing the security patch I developed some macros to make the Registry
modifications for me and eventually created the Word Field Security UI (user
interface) add-in.
As previously mentioned, another provision of the patch allows you to modify
Word field behavior using a Registry hack, which provides three levels of field
security:
- Low: No field security.
- Medium: Prompt for confirmation if the document contains fields that
automatically update on Open. Allow manual updates. Disable updates on Print.
- High: Prompt for confirmation if the document contains fields that
automatically update on Open. Disable manual updates. Disable updates on Print.
One drawback is that Word must be restarted before the security level takes
effect, but the add-in will prompt you accordingly.
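To make the patch's field list and the three security levels concrete, here is an added example; it is not part of the original article, of Microsoft's update, or of the Word Field Security UI add-in. It assumes the document text has already been extracted and still carries Word's field delimiters (U+0013 field begin, U+0014 separator, U+0015 field end, the characters that bracket field codes in the binary .doc text stream). The fields it flags (DDEAuto, Link with \a, Subscribe), the Low/Medium/High behaviour and the "Update automatic links at Open" rule come from the sections above; the sample document text, the file paths in it and all function names are constructed for the example.

```python
"""Find Word fields that auto-update on open and show what the patched Word
would do with them at each field security level (added example)."""
import re

FIELD_BEGIN, FIELD_SEP, FIELD_END = "\x13", "\x14", "\x15"

# Fields the article lists as updating automatically when a document is opened.
AUTO_ON_OPEN = {"DDEAUTO", "SUBSCRIBE"}

# The article's three security levels, in ascending strictness.
LEVELS = ("Low", "Medium", "High")


def extract_fields(text):
    """Return every field instruction in `text`, nested fields included.

    A field is: U+0013 <instruction> [U+0014 <cached result>] U+0015.
    Only the instruction matters for security; the result is what the
    reader sees on screen and may be empty or stale.
    """
    fields = []
    stack = []  # one [chars, in_result] record per currently open field
    for ch in text:
        if ch == FIELD_BEGIN:
            stack.append([[], False])
        elif ch == FIELD_SEP and stack:
            stack[-1][1] = True
        elif ch == FIELD_END and stack:
            chars, _ = stack.pop()
            instruction = " ".join("".join(chars).split())
            fields.append(instruction)
            # Leave a marker in the enclosing field so nesting stays visible.
            if stack and not stack[-1][1]:
                stack[-1][0].append("{" + instruction + "}")
        elif stack and not stack[-1][1]:
            stack[-1][0].append(ch)
    return fields


def auto_updates_on_open(instruction):
    """True for DDEAUTO, SUBSCRIBE, and LINK carrying the \\a (auto-update) switch."""
    parts = instruction.split()
    if not parts:
        return False
    name = parts[0].upper()
    if name in AUTO_ON_OPEN:
        return True
    return name == "LINK" and any(p.lower() == "\\a" for p in parts[1:])


def referenced_paths(instruction):
    """Quoted arguments that look like PC file locations (drive letter or UNC share)."""
    return [p for p in re.findall(r'"([^"]*)"', instruction)
            if re.match(r'^(?:[A-Za-z]:\\|\\\\)', p)]


def field_behaviour(level, instruction, update_links_at_open=True):
    """What the patched Word does with `instruction` at a given security level.

    Low: no field security. Medium/High: prompt on open (only when 'Update
    automatic links at Open' is enabled) and no update on print; High also
    blocks manual updates. Fields that never auto-update are left alone.
    """
    if level not in LEVELS:
        raise ValueError("unknown level: %r" % level)
    if level == "Low" or not auto_updates_on_open(instruction):
        return {"prompt_on_open": False, "manual_update": True, "update_on_print": True}
    return {
        "prompt_on_open": update_links_at_open,
        "manual_update": level == "Medium",
        "update_on_print": False,
    }


def scan(text, level="Medium", update_links_at_open=True):
    """Report each auto-updating field with the paths it names and its patched behaviour."""
    findings = []
    for instruction in extract_fields(text):
        if auto_updates_on_open(instruction):
            findings.append({
                "field": instruction.split()[0].upper(),
                "instruction": instruction,
                "paths": referenced_paths(instruction),
                "behaviour": field_behaviour(level, instruction, update_links_at_open),
            })
    return findings


# Constructed document text: one harmless DATE field, a LINK with \a, a DDEAUTO,
# and a SUBSCRIBE nested inside an IF field. Paths are made up for the example.
SAMPLE_TEXT = (
    'Quarterly summary\r'
    '\x13 DATE \\@ "d MMMM yyyy" \x14' '16 October 2002\x15\r'
    '\x13 LINK Excel.Sheet.8 "C:\\Budget\\private.xls" Sheet1!R1C1:R4C4 \\a \x14(table)\x15\r'
    '\x13 DDEAUTO Excel "\\\\fileserver\\finance\\forecast.xls" Sheet1!R1C1 \x14\x15\r'
    '\x13 IF 1 = 1 "\x13 SUBSCRIBE "HD:Reports:Q3" \x14\x15" "" \x14\x15\r'
)

if __name__ == "__main__":
    for finding in scan(SAMPLE_TEXT, "Medium"):
        print(finding["field"], finding["paths"], finding["behaviour"])
```

Running the block as a script lists the three fields that would trigger the patch's prompt; at level Low the same fields update silently, and with "Update automatic links at Open" turned off no prompt appears at any level, which matches the Important Note above.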
Full Security Measures
Last month Dian Chapman, Word MVP and TechTrax Editor, wrote about Word MVP
Bill Coan's Hidden File Detector add-in for Word 97/2000/2002 in
"Security Flaw in Microsoft Word Documents Solved".
Bill's add-in seeks out any hidden information in your Word documents and pinpoints
the exact location.
The Microsoft patch will notify you if fields are being automatically updated,
but if you want to know what and where those fields are located then Bill's
add-in is a necessity. Not to mention I've put his fantastic utility to work
on my own personal documents in which I've used various fields and his field
detector helped me locate them with ease!
Obtaining the Add-ins
Woody Leonhard, Certified Office Victim and publisher of Woody's Office Watch,
has generously bundled both Bill's Hidden File Detector and my Word Field
Security UI in one easy download which should be available in a couple of
weeks. Watch the TechTrax Update Library for details!
How to obtain the October 16th Security Update
Don't have the October 16th Security update? It's available for download for
Word 2000 and Word 2002:
Word 2002: Overview of the Word 2002 SP-2 Update: October 16, 2002
Word 2000: Overview of the Word 2000 SR-1 Update: October 16, 2002
For Word 97 you'll need to contact Microsoft and tell them you are calling
regarding Knowledge Base article Q330080: "Word 97 Is Vulnerable to Security
Issues That Are Documented in MS02-059".
Don't worry, it's quick and painless. I called (800) 936-4900 and had an email
with the information to obtain the patch sitting in my Inbox in about 5 minutes.
In closing, the possibility of someone exploiting the Word field behavior is
present, but they would need to know specific file names and their locations
in order for this to transpire. Granted, there are additional methods one could
use to retrieve a list of files, such as using a macro or additional Word fields,
but the likelihood of this actually happening is low.
However, rarity aside, the simple fact that this issue has received so much public
attention over the last few months is cause enough for you to protect yourself.
Update!
Courtesy of Woody's Office Watch:
Beth Melton's Field Security Thermostat lets you tell the security patch how
to react when it finds certain kinds of potential "spy" fields.
Bill Coan's Hidden File Detector lets you examine a document after Microsoft's
patch alerts you to a problem, and helps you determine whether any potential
"spy" fields are really doing something bad or if they just set
off Microsoft's alarms unnecessarily.
Both of the utilities are free for all WOW (and TechTrax) readers, and they
come with bundled documentation that explains how (and why!) you need to use
them.
See this link for details and to download your copy of these utilities: http://www.woodyswatch.com/util/FieldSecMan/