Web Informant #301, 26 September 2002:

 How to Bug A Word Document

by A.Lizard


[Ed. Note: This essay was written by correspondent A. Lizard, who is an

independent security and computer consultant.]


Anyone who exchanges Word documents has a new security risk. There's a way

to bug Word documents in a way that is invisible to current virus scanners.

It isn't easy (I couldn't get it to work myself but I am not an expert in

Word), but it relies on using a special feature of Word called field codes

that will automatically grab another file when you open the bugged document

and place it inside the current document.


When you send the revised document to the person who requested it, you

deliver the stolen file.  There are also apparently ways of using these

field codes to alter information within a digitally signed document that

allow altering the content and leaving the signature apparently valid. This

is very bad news indeed.


Field codes are markup codes intended to make it possible for dynamic

content to be added to a document. For instance, adding the {DATE} code

to a document means that today's date will be added into the document

whenever it is opened. You can get detailed information on them here.


While the exploiter needs to know filenames, many filenames in Windows and

other programs store files in known locations, such as "My Documents."

Perhaps someone you're involved with in a business level would find your

correspondence of interest. Just grab the Inbox and Outbox files. In Eudora,

for instance, you can find file attachments typically located at

c:\eudora\attach. Most other applications have standard default

locations in which critical files are stored. When all else fails, remember that

directory lists themselves are just files.


The scary part about this is that all versions from Word 95-Word 2002

are at risk, running in any version of Windows since 95. Those of you that are

running Word 95 and 97 won't be happy to learn that Microsoft won't be

providing any fixes for these "antique" versions. We'll get to what

Microsoft is doing (or more accurately, not doing) in a moment.


Turning off macros doesn't work, because this exploit isn't macro-based.

Saving an infected Word file to .RTF or ASCII won't work because the

unauthorized files will be included automatically when you save.

Conventional virus scanners won't find it, because it looks like ordinary

code inside a Word document. We didn't get any replies from Symantec, Trend

Micro, or Sophos about their plans but hope that some day soon they will

wake up to this threat. Frisk Software did reply but told us they won't deal

with this.


This should not affect other word processors like Star/Open Office and

WordPerfect, but you'll probably want to test to be absolutely sure.


So what should you do, now that you've been alerted?


.       Download the version of FieldSniffer here that matches your OS

and version of Office or stand-alone version of Word from Woody's Office

Watch, a newsletter for MS Office users that has been covering this issue ever since

it was discovered. Woody Leonhard is promising updates of the scanner and

continuing coverage. He also stated that there are a number of exploits he's

discovered that he has described to MS but hasn't published yet, and states

that field code exploits have all sorts of nasty possibilities. I suggest

subscribing to his newsletter as I did to keep up.



.       Or, you can open the documents from WordPad and save them in

Word 6 format and all field codes will be removed. This includes everything

that is actually supposed to be there as well, you lose page numbers, titles and

everything else in the headers.

.       Another option is to manually check the field codes. I'd look

for the command INCLUDETEXT followed by a filename, and check the file to see if the

user intended it to point at something on his own drive, say, a document

intended to be included in what you are reading, or a document on YOUR drive

which he wants included in the document but YOU don't. There aren't any

normal or legitimate reasons for using this specific set of instructions in

normal document footers. To display them in Word, go to: Tools > Options >

View > Field Codes checkbox. You'll want to uncheck the box to allow normal

document viewing after you finish. However, unless you're a Word expert, you

're probably better off using the scanner and keeping it current.

.       Don't accept or use Microsoft Office-based digital signatures

because they might be compromised. Use PGP or some other encryption package instead if

you need this feature.

.       Most importantly, check the document just before sending,

especially if you got a warning from FieldSniffer. You might find your document is far

larger after opening than it was when you got it. The difference could be

new text or binary information you didn't ask for, or a whole lot of blank

space at the end of the document. Highlighting that blank space and changing

the font color to black might show you something interesting.


Permanent Fixes


Patches are supposed to be forthcoming for Word2000 and WordXP. However,

this problem has been known in some form for a month and nothing appears to

have happened yet.


As I said earlier, if you are running earlier versions of Word and are

concerned about this exploit, you should upgrade your software. I recommend

getting a non-Microsoft office suite. Corel's Word Perfect, Open Office

(www.openoffice.org) for Windows, and StarOffice for Windows come to mind,

and compatibility between those applications and MS Office should be

adequate for just about everyone. While Word 97 is admittedly old, this

is a defect that was included with the program from the beginning.  We don't know

whether or not if this exploit hasn't been used before. Automotive

manufactures are regularly forced to implement recalls to repair major

safety defects on legacy products, it is too bad Microsoft can't be held to

the same standards.


For more information:


Woody's Office Watch newsletter:




Microsoft responses, including links to knowledgebase articles:


Digital Signatures and Encryption:

http://www.pgpi.com (freeware)

http://www.pgp.com  (commercial version for business use)


To subscribe, send a blank email to:


To unsubscribe, send a blank email to:



Entire contents copyright 2002 by David Strom, Inc. 

David Strom, dstrom@cmp.com, +1 (516) 562-7151

Port Washington NY 11050

Web Informant is (r) registered trademark with the

U.S. Patent and Trademark Office. 

ISSN #1524-6353 registered with U.S. Library of Congress.