by A. Lizard
[Ed. Note: This essay was written by correspondent A. Lizard, who is an independent security and computer consultant.]
Anyone who exchanges Word documents has a new security risk. There's a way to bug Word documents that is invisible to current virus scanners. It isn't easy (I couldn't get it to work myself, but I am not an expert in Word), but it relies on a special feature of Word called field codes that will automatically grab another file when you open the bugged document and place it inside the current document.
When you send the revised document back to the person who requested it, you deliver the stolen file. There are also apparently ways of using these field codes to alter information within a digitally signed document, so that the content is changed while the signature still appears valid. This is very bad news indeed.
Field codes are markup codes intended to let dynamic content be added to a document. For instance, adding the {DATE} code to a document means that today's date is inserted into the document whenever it is opened. You can get detailed information on them here.
While the exploiter needs to know filenames, Windows and many other programs store files in known locations, such as "My Documents." Perhaps someone you're involved with at a business level would find your correspondence of interest; just grab the Inbox and Outbox files. In Eudora, for instance, file attachments are typically located at c:\eudora\attach. Most other applications have standard default locations in which critical files are stored. When all else fails, remember that directory lists themselves are just files.
The scary part about this is that all versions from Word 95 through Word 2002 are at risk, running on any version of Windows since 95. Those of you running Word 95 and 97 won't be happy to learn that Microsoft won't be providing any fixes for these "antique" versions. We'll get to what Microsoft is doing (or, more accurately, not doing) in a moment.
Turning off macros doesn't help, because this exploit isn't macro-based. Saving an infected Word file to .RTF or ASCII won't help either, because the unauthorized files will be included automatically when you save. Conventional virus scanners won't find it, because it looks like ordinary code inside a Word document. We didn't get any replies from Symantec, Trend Micro, or Sophos about their plans, but hope that some day soon they will wake up to this threat. Frisk Software did reply, but told us they won't deal with this.
This should not affect other word processors like StarOffice/OpenOffice and WordPerfect, but you'll probably want to test to be absolutely sure.
So what should you do, now that you've been alerted?
- Download the version of FieldSniffer that matches your OS and your version of Office (or stand-alone Word) from Woody's Office Watch, a newsletter for MS Office users that has been covering this issue ever since it was discovered: http://www.woodyswatch.com/util/sniff/. Woody Leonhard is promising updates of the scanner and continuing coverage. He also stated that there are a number of exploits he's discovered that he has described to MS but hasn't published yet, and that field code exploits have all sorts of nasty possibilities. I suggest subscribing to his newsletter, as I did, to keep up.
- Or, you can open the documents in WordPad and save them in Word 6 format, which removes all field codes. This removes everything that is actually supposed to be there as well: you lose page numbers, titles and everything else in the headers.
- Another option is to check the field codes manually. I'd look for the command INCLUDETEXT followed by a filename, and check whether the filename points at something on the sender's own drive (say, a document intended to be included in what you are reading) or at a document on YOUR drive which the sender wants included in the document but YOU don't. There aren't any normal or legitimate reasons for using this specific set of instructions in normal document footers. To display field codes in Word, go to Tools > Options > View and check the Field Codes box. You'll want to uncheck the box to restore normal document viewing after you finish. However, unless you're a Word expert, you're probably better off using the scanner and keeping it current.
- Don't accept or use Microsoft Office-based digital signatures, because they might be compromised. Use PGP or some other encryption package instead if you need this feature.
- Most importantly, check the document just before sending it, especially if you got a warning from FieldSniffer. You might find your document is far larger after opening than it was when you received it. The difference could be new text or binary information you didn't ask for, or a whole lot of blank space at the end of the document. Highlighting that blank space and changing the font color to black might show you something interesting.
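As an added illustration of the manual check above (my example, not part of the original article or of FieldSniffer), here is a small Python scanner that pulls the field instructions out of an RTF file, the format the article says still carries the fields, and flags INCLUDETEXT fields whose filename is a drive-letter or network path on the reader's machine rather than a companion file. It goes slightly beyond the article by also checking INCLUDEPICTURE, a related Word field that fetches an external file the same way; the RTF sample is constructed for the demonstration, and nested formatting groups inside a field are handled one level deep.

```python
import re

# {\*\fldinst ...} holds a field's instruction; one nested formatting group is allowed (Word writes it that way).
FLDINST_RE = re.compile(r"\{\\\*\\fldinst((?:[^{}]|\{[^{}]*\})*)\}")
# RTF tokens: escaped backslash, control word, control symbol, brace, literal text.
TOKEN_RE = re.compile(r"\\\\|\\[a-zA-Z]+-?\d* ?|\\.|[{}]|[^\\{}]+")
# INCLUDETEXT is the field the article names; INCLUDEPICTURE is added here because it also pulls in a file.
ARG_RE = re.compile(r'^\s*(INCLUDETEXT|INCLUDEPICTURE)\s+(?:"([^"]*)"|(\S+))', re.I)

def rtf_to_text(fragment: str) -> str:
    """Strip RTF control words and braces, keeping the literal text."""
    out = []
    for tok in TOKEN_RE.findall(fragment):
        if tok == "\\\\":                  # RTF writes a literal backslash as \\
            out.append("\\")
        elif tok[0] == "\\" and tok[1].isalpha():
            continue                       # formatting control word, e.g. \insrsid42
        elif tok[0] == "\\":
            out.append(tok[1])             # control symbol, e.g. \{ for an escaped brace
        elif tok not in ("{", "}"):
            out.append(tok)
    return "".join(out)

def field_instructions(rtf: str) -> list:
    """Every field instruction in the document, as plain text."""
    return [rtf_to_text(m.group(1)).strip() for m in FLDINST_RE.finditer(rtf)]

def is_absolute(path: str) -> bool:
    """Drive-letter (c:\\...) or UNC (\\\\server\\share) targets name a fixed place on the reader's side."""
    return bool(re.match(r"^[a-zA-Z]:\\", path)) or path.startswith("\\\\")

def scan(rtf: str) -> list:
    """Return (keyword, path, severity) for every field that includes another file."""
    findings = []
    for instr in field_instructions(rtf):
        m = ARG_RE.match(instr)
        if m:
            path = m.group(2) or m.group(3)
            findings.append((m.group(1).upper(), path,
                             "high" if is_absolute(path) else "review"))
    return findings

# Constructed sample: a harmless DATE field, a relative include a sender might
# legitimately use, and one that points at the reader's own Eudora attachments.
SAMPLE_RTF = (
    r'{\rtf1\ansi Quarterly report, dated '
    r'{\field{\*\fldinst DATE \\@ "d MMMM yyyy"}{\fldrslt 1 May 2002}}'
    r'{\field{\*\fldinst INCLUDETEXT "appendix.doc"}{\fldrslt }}'
    r'{\field{\*\fldinst {\insrsid42 INCLUDETEXT "c:\\eudora\\attach\\mail.txt"}}{\fldrslt }}}'
)
```

A "review" finding is a relative include that may be legitimate; a "high" finding names a fixed location on the reader's machine or network, which the article says has no legitimate use in a document you receive.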
Permanent Fixes
Patches are supposed to be forthcoming for Word 2000 and Word XP. However, this problem has been known in some form for a month and nothing appears to have happened yet.
As I said earlier, if you are running earlier versions of Word and are concerned about this exploit, you should upgrade your software. I recommend getting a non-Microsoft office suite. Corel's WordPerfect, OpenOffice (www.openoffice.org) for Windows, and StarOffice for Windows come to mind, and compatibility between those applications and MS Office should be adequate for just about everyone. While Word 97 is admittedly old, this is a defect that was included with the program from the beginning. We don't know whether or not this exploit has been used before. Automotive manufacturers are regularly forced to implement recalls to repair major safety defects on legacy products; it is too bad Microsoft can't be held to the same standards.
For more information:
Woody's Office Watch newsletter:
Microsoft responses, including links to knowledgebase articles:
Digital Signatures and Encryption:
http://www.pgpi.com (freeware)
http://www.pgp.com (commercial version for business use)
Entire contents copyright 2002 by David Strom, Inc.
David Strom, dstrom@cmp.com, +1 (516) 562-7151, Port Washington NY 11050
Web Informant is a registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with the U.S. Library of Congress.