Type packetstorm
Reporter MacInTouch
Modified 1999-08-17T00:00:00


Office 98 Security Hole: Samples  
Microsoft/Compaq Samples  
Reader Experiences   
In researching the long-standing Microsoft Office/OLE security holes, we took a look at some of Microsoft's own Word  
documents, published on its web site long after the release of its security patch, as well as a Word document posted by  
Compaq on its web site. These documents, like millions of other MS Office documents, contain extraneous data that  
may unintentionally reveal sensitive confidential or private information, hidden from view within Word.   
A MacInTouch reader who pointed out one of the files wrote:   
"You can easily read the name and directory path of the original file, any revisions and who did them  
with full directory paths (even on the MS server), the directory paths of all attached graphics, and what  
appears to be a registration numbers and passwords associated with each user that saved the file.  
With enough documents, you could concievably construct a full directory structure for the entire MS  
network, and have the machine codes to mimic a computer in the building. Looks like MS has done half  
of the hacker's work for them... they are a break-in waiting to happen."   
In each example below, we show hidden information that is invisible within Word but readily available when the  
document is opened with a text editor or utility program, such as John Lamb's TextBrowser or Bare Bones Software's  
BBEdit. We did not do an detailed security analysis of each document, but simply copied out some interesting hidden  
material. In each case, it is unlikely that the document authors intended to reveal the hidden information in these files,  
which now are available to millions of people on the Internet, although this information appears far more innocuous than  
the URLs, source code directories, credit card information and private mail that readers report finding hidden in their  
Word documents.   
MSIE 4.5 Reviewers Guide  
The names "Linda Sorenson" and "Brian Hodges" do not appear anywhere in the document, when you are using  
Microsoft Word, nor do the file names and directories. "Dani Baldwin" is visible if you choose the "Properties" menu  
item and view Summary, but it does not appear if you ask Word to "Find" the text.   
Dani Baldwin  
Microsoft Word 8.0  
D:\briansnap\more\Picture 5.GIF  
D:\briansnap\more\Picture 4.GIF  
D:\briansnap\Picture 2.GIF  
D:\briansnap\Picture 3.GIF  
Microsoft Internet Explorer 4  
Dani Baldwin  
Linda Sorensonn2ndMicrosoft Word 8.0E  
Waggener Edstrom  
Microsoft Internet Explorer 4  
D:\briansnap\Picture 55.gif  
D:\briansnap\more\Picture 5.GIF  
D:\briansnap\more\Picture 4.GIF  
D:\briansnap\Picture 2.GIF  
D:\briansnap\Picture 3.GIF2  
D:\briansnap\more\favs.gifz!D:\briansnap\more\Picture 16.GIF  
D:\briansnap\more\Picture 21.GIF  
D:\briansnap\more\Picture 20.GIF  
D:\briansnap\Picture 56.gif  
D:\briansnap\more\Picture 23.GIF  
D:\briansnap\more\Picture 2.GIF  
D:\briansnap\Picture 6.GIF  
D:\briansnap\more\Picture 16.GIF  
D:\briansnap\more\Picture 21.GIF  
D:\briansnap\more\Picture 20.GIF  
D:\briansnap\Picture 56.gif  
D:\briansnap\more\Picture 23.GIF  
D:\briansnap\more\Picture 2.GIF  
D:\briansnap\Picture 6.GIF  
Dani Baldwin&\\WE-OR2\PROD\MS\BSD\Desktop\MIERG.doc  
Dani Baldwin&\\WE-OR2\PROD\MS\BSD\Desktop\MIERG.doc  
Dani Baldwin=\\WE-OR2\DATA\dbaldwin\winword\AutoRecovery save of MIERG.asd  
Dani Baldwin=\\WE-OR2\DATA\dbaldwin\winword\AutoRecovery save of MIERG.asd  
Dani Baldwin=\\WE-OR2\DATA\dbaldwin\winword\AutoRecovery save of MIERG.asd  
Dani Baldwin=\\WE-OR2\DATA\dbaldwin\winword\AutoRecovery save of MIERG.asd  
Dani Baldwin=\\WE-OR2\DATA\dbaldwin\winword\AutoRecovery save of MIERG.asd  
Linda SorensonC:\windows\TEMP\MIERG.doc  
Brian Hodges#C:\WINDOWS\Desktop\MIERG 120898.doc  
Linda Sorenson?\\WE-WA2\DATA\LindaS\Macintosh\Press materials\MIERG 120898.doc  
MSIE/OE 4.5 Innovation  
This example shows information leaks similar to those of the previous example:   
Linda Sorenson\\WE-WA2\DATA\LindaS\MacInnovations22.doc  
Dani Baldwin\\WE-OR2\PROD\MS\BSD\Desktop\InnovaPR.doc  
Dani Baldwin\\WE-OR2\DATA\dbaldwin\winword\AutoRecovery save of InnovaPR.asd  
Dani Baldwin C:\temp\AutoRecovery save of InnovaPR.asd  
Dani Baldwin C:\TEMP\AutoRecovery save of InnovaPR.asd  
Linda Sorenson \\WE-WA2\DATA\LindaS\Macintosh\Press materials\InnovaPR.doc  
Brian Hodges C:\WINDOWS\Desktop\InnovaPR new.doc  
Linda Sorenson  
Linda Sorenson9\\WE-WA2\DATA\LindaS\Macintosh\Press materials\Innova.doc  
Microsoft Internet Explorer 4  
Linda Sorenson  
MSIE 4.5 Fact Sheet  
Here we can identify some new people involved in the project, although their names, too, are invisible within  
Microsoft Word. Note also the presence of the "GUID" fingerprint:   
Jodi Ropert C:\WINDOWS\TEMP\4.5IEFS.doc  
Jodi Ropert C:\WINDOWS\TEMP\4.5IEFS.docDani Baldwin\\WE-OR2\DATA\dbaldwin\winword\AutoRecovery save  
of 4.5IEFS  
Christina Snavely \\WE-OR2\PROD\MS\BSD\Desktop\4.5IEFS.doc  
Linda Sorenson:\\WE-WA2\DATA\LindaS\Macintosh\Press materials\4.5IEFS.doc  
Brian Hodges C:\WINDOWS\TEMP\AutoRecovery save of 4.asd  
Brian Hodges"C:\WINDOWS\Desktop\4.5IEFS new.doc  
Linda Sorenson \\WE-WA2\DATA\LindaS\Macintosh\Press materials\4.5IEFS new.doc  
Compaq Modem Overview  
In the Word document posted by Compaq, we again find the name of the author, even though he is not listed in the  
Properties sheet, plus his file and directory names and the GUID information:   
Greg Bretting%C:\My Documents\modem white paper.doc  
Greg Bretting%C:\My Documents\modem white paper.doc  
Greg Bretting%C:\My Documents\modem white paper.doc  
Greg Bretting%C:\My Documents\modem white paper.doc  
Greg Bretting%C:\My Documents\modem white paper.doc  
Greg Bretting%C:\My Documents\modem white paper.doc  
Greg Brettin %C:\My Documents\modem white paper.doc  
Greg Bretting:C:\WINDOWS\TEMP\AutoRecovery save of modem white paper.asd  
Terry Durham%C:\My Documents\modem white paper.doc  
C:\S&S_dataprep\White Papers\NEW\prt005a0798.doc  
More MacInTouch Reader Experiences  
From: [MacInTouch reader]   
Subject: word98 security issue, it's bigger than you think.  
Date: Wed, 10 Mar 1999  
I have to remain anonymous about this please, because of the implications this might have.   
I am a developer and I occasionally use word98 for reports and such. Reading your report yesterday  
about the security issue, I wanted to see if it was true. I opened one of my old word docs in codewarrior  
(after changing the file type/creator codes ) and found the there were not only directory listings to  
source code I was working on at the time, but also names of specific functions within the source. These  
things were not menitioned anywhere within the document I typed, but they are embedded in my file. I  
can supply you with the file if you like, but I'd rather not because it has my name in it and I think the  
reprecussions of this could be rather large. If you have any questions about this, feel free to send them  
to me.   
Date: Wed, 10 Mar 1999 12:04:01 -0500  
From: Joe Gudac  
Organization: Gudac Bowling Lanes  
Subject: Word Info  
After reading about all these problems with the info Word stores with it's files I decided to look at  
some of the files I had for my business. I picked a simple file that only had my business letterhead and  
address info and business tax id numbers that I had to give to our bank recently.   
When looking at the file in canopener I was astonished to find that the file had information from other  
files containing my credit card numbers and personal information about myself and my family.   
I have tried for the past several years to not be a Microsoft basher and have tried to learn as much  
about their software applications to keep myself up to date with the standard business technology, but  
this is absurd. This along with some of the testimony that has been presented in their anti trust trial I  
am terrified that they are big brother and may be more corrupt than our government. If that isn't a scare.  
Enjoy your information and keep up the great web site.   
Joseph J Gudac Jr   
Date: Mon, 15 Mar 1999  
From: [MacInTouch reader]  
*** Please keep the following anonymous:   
I too have stopped defending Microsoft.   
I work for a *major* Internet company at a fairly high level. This morning I too looked at a report I  
submitted last week using Notepad. Not ONLY did it have my name and directories on my hard drive,  
but it had information on OTHER applications that are totally unrelated to MS Word in it! These apps  
are competitors of MS (not that many aren't these days). BUT I think the most disturbing was this: all  
my reports have the same filename except for the date (contained in the filename too). The paths to  
EVERY report in that directory were there too.   
In a world where the economoy is changing (mostly for the better I like to think) it's SAD to think  
actions like these undermine the trust people place in companies that work hard. People should be  
empowered and educated about technology, not intimidated and afraid because of it. I believe Microsoft  
is validating a LOT of people's fears about privacy and security unnecessarily.   
--- Concerned.   
Date: Mon, 15 Mar 1999 10:52:00 -0500 (EST)  
From: Oj Ganesh  
To: MacInTouch  
Subject: Microsoft security  
I read with interest your stories and updates concerning GUID numbers and other personal informaion  
being found in documents created by microsoft programs. Thanks for all the updates and keeping with  
the story.   
Yesterday I finally got around to removing some original software that my imac came with, when I  
noticed a control panel called "Configuration Manager". In it was a section called "Cookies", which  
(when clicked on) displayed *Some* cookies on my system. Two of the cookies immediately caught my  
attention since I had never visited the sites with my imac. They were: and, they  
both had the name "MC1" and they were 'enabled'. Double clicking on the cookies brought up the  
Cookie Properties box which had this shocking line: "Value: GUID=(my GUID presumably)". I couldn't  
believe it! Both cookies were identical (both were also set to expire on "Expires: Wed, Sep 15, 1999  
7:00 PM GMT") in every respect.   
The "Configuration Manager" control panel is apparetly made by Microsoft (as the about box says)...   
Thanks, keep up the good (Mac) work,  
Date: Mon, 15 Mar 1999 11:10:49 -0600  
From: [MacInTouch reader]  
Subject: Microsoft Security Issues  
This may have been reported prior, and it may be less intrusive than the Microsoft issues, but we seem  
to be ignoring the fact that many other applications besides those from Microsoft carry artifacts from  
files unrelated to the current one. For the most part these are data that we'd rather not be seen by  
At the moment, I'm referring specifically to Adobe PageMaker. PageMaker files opened in Can Opener  
reveal lots of extraneous data - directory paths, hard drive names, file names that appear to be  
unrelated to the current file, and perhaps references to other sensitive data. These are data that are not  
visible and cannot be found or expunged by any normal means. In addition to embedding directory paths,  
filenames, etc., related to the current file, it seems that whenever you do a "save as" in PageMaker a  
lot of data from the original file become permanent and reside in that and all future iterations, or saved  
as versions, of that file. The data can compound to become an interesting record in its own right.   
Lots of folks transfer lots of data in the form of PageMaker files and I'll wager that few of them are  
aware of the nature of some of the data they're "making public" when they do.   
Maybe some of the more experienced (than me) sleuths will care to comment on PageMaker too?   
Date: Mon, 15 Mar 1999 12:54:31 -0500  
Subject: Word Privacy Problems  
From: "Jeremy LaCivita"  
After reading your section on Word privacy issues, I opened up a paper I wrote last week in BBEdit. In  
addition to a bunch of paths on my machine (which is somewhat understandable) i found addresses of  
all the sites I had visited that night (using Internet Explorer):   
3Com/Palm Computing - Macintosh   
The Apple Store (U.S.)   
The Apple Store (U.S.)   
In other documents I found information about my email account like my mail server. Who knows what  
other information is hidden in the document mixed in with all of the gibberish.   
This really bothers me! The paths to images used in the file in somewhat understandable and relevant,  
but this is completely irrelevant, and I really think Microsoft needs to explain themselves.   
Date: Tue, 16 Mar 1999 01:46:52 +0100  
Subject: word98 security - history recorded  
Encouraged by the interesting reports about security problems in word98 docs I carefully examined  
some of my files with a text editor.   
Guess what. The complete history of some documents I've been using since one year has been  
recorded in the file (different OS versions, different machines to be identified by their owner's names  
and different hierachical file structures were all plainly visible).   
Obviously previous versions of word (at least word 6) own this special "recording feature", too. Isn't it  
nice? Thank you, Big Bill, this is exactly what users needed most.   
Date: Mon, 15 Mar 1999 13:05:59 -0700  
Subject: Word98  
From: "Kanton Budge"  
This is absolutely atrocious! I opened a few Word 98 documents I wrote some weeks ago related to my  
business. It contained information from cookies found in Internet Explorer about sites I've visited that  
day. I also copy and pasted information from an email sent to me via Outlook Express 4.5 into a word  
document and found links to information about web links!   
This is extremely serious. I could take a document sent to me from a potential employee or business  
associate and find out what their registered Office 98 name is, what web sites they've visited, and  
potentially what email addresses are related to them!