Bruce Schneier on the vulnerability of Word 97

Bruce Schneier on the vulnerability of Word 97

“Here’s the vulnerability. Alice sends Bob a Word document. Bob edits it and sends it back. Unbeknownst to Bob, the document he sends back can contain any file on his computer. All Alice has to know is the file’s pathname.

To make the vulnerability work, Alice embeds a particular code in the Word document she sends Alice. When Bob opens the document, Word scarfs up the file off his hard drive and embeds it into the Word document. Bob can’t see this happening, and he has no way of knowing it has happened. If he looks at the document in Notepad, though, he can see the snooped file. Then, when Bob saves the document, the file becomes part of the saved document. He sends it back to Alice, and she has successfully stolen the file.

This attack works with any file on Bob’s computer, and any file on another server that Bob currently has access to. It’s not a macro, so turning off macros doesn’t help. It’s not a piece of malware that an antivirus program will catch. It’s just a feature of Word 97 being used in a novel way. And Alice can embed hundreds of these codes into the Word document she sends Bob, so if she doesn’t know the exact filename she can make lots of guesses.

This is an enormous security hole, and one that the user is simply unable to close. All Bob can do is 1) refuse to return Word 97 documents he edits, or 2) manually examine them all in Notepad or WordPad.

Another Microsoft vulnerability…so what? There are hundreds of these a year. Why bother writing about it?

To me, the interesting aspect of this is that Microsoft is no longer supporting Word 97. This means the company has an interesting choice: they can patch the vulnerability, or they can demand that users upgrade to the latest version of Word. Doing the latter is sleazy, but it’s in Microsoft’s best interest for people to upgrade. They might think of this simply as added incentive.

We’re seeing more and more of this: vulnerabilities in products that are no longer supported. When the SNMP vulnerabilities were published earlier this year, many products with the vulnerability were no longer supported. Some were made by companies no longer in business.

I first read about this vulnerability in an e-mail newsletter called “Woody’s Office Watch.” Alex Gantman reported the Word 97 vulnerability on Bugtraq, and Woody Leonhard claims that he has discovered similar vulnerabilities in Word 2000 and Word 2002. He’s keeping them quiet for a while, giving Microsoft a chance to fix them.”

Links: nm/tech_microsoft_word_dc&sid=95573713

En passant, this also illustrates why closed source software is such a nuisance. Nobody can fix this except Microsoft.