An earlier investigation showed no "smoking gun," but we now [June 1998] have confirmed a serious security problem with Microsoft Word 98 on the Mac: Word 98 documents may contain hidden, random snippets of data from elsewhere in your hard disk or memory. That is, Word 98 documents can include, hidden from view, data completely unrelated to the document and never inserted by the user. Sending a Word 98 document to someone else thus can reveal random private information from your computer system without your knowledge.
We opened with BBEdit several Word 98 documents we'd created and documents we'd received. They contained confidential email, URLs, disk directory paths and other information that is invisible within Word 98 and that never should have been in these files. The problem occurs even if Fast Save is disabled (which we recommend), and readers report the problem also involves Windows' Office 97 and earlier versions of Word on the Mac, (including Word 6).
Chuck Shotton describes a problem he says has been around for years:
"[Word] ignores the logical end of file and includes the entire contents of thefinal disk sector in the file. Since that disk sector may have beenpreviously used for things like e-mail or other documents, it is possiblethat the data on the disk will be included in your Word document."
One possible solution, based on Chuck's description, is to use Save As to place your Word file on a newly-erased disk volume (perhaps a RAM disk) before sending it off to someone else. The safest option may be to save the file in RTF format.
A Microsoft Knowledge Base article describes an OLE fix for Windows 95 that addresses the same sort of problem. It notes that Windows versions of PowerPoint, Excel and Word are affected, but says Windows NT avoids the problem by re-initializing disk space when files are deleted.
According to readers, a similar issue affects PageMaker and QuarkXpress files (see below), and some other applications also may behave like this.
In response to our inquiry about the problem, a Microsoft spokesman replied:
"We are aware of the issue reported on MacInTouch concerningWord 98, and are investigating remedies. The problem is caused by theway Word 98 allocates space on a disk for file storage. The Mac OS--likemany other OS' file systems --does not erase files when you delete them,it simply removes a reference to them and marks the space they occupiedas "free". Since Word 98 does not initialize disk space the Mac OSallocates for a File Save operation, a small amount of unused space inthe file may contain random data from previously-deleted files. Thisbehavior affects only data on a disk: the postings suggesting that Wordmight be taking data from memory (RAM) are in error." [Virtual memory, however, puts information from RAM on the disk. -Ric]
"Microsoft takes any reported security issues seriously and weare investigating the appropriate steps to take. In the short term, anycustomer with a security concern has the option of using a number ofthird party disk utilities."
We subsequently examined a Word 98 document that demonstrated the security breach, incorrectly incorporating e-mail that was never inserted or used within the document. The logical end of file marker for this document was positioned far past the actual Word content to include the unrelated, private data. Since everything up to the logical end of file is entirely Word's responsibility, not the responsibility of the operating system or disk utilities, we conclude that responsibility for this security problem, and for its solution, lies solely with Microsoft.
Frank Marien has e-mailed us the results of a RAM test, which shows Word grabbing unrelated private data and saving it from RAM onto disk, contrary to Microsoft's claim.
A MacInTouch reader described the results of an experiment he performed, in which FileMaker data was compromised by Word [we have not confirmed his result]:
"I work in the IT department of a university. Following up on your tipFriday about the security problems in Office 98 I ran a test to see if Icould recreate the problem. I created a new document and saved it. Openedit with BBedit and sure enough random info from my hard drive showed up inthe document. However what happened next was very interesting. I copiedthe file over our ethernet network to another machine, opened it and made achange. I then sent it back to the original machine and once again openedit with BBedit. I found information that I tracked to a Filemaker Prodatabase. It was confidential patient information being entered in anotherpart of the building to a shared database. The database was being servedvia TCP-IP and was password protected. Somehow Word grabbed packets andincorporated them into itself. I find this very concerning and thoughtother readers might like to know about this."
Several readers saw the same security problem with PageMaker documents, and the problem appears to be within PageMaker (or OLE), since the compromised data did not come from files imported into PageMaker.
[James Conner]
"After reading your 26 June report on the Office 98 security issues, I opened a small Pagemaker 6.52 file in BBEdit. Sure enough, toward the end, were parts of an email message I'd received. I then saved the PM file as an Acrobat 3.x PDF file. When I opened the PDF file in BBEdit, the email remnants had disappeared (which does not necessarily mean that saving the file to PDF is a safe workaround)."
[Brad Shute]
"After reading several web postings, on MacInTouch and elsewhere, about thesecurity bug in Microsoft Word and that it may not be limited just to Word, Iplayed around with BBEdit and a few other files. Yikes!
In several PageMaker files I found snippets of text from web pages I hadvisited and from email. There were also URLs of webpages visited long ago." [Brad also notes that the Finder's Desktop DB file had much private information in it.]
[MacInTouch reader]
"I noticed last month that PageMaker 5.0 has the same security flaw as Word98: after examing files with RealView, I found that the data forkscontained random, and often paragraph-long, pieces of miscellaneous otherfiles, such as email, etc. These paragraph-long snippets were oftenpartially overwritten, but still eminently readable.
I don't have the more recent versions of PM and can't say whether the flawpersists. PM upgrades are expensive, and 5.0 was a pretty good version, soit's possible it's still in widespread use.
One thing PM and Word have in common is the existence of a Fast Saveoption. Even though the bug, or is it a feature, still occurs when this isdisabled in Word, and I believe PM too, perhaps there is a common origin.
I suspect this bug may occur in many other apps from both companies, sinceboth are well known for wanting to make as much code as possible in commonacross apps. Perhaps apps from other companies suffer from it as well."
[William Cox]
"From reading the MS docs on the companion PC hole, and from the apps that seemto be reporting this error, I'd more likely blame it on the OLE 2implementation than on Word itself. On the other hand, I've not noticed theerror in any of the Excel documents I've opened.
Both PageMaker 5.0 and Quark XPress use OLE extensively, primarily for thecross-platform benefits (or so they say). I've untested it, but all versionsof PageMaker past 5.0 use the same OLE libraries and are probably subject tothe same fault."
A "hacking guide" from Martin Schwartz talks about OLE storage and trash blocks, apparently related directly to this issue.
Bob Smith notes the operating system's role and describes his tests under the "netatalk" server:
"Regarding the problem of Word including random data in files, this may not bea problem when files are saved to file server volumes. This is certainly truewith servers based on non-Mac platforms like Windows NT or Un*x since in thosecases the underlying OS "blanks out" space allocated to new files. I'm notsure about AppleShare, however, since it is based on MacOS.
In my case, weuse a Linux-based file server running the "netatalk" AFP server; I examinedseveral dozen Word files stored on our server, and the end of the last blockof the file in all cases was filled with nulls, I could find no informationthat shouldn't be there."
On July 7, Microsoft listed the problem as "Office 98 Extraneous Data Issue" promising to deliver a fix the next week.
As of July 18, Microsoft had released its security patch for the "Extraneous Data" problem with MS Office 98. The release notes describe the change as follows:
"This Updater changes the behavior of Microsoft Office and OLE to initialize the disk space before saving to it, thereby erasing any extraneous data.In addition, this Updater includes the update to the file "Visual Basic forApplications", previously made available to address the Memo Wizard/G3 issue.The following files are updated:
* Microsoft Office First Run
* Visual Basic for Applications
* Microsoft PowerPoint
* PP Translator 8-4"
The updater works only on English-language copies of MS Office 98, and the update should be tested after installation to verify that it is functioning correctly. (See the installation notes and try re-installing if it does not work the first time.)
From: [MacInTouch reader]
Subject: word98 security issue, it's bigger than you think.
Date: Wed, 10 Mar 1999
I have to remain anonymous about this please, because of the implications this might have.
I am a developer and I occasionally use word98 for reports and such. Reading your report yesterday about the security issue, I wanted to see if it was true. I opened one of my old word docs in codewarrior (after changing the file type/creator codes ) and found the there were not only directory listings to source code I was working on at the time, but also names of specific functions within the source. These things were not menitioned anywhere within the document I typed, but they are embedded in my file. I can supply you with the file if you like, but I'd rather not because it has my name in it and I think the reprecussions of this could be rather large. If you have any questions about this, feel free to send them to me.
Date: Wed, 10 Mar 1999 12:04:01 -0500
From: Joe Gudac
Subject: Word Info
Ric,
After reading about all these problems with the info Word stores withit's files I decided to look at some of the files I had for my business.I picked a simple file that only had my business letterhead and addressinfo and business tax id numbers that I had to give to our bankrecently.
When looking at the file in canopener I was astonished to find that thefile had information from other files containing my credit card numbersand personal information about myself and my family.
I have tried for the past several years to not be a Microsoft basher andhave tried to learn as much about their software applications to keepmyself up to date with the standard business technology, but this isabsurd. This along with some of the testimony that has been presented intheir anti trust trial I am terrified that they are big brother and maybe more corrupt than our government. If that isn't a scare.
Enjoy your information and keep up the great web site.
Regards,
Joseph J Gudac Jr
Date: Mon, 15 Mar 1999
From: [MacInTouch reader]
Subject: WORD SECURITY
I too have stopped defending Microsoft.
I work for a *major* Internet company at a fairly high level. Thismorning I too looked at a report I submitted last week using Notepad.Not ONLY did it have my name and directories on my hard drive, but ithad information on OTHER applications that are totally unrelated to MSWord in it! These apps are competitors of MS (not that many aren't thesedays). BUT I think the most disturbing was this: all my reports have thesame filename except for the date (contained in the filename too). Thepaths to EVERY report in that directory were there too.
In a world where the economoy is changing (mostly for the better I liketo think) it's SAD to think actions like these undermine the trustpeople place in companies that work hard. People should be empowered andeducated about technology, not intimidated and afraid because of it. Ibelieve Microsoft is validating a LOT of people's fears about privacyand security unnecessarily.
Date: Mon, 15 Mar 1999 10:52:00 -0500 (EST)
From: Oj Ganesh
Subject: Microsoft security
I read with interest your stories and updates concerning GUID numbersand other personal informaion being found in documents created bymicrosoft programs. Thanks for all the updates and keeping with thestory.
Yesterday I finally got around to removing some original software thatmy imac came with, when I noticed a control panel called "ConfigurationManager". In it was a section called "Cookies", which (when clicked on)displayed *Some* cookies on my system. Two of the cookies immediatelycaught my attention since I had never visited the sites with my imac.They were: microsot.com and msn.com, they both had the name "MC1" and theywere 'enabled'. Double clicking on the cookies brought up the CookieProperties box which had this shocking line: "Value: GUID=(my GUIDpresumably)". I couldn't believe it! Both cookies were identical (bothwere also set to expire on "Expires: Wed, Sep 15, 1999 7:00 PM GMT") inevery respect.
The "Configuration Manager" control panel is apparetly made byMicrosoft (as the about box says)...
Date: Mon, 15 Mar 1999 11:10:49 -0600
From: [MacInTouch reader]
Subject: Microsoft Security Issues
Ric,
This may have been reported prior, and it may be less intrusive than theMicrosoft issues, but we seem to be ignoring the fact that many otherapplications besides those from Microsoft carry artifacts from filesunrelated to the current one. For the most part these are data that we'drather not be seen by others.
At the moment, I'm referring specifically to Adobe PageMaker. PageMakerfiles opened in Can Opener reveal lots of extraneous data - directorypaths, hard drive names, file names that appear to be unrelated to thecurrent file, and perhaps references to other sensitive data. These aredata that are not visible and cannot be found or expunged by any normalmeans. In addition to embedding directory paths, filenames, etc., relatedto the current file, it seems that whenever you do a "save as" in PageMakera lot of data from the original file become permanent and reside in thatand all future iterations, or saved as versions, of that file. The data cancompound to become an interesting record in its own right.
Lots of folks transfer lots of data in the form of PageMaker files and I'llwager that few of them are aware of the nature of some of the data they're"making public" when they do.
Maybe some of the more experienced (than me) sleuths will care to commenton PageMaker too?
Date: Mon, 15 Mar 1999 12:54:31 -0500
From: Jeremy LaCivita
Subject: Word Privacy Problems
After reading your section on Word privacy issues, I opened up a paper Iwrote last week in BBEdit. In addition to a bunch of paths on my machine(which is somewhat understandable) i found addresses of all the sites I hadvisited that night (using Internet Explorer):
3Com/PalmComputing - MacintoshThe Apple Store (U.S.)The Apple Store (U.S.)In other documents I found information about my email account like my mailserver. Who knows what other information is hidden in the document mixed inwith all of the gibberish.
This really bothers me! The paths to images used in the file in somewhatunderstandable and relevant, but this is completely irrelevant, and I reallythink Microsoft needs to explain themselves.
Jeremy
Date: Tue, 16 Mar 1999 01:46:52 +0100
Subject: word98 security - history recorded
From: [email protected]
Encouraged by the interesting reports about security problems in word98 docsI carefully examined some of my files with a text editor.
Guess what. The complete history of some documents I've been using since oneyear has been recorded in the file (different OS versions, differentmachines to be identified by their owner's names and different hierachicalfile structures were all plainly visible).
Obviously previous versions of word (at least word 6) own this special"recording feature", too.Isn't it nice? Thank you, Big Bill, this is exactly what users needed most.
Date: Mon, 15 Mar 1999 13:05:59 -0700
From: Kanton Budge
Subject: Word98
This is absolutely atrocious! I opened a few Word 98 documents I wrote someweeks ago related to my business. It contained information from cookiesfound in Internet Explorer about sites I've visited that day. I also copyand pasted information from an email sent to me via Outlook Express 4.5 intoa word document and found links to information about web links!
This is extremely serious. I could take a document sent to me from apotential employee or business associate and find out what their registeredOffice 98 name is, what web sites they've visited, and potentially whatemail addresses are related to them!
