Langa Letter: Solving Word's Hidden ''Phone-Home Fields'' Problem
Microsoft's "hidden field" patch still leaves a back door open. Here's Fred's free two-click solution to close it.
Unless you've been under a rock lately, you've probably heard of the uproar caused by "hidden fields" inside Microsoft Word and Excel documents. The issue affects all versions of Word for Windows and the Mac from 1997 onward, and also affects Excel 2002. (For simplicity, and because it's more of an issue for Word users, we'll focus on that, but the following also applies to Excel 2002.)
Some pundits claimed these fields are a "gaping hole" that place literally every file on your PC at risk. I disagreed, in print, about the severity of the problem (http://www.langa.com/newsletters/2002/2002-10-10.htm#9) because only a minority of users would ever be at risk from these fields, and because there's an ultra-simple, two-click way to avoid the worst of the remaining security issues.
Microsoft has now released a partial patch for this hidden fields problem (http://www.microsoft.com/technet/security/bulletin/MS02-059.asp) but it still leaves a residual kind of "back door" in some documents that could conceivably be exploited. I now anticipate another round of even more frantic diatribes from pundits who will spread needless fear about this issue. But don't be taken in: It's incredibly easy to close this back door.
For example, one well-known author (who made his name writing about Microsoft Office in general, and Word in particular) took issue with me when I originally downplayed the severity of hidden fields (http://www.langa.com/newsletters/2002/2002-10-10.htm#9): To prove how wrong I was, he sent me a demonstration file (with my permission--he wasn't trying to hack me) that contained a hand-crafted hidden field that would secretly lift data from my PC and then surreptitiously relay that data to a distant Web site. (Incidentally, this "phone-home field" vulnerability is not, repeat not, corrected by the new Microsoft patch.)
But guess what? The exploit didn't work, and no data left my system. In fact, this kind of attack simply cannot succeed on my PC because of the way I've set up and use my system: The key security adjustment takes only two mouse clicks, and you can set it up in literally less than a second.
1) The new Microsoft patch is only a partial fix for the hidden fields problem;2) The patch is brand-new, and not yet proven to be reliable; and
3) Even more important, this method of self-protection works against all current and future exploits that use any similar attack strategy, even if they're not covered by the Microsoft patch.
The bottom line is this: Even if you're in the minority of users at risk from hidden fields, you can easily prevent anything bad from happening. The trick is in knowing what these fields are, why they exist, how they work, and how they might be used against you. Once you understand that, you can take simple steps to ensure you'll never, ever have to worry about losing data to this kind of exploit.
Understanding The Problem
In a classic Trojan horse attack, a file that appears to be benign or useful actually contains a secret, hostile payload. If someone used maliciously crafted hidden fields inside a Word document, that document--which might appear totally innocent on the surface--could be used in a Trojan horse attack.
In an "embed and remail" scenario, for example, an attacker could send you a Word document that contains a hidden, self-updating field that would attempt to grab data from your system and store the stolen data inside a hidden field. If you didn't notice the hidden field--it's hidden, after all--and if you then saved the infected document, you'd be saving not only the original document but also whatever was invisibly embedded inside. If you then returned the document to the sender or routed it to the next person on a distribution list, the recipients would get not only the original document, but also whatever was copied from your system. In this somewhat roundabout way, data could be collected from your system and copied to another location, without your knowledge.
Or, in an "instant send" scenario, if the attacker knows or can guess the name and location of a file on your system, he could rig a Word document to send the first few hundred characters from that file (not the whole file, just the first 200 or so characters, due to field size limits) to any given Internet address or site. This action can happen as soon as you open an infected Word document: No saving or manual resending of the document as a whole is needed.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.