Langa Letter: Solving Word's Hidden ''Phone-Home Fields'' Problem - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Enterprise Applications
Commentary
10/17/2002
01:53 PM
Fred Langa
Fred Langa
Commentary
50%
50%

Langa Letter: Solving Word's Hidden ''Phone-Home Fields'' Problem

Microsoft's "hidden field" patch still leaves a back door open. Here's Fred's free two-click solution to close it.

If you let your imagination run, you can conceive of a multistage attack in which one document or field might use "instant send" to (say) steal the names and locations of files in your "Most Recently Used" history file, and send them back to a malicious outsider who might then use an "embed and remail" attack to obtain the target documents via a hidden field in a document. I'm sure you can imagine other scenarios, too.

But no matter what the details are, an attack by means of hidden fields in a Word document is just another form of Trojan horse attack: Success of any Trojan attack depends on the victim either actively assisting in the attack, or passively failing to take any preventive measures. And that's the key to defusing this whole issue.

Preventing Instant-Send Attacks

Although the instant-send attack described earlier can't transmit a lot of information, it may be the more dangerous of the two because it can happen nearly instantly, as soon as a document is opened. It's also a form of attack that's not--repeat not--addressed by the Microsoft patch. But on your own, you can totally prevent this kind of attack from succeeding with (literally) two mouse clicks.

For example, let's say someone sends you a Word document. We'll assume you have a current, known, good antivirus tool operating, and that the document in question already has passed muster on that score. To prevent a possible instant-send attack (which normally won't be detected by an antivirus tool) all you need to do, before you open the suspect document, is temporarily stop Internet traffic on your PC. You can do this in less than a second:

All the desktop firewalls I know of, even the free ones, have a fast, easy way to block all Internet activity instantly. For example, in ZoneAlarm, right-click the ZA icon near the system clock and select "Stop All Internet Activity." In Sygate Personal Firewall, right-click the icon and select "Block All." In Norton Personal Firewall, right-click and select "Block Traffic." Other firewalls might use other methods, but they all work about the same: In literally less than a second, you can prevent any information from leaving your PC via your Internet connection.

Then, open the Word document normally. If the document contains a malicious field that triggers an instant-send attack, Word won't be able to connect to the Internet due to firewall blocking. Instead, Word will display an error message saying something like "The remote data (WWW_OpenURL) is not accessible. Do you want to start the application IExplore?" Even if you reply "Yes" to the above error message and your browser fires up, you're still safe: No data can leave your PC via your Internet connection until you unblock the firewall.

Firewall blocking ensures that you'll get a very clear indication that something in Word is trying to connect with the outside world either directly or by calling an instance of your browser. It's not subtle, and no guesswork is needed: The two-click trick of temporarily using your firewall to block Internet access lets you easily and obviously detect and defeat this kind of attack.

Next, whether or not you see signs of an instant-send attack, take a moment--literally another few seconds--to examine the suspect document for hidden fields and files: Use Word's built-in "Show Field Code" function (Shift-F9) or use Bill Coan's "Hidden File Detector," a free add-in to Word that helps you identify all hidden fields and objects inside a Word document. It's available for download at http://www.wordsite.com/HiddenFileDetector.html .

Examining the document's hidden fields via (Shift-F9) or with Coan's "Hidden File Detector" not only lets you see if the document is safe, but--if it is infected with malicious hidden field codes--also lets you see what the attacker was attempting to do, and where the gathered information was going to be sent. This forensic data can potentially lead you or security authorities right to the attacker's home base.

Finally, if you do find that a document is infected with instant-attack or other malicious fields, simply exit Word without saving the document (even if prompted to save). Delete the infected document, unblock your firewall, and resume normal operation.

Or, if the document you're checking contains no malicious hidden fields, you can unblock your firewall, and continue working with the document normally.

Preventing Embed-and-Remail Attacks

Although this type of attack theoretically can lift large amounts of data from your system, it's actually rather hard to pull off.

A malicious hacker would (1) have to figure out how to craft this kind of special field to target specific documents, by name, on your system, (2) send the infected document to you, (3) entice you to open the document unguardedly in Word, (4) get you to save (not just close, but actively save) the document so the data collected by the fields would be stored inside the document, and then (5) somehow get you to send the saved copy of the document back to the hacker.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Previous
2 of 3
Next
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Slideshows
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
Commentary
Preparing for the Upcoming Quantum Computing Revolution
John Edwards, Technology Journalist & Author,  6/3/2021
News
How SolarWinds Changed Cybersecurity Leadership's Priorities
Jessica Davis, Senior Editor, Enterprise Apps,  5/26/2021
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Slideshows
Flash Poll