Langa Letter: Solving Word's Hidden ''Phone-Home Fields'' Problem - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Software // Enterprise Applications
01:53 PM
Fred Langa
Fred Langa

Langa Letter: Solving Word's Hidden ''Phone-Home Fields'' Problem

Microsoft's "hidden field" patch still leaves a back door open. Here's Fred's free two-click solution to close it.

Unless you've been under a rock lately, you've probably heard of the uproar caused by "hidden fields" inside Microsoft Word and Excel documents. The issue affects all versions of Word for Windows and the Mac from 1997 onward, and also affects Excel 2002. (For simplicity, and because it's more of an issue for Word users, we'll focus on that, but the following also applies to Excel 2002.)

Some pundits claimed these fields are a "gaping hole" that place literally every file on your PC at risk. I disagreed, in print, about the severity of the problem ( because only a minority of users would ever be at risk from these fields, and because there's an ultra-simple, two-click way to avoid the worst of the remaining security issues.

Microsoft has now released a partial patch for this hidden fields problem ( but it still leaves a residual kind of "back door" in some documents that could conceivably be exploited. I now anticipate another round of even more frantic diatribes from pundits who will spread needless fear about this issue. But don't be taken in: It's incredibly easy to close this back door.

For example, one well-known author (who made his name writing about Microsoft Office in general, and Word in particular) took issue with me when I originally downplayed the severity of hidden fields ( To prove how wrong I was, he sent me a demonstration file (with my permission--he wasn't trying to hack me) that contained a hand-crafted hidden field that would secretly lift data from my PC and then surreptitiously relay that data to a distant Web site. (Incidentally, this "phone-home field" vulnerability is not, repeat not, corrected by the new Microsoft patch.)

But guess what? The exploit didn't work, and no data left my system. In fact, this kind of attack simply cannot succeed on my PC because of the way I've set up and use my system: The key security adjustment takes only two mouse clicks, and you can set it up in literally less than a second.

Even if you have Microsoft's new patch (, it's important to know about this simple method of self-protection for three critical reasons:

1) The new Microsoft patch is only a partial fix for the hidden fields problem;2) The patch is brand-new, and not yet proven to be reliable; and 3) Even more important, this method of self-protection works against all current and future exploits that use any similar attack strategy, even if they're not covered by the Microsoft patch.

The bottom line is this: Even if you're in the minority of users at risk from hidden fields, you can easily prevent anything bad from happening. The trick is in knowing what these fields are, why they exist, how they work, and how they might be used against you. Once you understand that, you can take simple steps to ensure you'll never, ever have to worry about losing data to this kind of exploit.

Understanding The Problem

In a classic Trojan horse attack, a file that appears to be benign or useful actually contains a secret, hostile payload. If someone used maliciously crafted hidden fields inside a Word document, that document--which might appear totally innocent on the surface--could be used in a Trojan horse attack.

In an "embed and remail" scenario, for example, an attacker could send you a Word document that contains a hidden, self-updating field that would attempt to grab data from your system and store the stolen data inside a hidden field. If you didn't notice the hidden field--it's hidden, after all--and if you then saved the infected document, you'd be saving not only the original document but also whatever was invisibly embedded inside. If you then returned the document to the sender or routed it to the next person on a distribution list, the recipients would get not only the original document, but also whatever was copied from your system. In this somewhat roundabout way, data could be collected from your system and copied to another location, without your knowledge.

Or, in an "instant send" scenario, if the attacker knows or can guess the name and location of a file on your system, he could rig a Word document to send the first few hundred characters from that file (not the whole file, just the first 200 or so characters, due to field size limits) to any given Internet address or site. This action can happen as soon as you open an infected Word document: No saving or manual resending of the document as a whole is needed.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 3
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll