Commentary
10/17/2002
01:53 PM
Fred Langa

Langa Letter: Solving Word's Hidden ''Phone-Home Fields'' Problem

Microsoft's "hidden field" patch still leaves a back door open. Here's Fred's free two-click solution to close it.



Unless you've been under a rock lately, you've probably heard of the uproar caused by "hidden fields" inside Microsoft Word and Excel documents. The issue affects all versions of Word for Windows and the Mac from 1997 onward, and also affects Excel 2002. (For simplicity, and because it's more of an issue for Word users, we'll focus on that, but the following also applies to Excel 2002.)

Some pundits claimed these fields are a "gaping hole" that place literally every file on your PC at risk. I disagreed, in print, about the severity of the problem (http://www.langa.com/newsletters/2002/2002-10-10.htm#9) because only a minority of users would ever be at risk from these fields, and because there's an ultra-simple, two-click way to avoid the worst of the remaining security issues.

Microsoft has now released a partial patch for this hidden fields problem (http://www.microsoft.com/technet/security/bulletin/MS02-059.asp) but it still leaves a residual kind of "back door" in some documents that could conceivably be exploited. I now anticipate another round of even more frantic diatribes from pundits who will spread needless fear about this issue. But don't be taken in: It's incredibly easy to close this back door.

For example, one well-known author (who made his name writing about Microsoft Office in general, and Word in particular) took issue with me when I originally downplayed the severity of hidden fields (http://www.langa.com/newsletters/2002/2002-10-10.htm#9): To prove how wrong I was, he sent me a demonstration file (with my permission--he wasn't trying to hack me) that contained a hand-crafted hidden field that would secretly lift data from my PC and then surreptitiously relay that data to a distant Web site. (Incidentally, this "phone-home field" vulnerability is not, repeat not, corrected by the new Microsoft patch.)

But guess what? The exploit didn't work, and no data left my system. In fact, this kind of attack simply cannot succeed on my PC because of the way I've set up and use my system: The key security adjustment takes only two mouse clicks, and you can set it up in literally less than a second.

Even if you have Microsoft's new patch (http://www.microsoft.com/technet/security/bulletin/MS02-059.asp), it's important to know about this simple method of self-protection for three critical reasons:

1) The new Microsoft patch is only a partial fix for the hidden fields problem;

2) The patch is brand-new, and not yet proven to be reliable; and

3) Even more important, this method of self-protection works against all current and future exploits that use any similar attack strategy, even if they're not covered by the Microsoft patch.

The bottom line is this: Even if you're in the minority of users at risk from hidden fields, you can easily prevent anything bad from happening. The trick is in knowing what these fields are, why they exist, how they work, and how they might be used against you. Once you understand that, you can take simple steps to ensure you'll never, ever have to worry about losing data to this kind of exploit.

Understanding The Problem

In a classic Trojan horse attack, a file that appears to be benign or useful actually contains a secret, hostile payload. If someone used maliciously crafted hidden fields inside a Word document, that document--which might appear totally innocent on the surface--could be used in a Trojan horse attack.

In an "embed and remail" scenario, for example, an attacker could send you a Word document that contains a hidden, self-updating field that would attempt to grab data from your system and store the stolen data inside a hidden field. If you didn't notice the hidden field--it's hidden, after all--and if you then saved the infected document, you'd be saving not only the original document but also whatever was invisibly embedded inside. If you then returned the document to the sender or routed it to the next person on a distribution list, the recipients would get not only the original document, but also whatever was copied from your system. In this somewhat roundabout way, data could be collected from your system and copied to another location, without your knowledge.

Or, in an "instant send" scenario, if the attacker knows or can guess the name and location of a file on your system, he could rig a Word document to send the first few hundred characters from that file (not the whole file, just the first 200 or so characters, due to field size limits) to any given Internet address or site. This action can happen as soon as you open an infected Word document: No saving or manual resending of the document as a whole is needed.



If you let your imagination run, you can conceive of a multistage attack in which one document or field might use "instant send" to (say) steal the names and locations of files in your "Most Recently Used" history file, and send them back to a malicious outsider who might then use an "embed and remail" attack to obtain the target documents via a hidden field in a document. I'm sure you can imagine other scenarios, too.

But no matter what the details are, an attack by means of hidden fields in a Word document is just another form of Trojan horse attack: Success of any Trojan attack depends on the victim either actively assisting in the attack, or passively failing to take any preventive measures. And that's the key to defusing this whole issue.

Preventing Instant-Send Attacks

Although the instant-send attack described earlier can't transmit a lot of information, it may be the more dangerous of the two because it can happen nearly instantly, as soon as a document is opened. It's also a form of attack that's not--repeat not--addressed by the Microsoft patch. But on your own, you can totally prevent this kind of attack from succeeding with (literally) two mouse clicks.

For example, let's say someone sends you a Word document. We'll assume you have a current, known, good antivirus tool operating, and that the document in question already has passed muster on that score. To prevent a possible instant-send attack (which normally won't be detected by an antivirus tool) all you need to do, before you open the suspect document, is temporarily stop Internet traffic on your PC. You can do this in less than a second:

All the desktop firewalls I know of, even the free ones, have a fast, easy way to block all Internet activity instantly. For example, in ZoneAlarm, right-click the ZA icon near the system clock and select "Stop All Internet Activity." In Sygate Personal Firewall, right-click the icon and select "Block All." In Norton Personal Firewall, right-click and select "Block Traffic." Other firewalls might use other methods, but they all work about the same: In literally less than a second, you can prevent any information from leaving your PC via your Internet connection.

Then, open the Word document normally. If the document contains a malicious field that triggers an instant-send attack, Word won't be able to connect to the Internet due to firewall blocking. Instead, Word will display an error message saying something like "The remote data (WWW_OpenURL) is not accessible. Do you want to start the application IExplore?" Even if you reply "Yes" to the above error message and your browser fires up, you're still safe: No data can leave your PC via your Internet connection until you unblock the firewall.

Firewall blocking ensures that you'll get a very clear indication that something in Word is trying to connect with the outside world either directly or by calling an instance of your browser. It's not subtle, and no guesswork is needed: The two-click trick of temporarily using your firewall to block Internet access lets you easily and obviously detect and defeat this kind of attack.

Next, whether or not you see signs of an instant-send attack, take a moment--literally another few seconds--to examine the suspect document for hidden fields and files: Use Word's built-in "Show Field Code" function (Shift-F9) or use Bill Coan's "Hidden File Detector," a free add-in to Word that helps you identify all hidden fields and objects inside a Word document. It's available for download at http://www.wordsite.com/HiddenFileDetector.html.

Examining the document's hidden fields via (Shift-F9) or with Coan's "Hidden File Detector" not only lets you see if the document is safe, but--if it is infected with malicious hidden field codes--also lets you see what the attacker was attempting to do, and where the gathered information was going to be sent. This forensic data can potentially lead you or security authorities right to the attacker's home base.

Finally, if you do find that a document is infected with instant-attack or other malicious fields, simply exit Word without saving the document (even if prompted to save). Delete the infected document, unblock your firewall, and resume normal operation.

Or, if the document you're checking contains no malicious hidden fields, you can unblock your firewall, and continue working with the document normally.

Preventing Embed-and-Remail Attacks

Although this type of attack theoretically can lift large amounts of data from your system, it's actually rather hard to pull off.

A malicious hacker would (1) have to figure out how to craft this kind of special field to target specific documents, by name, on your system, (2) send the infected document to you, (3) entice you to open the document unguardedly in Word, (4) get you to save (not just close, but actively save) the document so the data collected by the fields would be stored inside the document, and then (5) somehow get you to send the saved copy of the document back to the hacker.



Clearly, this is a fairly elaborate set of circumstances. Because of this, it's very easy to prevent this type of attack from succeeding--and in fact, that's just what the new Microsoft patch is designed to do. But with or without that patch, and regardless of how effective the patch is, you still can easily protect yourself from this kind of attack:

If a stranger sends an unexpected document to you, use routine security and basic common sense: Just hit the delete key, and be done with it. Don't open it "just in case" or "just to see." Assume that any unexpected file from a stranger is a security threat, and simply delete it. In the very unlikely event that anything even slightly valuable is lost this way, the sender can always resend it, along with an explanation as to who they are, what's being sent, and why. And then, you'll know what it is--it will no longer be an unexpected document from a stranger.

OK, what if you get a file from someone who's not a stranger? Or, what if you're in an office or collaboration setting, and need to open documents from people you may not know well, or at all? Or what happens if you have to exchange documents with people whom you know to be poor security risks?

Or--let's face it, some people can't resist peeking--what happens if you do get a document from a stranger, and you can't bring yourself to delete it?

In all these cases, the steps under "Preventing Instant-Send Attacks" initially come into play: Use your antivirus tools to verify that the document is basically OK; tell your firewall to suspend Internet traffic; open the document, and use Word's built-in "Show Field Code" function (Shift-F9) or Bill Coan's "Hidden File Detector" (http://www.wordsite.com/HiddenFileDetector.html) to reveal any hidden fields and objects inside the document. Only proceed if the document comes up clean.

Next, before you alter the document in any way, simply close it. If you get a "Save" prompt, that means something inside the document changed. If you didn't make any changes, then you know that something built into the document did, and without your knowledge. Don't save the document, and don't send it to anyone until you know what's going on inside, and why.
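The "examine the document for hidden fields" step above (Shift-F9 or the Hidden File Detector), which is the same check introduced under "Preventing Instant-Send Attacks," can be scripted when the document is in the XML-based .docx format that later versions of Word use. The following Python is an added example, not code from this column or from Bill Coan's add-in. It assumes the .docx (OOXML) container; the binary .doc format of Word 97 through 2002, which the column was written for, stores fields differently and needs a different parser. The sample document and the watchlist of field keywords are constructed here for the example and are not taken from the column.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by the .docx "word/document.xml" part.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}


def qn(tag):
    """Clark-notation name for an element or attribute in the w: namespace."""
    return f"{{{W_NS}}}{tag}"


# Field types that pull content from outside the document body (a local file,
# a URL, or another application). Assumption: this watchlist is the example's,
# not Word's or the column's; extend it to match your own policy.
EXTERNAL_FIELDS = {"INCLUDETEXT", "INCLUDEPICTURE", "HYPERLINK", "LINK",
                   "DDE", "DDEAUTO", "IMPORT", "RD"}


def extract_fields(docx_bytes):
    """Return every field in the main document part as {'instr': str, 'hidden': bool}.

    Complex fields are spread across runs as fldChar(begin) ... instrText ...
    fldChar(end); simple fields carry their instruction in w:fldSimple/@w:instr.
    A field counts as hidden if any run belonging to it carries w:vanish,
    which is Word's "hidden text" formatting.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))

    fields = []
    stack = []  # complex fields currently open; fields can nest, hence a stack
    for run in root.iter(qn("r")):
        hidden_run = run.find("w:rPr/w:vanish", NS) is not None
        fld = run.find("w:fldChar", NS)
        if fld is not None:
            kind = fld.get(qn("fldCharType"))
            if kind == "begin":
                stack.append({"instr": "", "hidden": hidden_run})
            elif kind == "end" and stack:
                fields.append(stack.pop())
            continue
        instr = run.find("w:instrText", NS)
        if instr is not None and stack:
            stack[-1]["instr"] += instr.text or ""
            stack[-1]["hidden"] |= hidden_run

    for simple in root.iter(qn("fldSimple")):
        hidden = simple.find(".//w:rPr/w:vanish", NS) is not None
        fields.append({"instr": simple.get(qn("instr"), ""), "hidden": hidden})
    return fields


def audit_fields(fields):
    """Flag fields that reach outside the document or are formatted as hidden text."""
    findings = []
    for f in fields:
        instr = f["instr"].strip()
        keyword = instr.split()[0].upper() if instr else ""
        if keyword in EXTERNAL_FIELDS or f["hidden"]:
            findings.append({"keyword": keyword, "hidden": f["hidden"], "instr": instr})
    return findings


def build_sample_docx():
    """Constructed test document (not a real-world sample): a visible PAGE field,
    a hidden INCLUDETEXT field pointing at a placeholder local path, and a
    simple DATE field. Only the parts this parser reads are included."""
    doc = f'''<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W_NS}"><w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText xml:space="preserve"> PAGE </w:instrText></w:r><w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>1</w:t></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:r><w:rPr><w:vanish/></w:rPr><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:rPr><w:vanish/></w:rPr><w:instrText xml:space="preserve"> INCLUDETEXT "C:\\placeholder\\local-file.txt" </w:instrText></w:r><w:r><w:rPr><w:vanish/></w:rPr><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:fldSimple w:instr=" DATE "><w:r><w:t>17 Oct 2002</w:t></w:r></w:fldSimple></w:p>
</w:body></w:document>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # stub; not a complete package
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    # Run against the constructed sample; swap in open("suspect.docx", "rb").read()
    # to audit a real document before you decide whether to keep or save it.
    for hit in audit_fields(extract_fields(build_sample_docx())):
        flag = "HIDDEN " if hit["hidden"] else ""
        print(f"{flag}{hit['keyword']}: {hit['instr']}")
```

The audit is read-only: it never opens the document in Word, so no field updates, and therefore no outbound connection, can be triggered by inspecting it. That makes it a useful first look before the firewall-blocked open the column describes, and the flagged instruction text gives you the same forensic detail (what was targeted, where it was to be sent) that the column says Shift-F9 reveals.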

Major Risk? Not Hardly

As hidden fields have been built into Word since Word 97, and this issue is just now coming to light, I think any claim that this was a "gaping security hole" was overblown to begin with: If it were that bad, it would have been discovered and exploited long ago. Plus, the new patch greatly reduces the odds of an embed-and-remail attack succeeding, even if you don't take the extra steps we outlined above.

But the key to preventing any--any--kind of Trojan Horse attack is to remember that those attacks require at least some level of complicity, passivity, or carelessness on the part of the recipient for the attack to succeed. With or without any patches or other security enhancements, the general steps above--taking literally a few extra seconds when you first access a new document to stop any instant attacks and to manually scan for other embedded nasties--will help protect you from this and all similar issues with any kind of document, now and in the future.

So: Was this "hidden field" issue a problem? Yes. But it was and is a relatively minor one with risks you easily can reduce to truly insignificant levels. As with most Trojans, a little common sense and caution will go a long way toward keeping you--and your documents--secure.

What's your take? Is Fred underplaying the risk of this problem? What other steps can you take to help prevent this kind of attack from succeeding? Join the discussion!


To discuss this column with other readers, please visit Fred Langa's forum on the Listening Post.

To find out more about Fred Langa, please visit his page on the Listening Post.
