Langa Letter: Solving Word's Hidden ''Phone-Home Fields'' Problem

Microsoft's "hidden field" patch still leaves a back door open. Here's Fred's free two-click solution to close it.
Clearly, this is a fairly elaborate set of circumstances. Because of this, it's very easy to prevent this type of attack from succeeding--and in fact, that's just what the new Microsoft patch is designed to do. But with or without that patch, and regardless of how effective the patch is, you still can easily protect yourself from this kind of attack:

If a stranger sends an unexpected document to you, use routine security and basic common sense: Just hit the delete key, and be done with it. Don't open it "just in case" or "just to see." Assume that any unexpected file from a stranger is a security threat, and simply delete it. In the very unlikely event that anything even slightly valuable is lost this way, the sender can always resend it, along with an explanation as to who they are, what's being sent, and why. And then, you'll know what it is--it will no longer be an unexpected document from a stranger.

OK, what if you get a file from someone who's not a stranger? Or, what if you're in an office or collaboration setting, and need to open documents from people you may not know well, or at all. Or what happens if you have to exchange documents with people whom you know to be poor security risks?

Or--let's face it, some people can't resist peeking--what happens if you do get a document from a stranger, and you can't bring yourself to delete it?

In all these cases, the steps under "Preventing Instant-Send Attacks" initially come into play: Use your antivirus tools to verify that the document is basically OK; tell your firewall to suspend Internet traffic; open the document, and use Word's built-in "Show Field Code" function (Shift-F9) or Bill Coan's "Hidden File Detector" ( to reveal any hidden fields and objects inside the document. Only proceed if the document comes up clean.

Next, before you alter the document in any way, simply close it. If you get a "Save" prompt, that means something inside the document changed. If you didn't make any changes, then you know that something built into the document did, and without your knowledge. Don't save the document, and don't send it to anyone until you know what's going on inside, and why.

Major Risk? Not Hardly

As hidden fields have been built into Word since Word 97, and this issue is just now coming to light, I think any claim that this was a "gaping security hole" was overblown to begin with: If it were that bad, it would have been discovered and exploited long ago. Plus, the new patch greatly reduces the odds of an embed-and-remail attack succeeding, even if you don't take the extra steps we outlined above.

But the key to preventing any--any--kind of Trojan Horse attack is to remember that those attacks require at least some level of complicity, passivity, or carelessness on the part of the recipient for the attack to succeed. With or without any patches or other security enhancements, the general steps above--taking literally a few extra seconds when you first access a new document to stop any instant attacks and to manually scan for other embedded nasties--will help protect you from this and all similar issues with any kind of document, now and in the future.

So: Was this "hidden field" issue a problem? Yes. But it was and is a relatively minor one with risks you easily can reduce to truly insignificant levels. As with most Trojans, a little common sense and caution will go a long way toward keeping you--and your documents--secure.

What's your take? Is Fred underplaying the risk of this problem? What other steps can you take to help prevent this kind of attack from succeeding? Join the discussion!

To discuss this column with other readers, please visit Fred Langa's forum on the Listening Post.

To find out more about Fred Langa, please visit his page on the Listening Post.