Re: Microsoft Word documents that "phone" home

["Rob Slade, doting grandpa of Ryan and Trevor" <rslade () sprint ca>]

> Date:          Wed, 30 Aug 2000 10:52:51 -0400
> From:          "Richard M. Smith" <rms () PRIVACYFOUNDATION ORG>

> The Privacy Foundation has just released an advisory
> on an issue that we discovered earlier this month
> in Microsoft Word.  We found that it is possible to
> embedded "Web bugs" in Word documents.  The Web bugs

A most interesting ... "function" in Word.  I do not use Word, of course,
because of the security problems, and generally rely on WordViewer to check
documents.  However, from the detail presented on your Web site, it wasn't
clear whether WordViewer was subject to the same (or similar) bugging activity.
So I tried it.

I downloaded the document, and opened it first in Word, to see what would
happen.  Then I tried it in WordViewer.  WordViewer is subject to the bugging
activity, but not quite in the same way.  In WordViewer, there is obviously
some function lacking that does not result in your second "gotcha" display.
Because of this failure, WordViewer makes repeated accesses to the server.  (If
you will check your server logs, you will find a few hundred requests from the
same address all within the space of a minute or two.)  Obviously some
functionality is missing, but the combination of WordViewer and Web bugs would
seem to have all the makings of a good denial of service attack.  For both the
client and the server  :-)

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca  rslade () sprint ca  slade () victoria tc ca p1 () canada com
            Absurdiveness Training: Don't get even, get odd.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade