- Dec 9, 2001
- 11,107
- 0
- 76
Text
Microsoft Flaw May Allow File Theft
Fri Sep 13, 3:03 AM ET
By D. IAN HOPPER, AP Technology Writer
WASHINGTON (AP) - Microsoft's flagship word processor has for years had a security flaw that could allow a criminal to steal computer files by "bugging" a document with a hidden code.
The company said it will definitely repair the problem only for owners of the most recent versions of the software.
That decision ? still left largely up in the air by Microsoft engineers ? may leave millions of users of Word 97 without a fix. All versions of Word are susceptible to the flaw, but the problem is most severe in Word 97.
"It's incredible to me that Microsoft would turn its back on Word 97 users," said Woody Leonhard, who has written books on Microsoft's Word and Office software. "They bought the package with full faith in Microsoft and its ability to protect them from this kind of exploit."
The attacker sends the victim a bugged document, usually with a request that the document be revised and returned to the sender ? a common form of daily communication. When the document is changed and sent back, the file the attacker wants to steal is attached.
The flaw would most likely occur in the workplace, where Word is the most prominent word processing program. Potential targets for theft are sensitive legal contracts, payroll records or e-mails, either from a hard drive or computer network, depending on the victim's access to files.
Microsoft says an attacker would have to know the exact file name to be stolen and its location. But many critical files ? an address book or saved e-mails, for example ? are usually in obvious or predictable places on every Microsoft Windows computer.
"The issue appears to affect all versions of Microsoft Word," Microsoft said in a statement Thursday in response to questions by The Associated Press. "When the investigation is completed, we will take the action that best serves Microsoft's customers."
Word 97, an earlier version of the program, is most susceptible to the attack. Microsoft said it is its policy to no longer repair Word 97, but said the company is still exploring the issue.
A research firm reported in May that about 32 percent of offices have copies of Word 97 running, according to a survey of 1,500 high-tech managers worldwide.
Analyst Laura DiDio of the Yankee Group said companies are taking a risk by using such old software, but Microsoft should correct the problem because of its severity. "These are paying customers," she said.
Word 97 users may be able to get some help from through Microsoft's telephone technical support, company spokesman Casey McGee said. But, referring to Microsoft engineers, McGee said "there's only so far back they can go."
The flaw involving Word 97 was discovered by Alex Gantman of cellular phone company Qualcomm and was released on the Internet last month.
If the intended target uses Word 2000 or 2002, the most recent versions, the attack will only work if the Word document is printed first before the reply is sent to the attacker.
After seeing Gantman's work on a public security e-mail forum, Leonhard found a similar flaw that affects recent Word versions even when a document is not printed. In this case, the stolen file is visible within the document, although the attacker can make it hard to find.
Microsoft suggests users view hidden codes in every document they open. In Word 2002, the latest version, that can be done by selecting tools, options, then checking the "field codes" box. Many companies, however, use such codes for legitimate and harmless purposes.
Facebook
Twitter