  1. #1
    New Lounger
    Join Date
    Jul 2001
    Location
    D.C.
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Document Collaboration Spyware (Word 97)

    WOW #7.43 says we know of no way to disable Word to block the "spyware" exploit reported in that issue and in WOW and WOW-MM 7.42. I'm wondering if there is a way (assuming one is for the moment stuck with Word 97) to 'purge' outgoing documents before one sends them anywhere. Is it possible, say, to run a macro that would check for the trick field and delete it? Or at least bring it to a user's attention?

    I'm posting this question now rather than waiting for the follow-up WOW issues because the problem looks urgent for Word 97 users.

  2. #2
    Gold Lounger
    Join Date
    Dec 2000
    Location
    Hollywood (sorta), California, USA
    Posts
    2,759
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Document Collaboration Spyware (Word 97)

    Well, not to contradict Woody or anything... but there is a way to "disable" the "spy".

    The "spyware" is a field code sequence, so you are correct. A macro in a global template could easily search for then delete the field codes.

    You'd have to make sure that the FileSave event code contained your "anti-spy" code. You would probably also want to put it in the FileOpen event sub as well, not to mention FilePrint. Programming to these "events" is not something most people are interested in. When you click FileSave, Word's FileSave code executes, not your own. But you can always put a by-pass test in there so that the original Word routine executes if for some reason your code can't handle a particular "save" situation.

    I found the field-code-spyware using google, so it's no secret. However, since Woody is reluctant to disclose the "code" at this time, I think I'll not paste it in here. I will however, post a FileSave routine that would do the trick (unless somebody beats me to it!).
    Kevin

  3. #3
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Document Collaboration Spyware (Word 97)

    I just posted a macro in a new thread before I read your post. You could hook this into a FileClose macro. It would be too annoying to do it on every save.

  4. #4
    Gold Lounger
    Join Date
    Dec 2000
    Location
    Hollywood (sorta), California, USA
    Posts
    2,759
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Document Collaboration Spyware (Word 97)

    The code below will remove the *spyware*: Rename it to FileSave. Or, see Jefferson's version "FileClose"
    I threw this together, so test, test, test before you put it in production.

    p.s. Edited to include attachment as the posted version might not get the { codes right.

    <pre>Sub FileSaveEx()
        Dim i As Long

        If Documents.Count = 0 Then Exit Sub
        On Error Resume Next

        With ActiveDocument
            'Account for Edit a picture and close.
            If .ActiveWindow.Caption Like "Picture in*" Then
                .Save
                Exit Sub
            End If

            'Walk the collection backwards so that deleting a field
            'cannot disturb the iteration over the remaining fields.
            For i = .Fields.Count To 1 Step -1
                If UCase(.Fields(i).Code.Text) Like " IF  INCLUDETEXT  IF  DATE  =  DATE*" Then
                    MsgBox "Found Document Collaboration Spyware. Click Ok to remove it."
                    .Fields(i).Delete
                End If
            Next i

            'Mark the attached template as saved, then save the document itself.
            .AttachedTemplate.Saved = True
            .Save
        End With
        ActiveWindow.Caption = ActiveDocument.FullName
    End Sub
    </pre>

    Kevin

  5. #5
    Gold Lounger
    Join Date
    Dec 2000
    Location
    New Hampshire, USA
    Posts
    3,386
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Document Collaboration Spyware (Word 97)

    IMHO, Woody is making a mountain out of a molehill.

    Such fields are NOT security problems.
    Simple solutions are:

    1. Do not distribute Word documents, instead distribute, say, PDF.
    2. Unlink all fields before distribution.
    3. Recipient, LOCK all fields as soon as the file is opened.
    4. Sender, password protect the document against changes, i.e., allow only reading.

    If I write a document that includes, by whatever mechanism, a file path that happens to also exist on the recipient's system, well, that's how the cookie crumbles. The recipient has to be aware of the measures listed above.

    The real security hole is the ability to include, say, AutoOpen, AutoClose macros and document event macros that can gather anything they wish.

    Preventative measures include:

    1. Do not distribute Word documents, instead distribute, say, PDF.
    2. Distribute RTF as that removes macros.
    3. Recipient, make the document read-only so changes cannot be saved by accident.
    4. Sender, password protect the document against changes, i.e., allow only reading.

  6. #6
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Document Collaboration Spyware (Word 97)

    I don't know how serious this is, but I think your proposed remedies are too draconian for the way many people work.

    I regularly request Word documents so I can edit them and track changes; that's how lawyers operate. Trying to do that with a PDF would be an exercise in frustration, even if I had a copy of Acrobat. Having it all re-input into a new document is definitely out of fashion; the time and money to do that no longer exist.

    Maybe RTF would be okay, I'd have to review what gets lost in the process. What definitely is NOT lost in the process, is the majority of field codes, as illustrated in the attached. (And yes, I did close the file after doing a Save As, and re-opened the RTF.)

    I'm not worried about macros from strangers; I just disable them. But if someone has set macro security to low, you're right, they're in much more trouble than accidentally sharing a file.
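The observation in post #6 that Save As RTF keeps field codes can be checked outside Word, because RTF stores each field's instruction as plain text in a `\fldinst` group. The following is an added example, not code from any poster in this thread: a Python scanner that lists every field instruction in an RTF file and flags INCLUDETEXT. The sample document, its path and all function names are constructed for illustration.

```python
import re

WATCHED = {"INCLUDETEXT"}  # field type named in this thread
# RTF control word, hex escape, control symbol (group 1), or a bare brace/newline.
CTRL = re.compile(r"\\[a-z]+(?:-?\d+)? ?|\\'[0-9a-fA-F]{2}|\\(.)|[{}\r\n]", re.S)

# Constructed sample: a PAGE field, then an INCLUDETEXT nested inside an IF.
SAMPLE_RTF = (
    r"{\rtf1\ansi Draft for review, page "
    r"{\field{\*\fldinst { PAGE }}{\fldrslt 1}}\par "
    r"{\field{\*\fldinst { IF 1 = 1 "
    r'{\field{\*\fldinst { INCLUDETEXT "C:\\\\example\\\\notes.txt" }}{\fldrslt }}'
    r' "" }}{\fldrslt }}}'
)

def _group_end(rtf, start):
    """Index of the '}' that closes the group containing position start."""
    depth, i = 1, start
    while i < len(rtf):
        if rtf[i] == "\\":
            i += 2  # skip an escaped brace/backslash or the start of a control word
            continue
        depth += {"{": 1, "}": -1}.get(rtf[i], 0)
        if depth == 0:
            return i
        i += 1
    return len(rtf)

def _plain(chunk):
    """Drop control words and group braces; keep escaped backslashes and braces."""
    keep = lambda m: m.group(1) if m.group(1) in ("\\", "{", "}") else ""
    return " ".join(CTRL.sub(keep, chunk).split())

def scan_rtf_fields(rtf):
    """Return (keyword, instruction, watched) for each field instruction found."""
    found = []
    for m in re.finditer(r"\\fldinst\b", rtf):
        # Nested fields are flattened into the outer text and also reported alone.
        body = _plain(rtf[m.end():_group_end(rtf, m.end())])
        keyword = body.split(" ", 1)[0].upper()
        found.append((keyword, body, keyword in WATCHED))
    return found

if __name__ == "__main__":
    for keyword, instruction, watched in scan_rtf_fields(SAMPLE_RTF):
        print("FLAG" if watched else "ok  ", instruction)
```

A nested field shows up twice: once flattened inside its parent's instruction and once as its own entry, which is the one that gets flagged.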

  7. #7
    Gold Lounger
    Join Date
    Dec 2000
    Location
    New Hampshire, USA
    Posts
    3,386
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Document Collaboration Spyware (Word 97)

    I'm not at all worried about fields such as INCLUDETEXT.
    I can always lock fields.

  8. #8
    4 Star Lounger
    Join Date
    May 2002
    Location
    Australia
    Posts
    549
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Document Collaboration Spyware (Word 97)

    I have been following this discussion about Word 97 out of interest rather than concern as anything I send using Word is always PW protected against editing. However, awareness is a good thing, it's great to know you folks are on top of such traps. Thank you for your efforts.

  9. #9
    Platinum Lounger
    Join Date
    Dec 2000
    Location
    Hornsby Heights, New South Wales, Australia
    Posts
    3,822
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Document Collaboration Spyware (Word 97)

    Sorry Kevin,

    That code doesn't do the trick, although, it's going in the right direction. Not with the sample that I have received. The beauty about this one is, as usual, that all the "experts" think they know what they are talking about, without having actually seen the real thing. If it was as simple as what appears in this thread, I wouldn't have bothered writing a detection utility for it. Nor would all the major news services have run with the story. Hmmn, maybe scrap that last sentence.
    Cheers, Claude.

  10. #10

  11. #11
    New Lounger
    Join Date
    Jul 2001
    Location
    D.C.
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Document Collaboration Spyware (Word 97)

    Folks -- Thanks for the responses!

    How do you "lock fields"? Is this the Ctrl-Shift-F9 command that converts the field results to literal text?

    Rick Ellrod

  12. #12
    Uranium Lounger
    Join Date
    Dec 2000
    Location
    Los Angeles Area, California, USA
    Posts
    7,453
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Document Collaboration Spyware (Word 97)

    Hi Rick:
    It's Ctrl+F11 & will prevent updates unless & until it's unlocked (Ctrl+Shift+F11). You can find a keyboard shortcut by going to Tools/Customize/keyboard & choosing All commands under category. Then scroll to the command (some of them are obscure, but this one is called lockfields). You'll see the shortcut listed.
    Cheers,
