Bugtraq mailing list archives
Re: Security side-effects of Word fields
From: Woody Leonhard <woody () wopr com>
Date: 3 Sep 2002 11:59:39 -0000
In-Reply-To: <20020826212322.1137.qmail () mail securityfocus com>
Alex -
You've come up with a very clever application of field codes - one that I
had never considered. I'm working with Word 2000 SR-1a and Word 2002 SP-2.
I've had a chance to converse with Dr. Vesselin Bontchev, who's using
Word 97. So far, here's what I've been able to pin down:
The "Document collaboration spyware" attack is, as you describe, far more
ominous if the {INCLUDETEXT} field fires automatically.
Apparently, Word 97 behaves precisely as you describe - in particular, if
the

{ IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\a.txt" "c:\\a.txt" } \* MERGEFORMAT } = "" "" \* MERGEFORMAT }

field is the last field in a document, it's automatically updated when
the document is opened. That's a huge security hole, in my opinion.
Word 2000 SR-1a and Word 2002 SP-2 don't behave the same way. In the
later versions, I can only get two fields to update automatically: {DATE}
and {TIME}. They're updated automatically when the document is opened, no
matter where they sit in the document. I couldn't get any combination of
{if {date}...} or {includetext {date} ...} fields to update automatically
in 2000 or 2002.
That said, I did stumble onto a weird combination of fields that seems to
pull some outside text into the document automatically, even in Word 2000
and Word 2002. I've contacted Microsoft about the problem - going to give
them a chance to solve it before I talk about it - and will keep you
posted as I learn more.
The "oblivious signing" attack you describe can be similarly triggered
automatically using judicious combinations of {if} and {date} fields -
but only in Word 97. There may be a way to do it automatically in Word
2000 and/or 2002, but I haven't been able to come up with a combination
that works.
If you have to rely on the victim manually updating all the fields in a
document, the threat is much less ominous (in my opinion, anyway). But
it's worth noting that printing a document in any version of Word will
trigger an update of all the fields in the document, unless the user has
specifically clicked Tools | Options | Print | Printing Options and
unchecked the box marked "Update fields".
I'll be following this security hole closely in "Woody's Office Watch"
over the next few weeks.
- Woody
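
Added example, not part of the original message: a defender-side check that parses field-code text (as displayed when field codes are toggled on) and flags fields that pull in outside content, noting when the target is computed by nested fields as in the construct quoted above. The function names, the EXTERNAL_FIELDS set and the sample line are assumptions made for this illustration; getting the field-code text out of a document file is left out.

```python
import re
from dataclasses import dataclass, field

# Field types that pull outside content into a document (assumed subset; extend as needed).
EXTERNAL_FIELDS = {"INCLUDETEXT", "INCLUDEPICTURE"}

@dataclass
class Field:
    parts: list = field(default_factory=list)  # characters and nested Field objects

    def own_text(self):
        return "".join(p for p in self.parts if isinstance(p, str))

    def keyword(self):
        words = self.own_text().split()
        return words[0].upper() if words else ""

    def walk(self):
        yield self
        for p in self.parts:
            if isinstance(p, Field):
                yield from p.walk()

def parse_fields(text):
    """Build a tree from brace-delimited field-code text (braces inside quotes not handled)."""
    root = Field()
    stack = [root]
    for ch in text:
        if ch == "{":
            child = Field()
            stack[-1].parts.append(child)
            stack.append(child)
        elif ch == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            stack[-1].parts.append(ch)
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root

def flag_external_includes(text):
    """Report each external-content field, its literal targets, and whether the target is computed."""
    findings = []
    for f in list(parse_fields(text).walk())[1:]:  # skip the synthetic root node
        if f.keyword() in EXTERNAL_FIELDS:
            nodes = list(f.walk())
            literals = {s for n in nodes for s in re.findall(r'"([^"]*)"', n.own_text()) if s}
            findings.append({"field": f.keyword(), "computed_target": len(nodes) > 1,
                             "targets": sorted(literals)})
    return findings

# Constructed input: the field from the message above, written as one line of field-code text.
SAMPLE = r'{ IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\a.txt" "c:\\a.txt" } \* MERGEFORMAT } = "" "" \* MERGEFORMAT }'
```

A finding with `computed_target` set to true means the include target is wrapped in further fields, so a plain text search for `INCLUDETEXT "path"` would not match it.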
