Microsoft never noticed such an immense flaw in the six years since it created Word 97. The latest fiasco seems to indicate that Microsoft is incapable of finding serious security flaws on its own.
  technofile
Al Fasoldt's reviews and commentaries, continuously available online since 1983

Word 97 bug lets thieves steal any of your files


Sept. 22, 2002


By Al Fasoldt
Copyright © 2002, Al Fasoldt
Copyright © 2002, The Post-Standard

   Thieves can steal virtually any file from your Windows PC through a devastating bug recently discovered in Microsoft Word 97, one of the most common word processors among Windows users worldwide.
   The flaw is the worst Microsoft bug I've ever encountered. It was uncovered by independent experts a few weeks ago and confirmed by Microsoft a few days later. Microsoft says it is working on a fix.
   It's not known whether the same kind of bug exists in Microsoft's other versions of Word. It's also not clear how the bug got into Word 97. The bug does not affect versions of Microsoft Word for Apple's Macintosh computers.
   It seems inconceivable that Microsoft itself never noticed such an immense flaw in the six years since it created Word 97. Microsoft has repeatedly asked independent Windows experts to ease up and hold off revealing bugs so it will get a chance to fix them first, but the latest fiasco seems to indicate that Microsoft is incapable of doing this on its own.
   The bug allows malicious users to copy information from home and office PCs by inserting hidden code in a Word 97 document. If the document is sent for collaborative work -- in other words, if someone sends you such a Trojan Horse document and asks you to add your own comments and send it back by e-mail -- that person will receive the contents of any files the thief wants to steal.
   Any file a Word 97 user has access to, whether it is located on a desktop PC or on a network, can be stolen this way. Because Word 97 has no built-in security, the thief has all the access rights that Word 97 users have.
   You have no way to check for malicious instructions and no way to know if your personal files have been copied. A tainted Word 97 document will appear normal in every way.
   If you have any doubts about the integrity of a Word 97 document (or any other file) you've received by e-mail, don't open it. If it came from a stranger, trash the entire message, including the attached document, and immediately empty the trash. (Right-clicking on the trash icon in Windows and most mail software produces a menu option to get rid of the contents of the trash folder.)
   I advise individuals and companies who do collaborative work by e-mail to stop using any of the three modern versions of Microsoft Word for such projects. These versions -- Word 97, Word 2000 and Word 2002 (Word XP) -- are so similar that they should be considered untrustworthy at this time.
   Companies, schools and individuals can get a safe word processor compatible in most ways with Microsoft Word in the free OpenOffice.org suite of programs (www.openoffice.org) and in the low-cost StarOffice suite (wwws.sun.com/software/star/staroffice/6.0).
   I've used both these programs and have come to prefer the word processor in these two suites (it's basically the same) over Microsoft Word. Both are free from the Word 97 bug.