Has anyone heard of this MS Word vulnerability



Bruce Meyer
06-03-08, 08:40 AM
While trying to determine the source of a leak, one of my colleagues
said he thought he had read of the following:

If I create an MS Word Document, and save it. Then later open it back
up and delete a specific paragraph prior to publishing that document
on a web site, a user with a tool designed for this, can recover the
deleted text as it is actually still inside that document.

I had never heard of this.

Can anyone verify if this is correct, and if so, how to go about
viewing that deleted paragraph to prove to others that yes, this could
be how info is being extracted from published documents?

Thanks either way,
Bruce D. Meyer

Leythos
06-03-08, 08:49 AM
In article <f46878ca-c024-425f-aa93-3a35737b7222
@l42g2000hsc.googlegroups.com>, bdmeyersc@gmail.com says...
> If I create an MS Word Document, and save it. Then later open it back
> up and delete a specific paragraph prior to publishing that document
> on a web site, a user with a tool designed for this, can recover the
> deleted text as it is actually still inside that document.

While not exactly as you state, unless you SAVE AS the file will contain
edits and other pieces that you've removed - this has been known for
YEARS.

Always publish documents to PDF so that you don't have to worry about
it.

If you are going to publish text from a word document, do just that,
publish the text.

If you want to make the document downloadable, but they don't need to
edit it, your only safe method is to convert to PDF and digitally sign
the document.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
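A pre-publication check for the residue described in the post above, as an added example that is not part of the original thread: it searches a file's bytes, and the members of a zip-based document, for phrases that were supposed to have been removed. The function names, the phrase "Project Falcon" and both sample inputs are constructed for illustration.

```python
import io
import zipfile

# Encodings tried for each phrase: Word's binary .doc stores text as 8-bit
# or UTF-16LE; the XML parts inside a .docx are UTF-8.
ENCODINGS = ("cp1252", "utf-8", "utf-16-le")

def _streams(data):
    """Yield (name, bytes): the raw file, plus every member if it is a zip."""
    yield "<raw>", data
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                yield info.filename, zf.read(info)

def _needles(phrase):
    """Map each distinct byte encoding of the phrase to an encoding label."""
    out = {}
    for enc in ENCODINGS:
        try:
            out.setdefault(phrase.encode(enc).lower(), enc)
        except UnicodeEncodeError:
            pass  # phrase has characters this encoding cannot represent
    return out

def find_residue(data, phrases):
    """Return (stream, encoding, offset, phrase) for every case-insensitive hit."""
    hits = []
    for name, blob in _streams(data):
        hay = blob.lower()  # lowercases ASCII bytes only, same as the needles
        for phrase in phrases:
            for needle, enc in _needles(phrase).items():
                pos = hay.find(needle)
                while pos != -1:
                    hits.append((name, enc, pos, phrase))
                    pos = hay.find(needle, pos + 1)
    return hits

def sample_doc():
    """Constructed bytes (not a real .doc): live 8-bit text, then leftover UTF-16LE text."""
    return (b"\xd0\xcf\x11\xe0" + b"\x00" * 8 + "Public summary.".encode("cp1252")
            + b"\x00" * 4 + "Project Falcon budget".encode("utf-16-le"))

def sample_docx():
    """Constructed zip with one XML part holding a tracked deletion."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml",
                    "<w:del><w:r><w:delText>Project Falcon</w:delText></w:r></w:del>")
    return buf.getvalue()
```

An empty result only means these exact phrases were not found in these encodings; text split across formatting runs or stored in another form will not match.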

Arthur T.
06-03-08, 10:29 AM
In
Message-ID:<f46878ca-c024-425f-aa93-3a35737b7222@l42g2000hsc.googlegroups.com>,
Bruce Meyer <bdmeyersc@gmail.com> wrote:

>If I create an MS Word Document, and save it. Then later open it back
>up and delete a specific paragraph prior to publishing that document
>on a web site, a user with a tool designed for this, can recover the
>deleted text as it is actually still inside that document.
>
>I had never heard of this.
>
>Can anyone verify if this is correct, and if so, how to go about
>viewing that deleted paragraph to prove to others that yes, this could
>be how info is being extracted from published documents?

There are a lot of examples of this that have been in the
news. And, it's not just deleted text; sometimes the metadata
(properties) can leak data.

M$ has a free download, the "remove hidden data" tool, for
Office. Get it and use it.

I was going to tell you how to view the hidden data, but I
find I'm uncomfortable stating even this minor bit of cracking
info in a public forum. I *will* say that it's dead simple.

One of the 3-letter agencies has a policy that the only way
they'll make a document available electronically is to print it,
scan it, and make the scan available.

--
Arthur T. - ar23hur "at" intergate "dot" com
Looking for a z/OS (IBM mainframe) systems programmer position

Jim Watt
06-03-08, 12:49 PM
On Tue, 3 Jun 2008 06:40:51 -0700 (PDT), Bruce Meyer
<bdmeyersc@gmail.com> wrote:

>While trying to determine the source of a leak, one of my colleagues
>said he thought he had read of the following:
>
>If I create an MS Word Document, and save it. Then later open it back
>up and delete a specific paragraph prior to publishing that document
>on a web site, a user with a tool designed for this, can recover the
>deleted text as it is actually still inside that document.
>
>I had never heard of this.
>
>Can anyone verify if this is correct, and if so, how to go about
>viewing that deleted paragraph to prove to others that yes, this could
>be how info is being extracted from published documents?
>
>Thanks either way,
> Bruce D. Meyer

It's old news, and along with macro viruses a reason
why publishing word documents on the Internet is
unwise.

I believe .rtf's are generally safe.
--
Jim Watt
http://www.gibnet.com

Moe Trin
06-03-08, 03:10 PM
On Tue, 3 Jun 2008, in the Usenet newsgroup alt.computer.security, in article
<f46878ca-c024-425f-aa93-3a35737b7222@l42g2000hsc.googlegroups.com>, Bruce
Meyer wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

>While trying to determine the source of a leak, one of my colleagues
>said he thought he had read of the following:
>
>If I create an MS Word Document, and save it. Then later open it back
>up and delete a specific paragraph prior to publishing that document
>on a web site, a user with a tool designed for this, can recover the
>deleted text as it is actually still inside that document.

Yeah, that has been a "feature" of MS Word for at least 18 years,
probably as long as MS Word has existed (~25 years).

>I had never heard of this.

Well, you're posting from a search engine - did you ever think to use
it for the purpose it was originally created for (other than providing
targeted advertising that is). Even the wonkypedia discusses the
problem. "comp.risks" is a Usenet newsgroup that mirrors the Risks
Digest from the ACM. If you were to search for keywords like 'redact'
'delete' and 'Microsoft Word' (or MS Word)
in the last three years, you should get at least a dozen hits. It's
been used by law enforcement to catch criminals with some regularity.
You'd think people might learn, but that means reading a manual, and
that's way too hard.

>Can anyone verify if this is correct, and if so, how to go about
>viewing that deleted paragraph to prove to others that yes, this could
>be how info is being extracted from published documents?

You mention the word "leak" above, and are posting from a South Carolina
state address block. Rather than tell you, and have you contaminate the
evidence because you don't know what you are doing, contact your designated
law enforcement agency. Yes, the method is trivial, and many know how it's
done. The so-called tool is ordinary software found on most computers.

Old guy

Moe Trin
06-03-08, 03:11 PM
On Tue, 3 Jun 2008, in the Usenet newsgroup alt.computer.security, in article
<MPG.22af15f9d002e21d9898b9@adfree.usenet.com>, Leythos wrote:

>While not exactly as you state, unless you SAVE AS the file will contain
>edits and other pieces that you've removed - this has been known for
>YEARS.

I'm amazed that that "feature" is still here, what - twenty-five years
after MS-Word 1.0. I mean it's not as if we're still running on a
4.77 MHz 8088 using floppy drives as mass storage.

>Always publish documents to PDF so that you don't have to worry about
>it.

Owww, maybe _you_ want to spend some time with a search engine - the
Usenet newsgroup comp.risks would be nice, and search for the keyword
'redact' - which will bring up issue 24.14 through 24.17 (1Q2006)

PDF documents can leak image data (Geoff Kuenning)

NSA on redacting Word and PDF documents (dmagda)
NSA explains how to redact documents electronically (Steven M. Bellovin)

Re: "NSA on redacting Word and PDF documents" (Matt Jaffe)

Some risks can be good for you, Re: redacting (Richard Karpinski)

or issue 24.34 and 24.35 (Jul 2006)

Yet another example of accidental disclosure of redacted info (Aaron Emigh)

Re: Yet another example of accidental disclosure of redacted info
(Amos Shapir)

or issue 24.83 (Sept 2007)

FIA blunder reveals secrets: obscured material viewable (Ben Moore)
Redacted material still viewable (Ben Moore)

That's just looking at Volume 24. There are others in other volumes.

Old guy

David H. Lipman
06-03-08, 03:47 PM
From: "Bruce Meyer" <bdmeyersc@gmail.com>

| While trying to determine the source of a leak, one of my colleagues
| said he thought he had read of the following:
|
| If I create an MS Word Document, and save it. Then later open it back
| up and delete a specific paragraph prior to publishing that document
| on a web site, a user with a tool designed for this, can recover the
| deleted text as it is actually still inside that document.
|
| I had never heard of this.
|
| Can anyone verify if this is correct, and if so, how to go about
| viewing that deleted paragraph to prove to others that yes, this could
| be how info is being extracted from published documents?
|
| Thanks either way,
| Bruce D. Meyer

Yes. This is relatively "well known". PowerPoint and Excel also suffer from this.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Arthur T.
06-03-08, 05:56 PM
In Message-ID:<bv0b4493p5o32igfpe99o90pp7v0r43ja3@4ax.com>,
Jim Watt <jimwatt@aol.no_way> wrote:

>I believe .rtf's are generally safe.

Want to open up an RTF from me in Word and see what kind of
havoc I can cause?

It's fairly simple to create an RTF with malicious effect,
but, again, I won't tell how in a public forum.

--
Arthur T. - ar23hur "at" intergate "dot" com
Looking for a z/OS (IBM mainframe) systems programmer position

Jim Watt
06-03-08, 06:23 PM
On Tue, 03 Jun 2008 18:56:31 -0400, Arthur T. <arthur@munged.invalid>
wrote:

>In Message-ID:<bv0b4493p5o32igfpe99o90pp7v0r43ja3@4ax.com>,
>Jim Watt <jimwatt@aol.no_way> wrote:
>
>>I believe .rtf's are generally safe.
>
> Want to open up an RTF from me in Word and see what kind of
>havoc I can cause?

Fair enough, but an advantage of them is they are cross
platform and don't contain macros. The rtf's on my sites
are safe, and I suspect unless the content is carefully
crafted, so are most other people's. However on this
occasion I shall decline the offer :)

I seem to remember there was a rather explosive .zip
file which turned into umpteen gigabytes.
--
Jim Watt
http://www.gibnet.com

Arthur T.
06-03-08, 09:23 PM
In Message-ID:<i5kb44l1ap0410a1749nlgeqjjdbnrk08l@4ax.com>,
Jim Watt <jimwatt@aol.no_way> wrote:

>Fair enough, but an advantage of them is they are cross
>platform and don't contain macros.

If you want to give me your edress, I'll reply to this
off-list.

--
Arthur T. - ar23hur "at" intergate "dot" com
Looking for a z/OS (IBM mainframe) systems programmer position

Klunk
06-05-08, 11:04 AM
On Tue, 03 Jun 2008 19:49:42 +0200, Jim Watt passed an empty day by
writing:

> It's old news.....

As is the Apache 2.0.51 vulnerability affecting your Website on that VPS.