AgentSun
04-02-2004, 03:39 PM
Word flaw a window into Microsoft
Fri Apr 2, 6:46 AM ET
By Mike Langberg, Mercury News
You'd think the people who make Microsoft Word understand enough about the program to avoid embarrassing themselves with unintended disclosures of internal information.
You'd be wrong.
Michal Zalewski, a 23-year-old computer security specialist in Warsaw, Poland, pulled off a clever bit of online sleuthing last month. In a delicious piece of irony, he found about 500 Word documents on Microsoft's own Web site that hadn't been purged of revisions made during the editing process.
My favorite: In a 2002 white paper refuting the value of the upstart Linux (news - web sites) operating system, an anonymous Microsoft author wrote "Microsoft is an enduring company . . ." Apparently a cooler head then prevailed on the author to remove the second part of the sentence: "that's not going out of business (unlike many Linux vendors)."
What Zalewski uncovered is a classic example of how Microsoft often plows ahead with new features and only later stops to think about the consequences.
Recent versions of Word and other applications in the Office suite, such as Excel and PowerPoint, have been packed with "collaboration" features that allow work teams to edit documents.
A supervisor, for example, can put questions in the margins, insert highlighted text or make deletions by making strikethrough lines. When the original author accepts the changes, the final version of the document shows only the edited results. But the history of all those changes remains hidden in the document file, and anyone receiving the document only has to hit a button to open a "reviewing pane" to reveal the document's life history.
Microsoft has never given Word users an easy and obvious way to create a final document purged of hidden changes. Indeed, many Word users aren't even aware of the problem.
This gaping flaw has caused more than a few red faces. Last month, the technology Web site News.com uncovered an apparent last-minute legal strategy switch by SCO Group, a small Utah company that is asserting patent rights to parts of Linux. By looking at hidden changes in the Word file of a lawsuit filed by SCO against DaimlerChrysler, News.com discovered extensive plans to also sue Bank of America.
In February 2003, the British government was forced to admit that an official report on the threat posed by Iraq (news - web sites) had largely been culled from magazines and academic journals rather than Britain's intelligence agencies. Hidden changes in the Word file showed where the report's author had cut and pasted from some of the outside sources.
Zalewski was browsing through Microsoft's Web site when he found a Word document with change-tracking information intact. Curious, he launched a "spider" program that examined all the Word documents -- about 10,000 -- posted on Microsoft's site. About 5 percent contained deleted text hiding just out of sight.
There were no smoking guns. Zalewski didn't unearth any trade secrets or top-secret plots that would excite antitrust regulators. But he did find lots of amusing examples of how press releases, white papers and other documents evolve.
His results are in "Strike that out, Sam" on his Web site (http://lcamtuf.core dump.cx/strikeout). The article got a global audience Monday, when it was mentioned on the techie news and gossip site Slashdot (www.slashdot.org).
Here, with deleted text in italic and added text in bold, are a few more gems Zalewski found:
• A case study citing a pharmaceutical company using Microsoft's Tablet PC design gets scaled back. "Aventis is deploying has evaluated the Tablet PC . . . Clinical trial associates are using participated in a pilot to compare the Tablet PC with their regular notebook PCs."
• From the same white paper I mentioned, responding to a step-by-step story in CIO Magazine advocating Linux, magazine writer Scott Berinato comes under heavy but ultimately invisible attack. "Berinato has no point in this step, nor does he have anything that remotely resembles a fact . . . This step is where Berinato's lack of analytic rigor becomes painfully obvious."
• Near the end of the white paper, some hot-button words for a company often accused of running an illegal monopoly are removed. "What has been proven is that Microsoft dominates leads in price/performance benchmarks, owning currently holding the top ten slots."
I asked Microsoft's vast PR machine for a response and, after two days, got the following statement:
"The distributed publishing model of Microsoft.com encourages people across Microsoft to quickly publish and distribute timely information for customers and partners. Unfortunately, the necessary steps to ensure documents are in a final format are not always taken. We recognize and are working on improving the checks and balances of our process."
If you want to improve your own checks and balances, Microsoft provides a small program for free called "Remove Hidden Data" that does just that for Office XP and Office 2003 documents. Go to the Microsoft Download Center (www.
microsoft.com/
downloads) and type "remove hidden data" in the keyword field.
Zalewski is a former high school computer whiz kid who worked for a computer security firm in the United States for three years -- including a few months in San Jose -- before returning home to Poland a year ago. No Starch Press of San Francisco is publishing his first book, called "Silence on the Wire," in August.
"He's going to be one of the leading lights of computer security for some time to come," says Scott Blake, Zalewski's former boss at BindView, a Houston consulting firm.
You heard it here first.
Contact Mike Langberg at mike@langberg.com or (408) 920-5084. Past columns may be read at www.langberg.com.
Fri Apr 2, 6:46 AM ET
By Mike Langberg, Mercury News
You'd think the people who make Microsoft Word understand enough about the program to avoid embarrassing themselves with unintended disclosures of internal information.
You'd be wrong.
Michal Zalewski, a 23-year-old computer security specialist in Warsaw, Poland, pulled off a clever bit of online sleuthing last month. In a delicious piece of irony, he found about 500 Word documents on Microsoft's own Web site that hadn't been purged of revisions made during the editing process.
My favorite: In a 2002 white paper refuting the value of the upstart Linux (news - web sites) operating system, an anonymous Microsoft author wrote "Microsoft is an enduring company . . ." Apparently a cooler head then prevailed on the author to remove the second part of the sentence: "that's not going out of business (unlike many Linux vendors)."
What Zalewski uncovered is a classic example of how Microsoft often plows ahead with new features and only later stops to think about the consequences.
Recent versions of Word and other applications in the Office suite, such as Excel and PowerPoint, have been packed with "collaboration" features that allow work teams to edit documents.
A supervisor, for example, can put questions in the margins, insert highlighted text or make deletions by making strikethrough lines. When the original author accepts the changes, the final version of the document shows only the edited results. But the history of all those changes remains hidden in the document file, and anyone receiving the document only has to hit a button to open a "reviewing pane" to reveal the document's life history.
Microsoft has never given Word users an easy and obvious way to create a final document purged of hidden changes. Indeed, many Word users aren't even aware of the problem.
This gaping flaw has caused more than a few red faces. Last month, the technology Web site News.com uncovered an apparent last-minute legal strategy switch by SCO Group, a small Utah company that is asserting patent rights to parts of Linux. By looking at hidden changes in the Word file of a lawsuit filed by SCO against DaimlerChrysler, News.com discovered extensive plans to also sue Bank of America.
In February 2003, the British government was forced to admit that an official report on the threat posed by Iraq (news - web sites) had largely been culled from magazines and academic journals rather than Britain's intelligence agencies. Hidden changes in the Word file showed where the report's author had cut and pasted from some of the outside sources.
Zalewski was browsing through Microsoft's Web site when he found a Word document with change-tracking information intact. Curious, he launched a "spider" program that examined all the Word documents -- about 10,000 -- posted on Microsoft's site. About 5 percent contained deleted text hiding just out of sight.
There were no smoking guns. Zalewski didn't unearth any trade secrets or top-secret plots that would excite antitrust regulators. But he did find lots of amusing examples of how press releases, white papers and other documents evolve.
His results are in "Strike that out, Sam" on his Web site (http://lcamtuf.core dump.cx/strikeout). The article got a global audience Monday, when it was mentioned on the techie news and gossip site Slashdot (www.slashdot.org).
Here, with deleted text in italic and added text in bold, are a few more gems Zalewski found:
• A case study citing a pharmaceutical company using Microsoft's Tablet PC design gets scaled back. "Aventis is deploying has evaluated the Tablet PC . . . Clinical trial associates are using participated in a pilot to compare the Tablet PC with their regular notebook PCs."
• From the same white paper I mentioned, responding to a step-by-step story in CIO Magazine advocating Linux, magazine writer Scott Berinato comes under heavy but ultimately invisible attack. "Berinato has no point in this step, nor does he have anything that remotely resembles a fact . . . This step is where Berinato's lack of analytic rigor becomes painfully obvious."
• Near the end of the white paper, some hot-button words for a company often accused of running an illegal monopoly are removed. "What has been proven is that Microsoft dominates leads in price/performance benchmarks, owning currently holding the top ten slots."
I asked Microsoft's vast PR machine for a response and, after two days, got the following statement:
"The distributed publishing model of Microsoft.com encourages people across Microsoft to quickly publish and distribute timely information for customers and partners. Unfortunately, the necessary steps to ensure documents are in a final format are not always taken. We recognize and are working on improving the checks and balances of our process."
If you want to improve your own checks and balances, Microsoft provides a small program for free called "Remove Hidden Data" that does just that for Office XP and Office 2003 documents. Go to the Microsoft Download Center (www.
microsoft.com/
downloads) and type "remove hidden data" in the keyword field.
Zalewski is a former high school computer whiz kid who worked for a computer security firm in the United States for three years -- including a few months in San Jose -- before returning home to Poland a year ago. No Starch Press of San Francisco is publishing his first book, called "Silence on the Wire," in August.
"He's going to be one of the leading lights of computer security for some time to come," says Scott Blake, Zalewski's former boss at BindView, a Houston consulting firm.
You heard it here first.
Contact Mike Langberg at mike@langberg.com or (408) 920-5084. Past columns may be read at www.langberg.com.