In-Reply-To: <20020826212322.1137.qmail@mail.securityfocus.com> Alex - You've come up with a very clever application of field codes - one that I had never considered. I'm working with Word 2000 SR-1a and Word 2002 SP- 2. I've had a chance to converse with Dr. Vesselin Bontchev, who's using Word 97. So far, here's what I've been able to pin down: The "Document collaboration spyware" attack is, as you describe, far more ominous if the {INCLUDETEXT} field fires automatically. Apparently, Word 97 behaves precisely as you describe - in particular, if the { IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\a.txt" "c:\\a.txt" } \* MERGEFORMAT } = "" "" \* MERGEFORMAT } field is the last field in a document, it's automatically updated when the document is opened. That's a huge security hole, in my opinion. Word 2000 SR-1a and Word 2002 SP-2 don't behave the same way. In the later versions, I can only get two fields to update automatically: {DATE} and {TIME}. They're updated automatically when the document is opened, no matter where they sit in the document. I couldn't get any combination of {if {date}...} or {includetext {date} ...} fields to update automatically in 2000 or 2002. That said, I did stumble onto a weird combination of fields that seems to pull some outside text into the document automatically, even in Word 2000 and Word 2002. I've contacted Microsoft about the problem - going to give them a chance to solve it before I talk about it - and will keep you posted as I learn more. The "oblivious signing" attack you describe can be similarly triggered automatically using judicious combinations of {if} and {date} fields - but only in Word 97. There may be a way to do it automatically in Word 2000 and/or 2002, but I haven't been able to come up with a combination that works. If you have to rely on the victim manually updating all the fields in a document, the threat is much less ominous (in my opinion, anyway). But it's worth noting that printing a document in any version of Word will trigger an update of all the fields in the document, unless the user has specifically clicked Tools | Options | Print | Printing Options and unchecked the box marked "Update fields". I'll be following this security hole closely in "Woody's Office Watch" over the next few weeks. - Woody
