Information about Reported Microsoft Word Fields Vulnerability

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

September 13, 2002

A posting to a security forum regarding Microsoft Word fields has led to some confusion and speculation. As with every report of a security issue in a Microsoft product, the Microsoft Security Response Center immediately investigated this issue and we’d like to take a minute to update our customers on the issue and our plans for addressing it.

The report describes a method by which an attacker could potentially create a document that when opened would use Word fields to view the contents of a user’s document. Word fields are a feature that provides a way of automatically inserting information into Word documents. This feature is commonly used to insert information such as dates and page numbers in document Headers and Footers. By default the fields are hidden from view so as not to clutter the document when it is being edited, but they can be revealed if necessary.

In order for an attacker to take advantage of this vulnerability, the attacker would have to craft a malicious Word document, pass this to the user and then entice the user to return the document. In doing so, the user could unknowingly be including the contents of a file he or she had access to through the use of a specially crafted Word field. The issue affects all versions of Word to varying degrees, and the complexity on the attacker’s part varies as well since individual attack vectors may be needed for specific versions of Word.

Microsoft is continuing to investigate this issue thoroughly and will be providing fixes for all supported versions of Word. In the meantime, the continued observance of the best practice of not replying or responding to unsolicited, untrusted or suspicious documents or e-mails can protect concerned users. In addition there are a number of reasons why this issue would be difficult to actively exploit:

  • The attacker would need to know the absolute path to the file that is to be stolen. The attacker would need to include the name and path to the file of interest. If the correct path were not presented, the attack would fail and the user would be presented with an error message.

  • The attacker would need to entice the user into returning the document. No information would be revealed unless the user returned the document to the attacker.

  • The user could always view the field codes. The field codes used in the attack can be revealed, as they are only hidden to prevent cluttering the document when it is being viewed or edited. A method of checking documents for additional undesired information is described later.

  • The attacker would leave a clear audit trail. Since the field codes can be viewed, even if an attack is successful, the attacker would leave clear evidence in the document in the form of the stolen information and the malicious field codes used. This evidence could be used by law enforcement agencies if required.

An additional element of the report suggested a scenario where this issue could be used to forge a document which has been digitally signed. Microsoft has evaluated this scenario and found that if this attack vector was followed, the digital signature on the forged document would be invalidated and this would be evident from inspecting the digital signature. Even if the attacker were to somehow manage to find a way to present the user with a valid digital signature, as discussed above, there would still be a clear evidence trail that could be followed and handed over to law enforcement agencies if necessary.

There are a number of articles that already exist in the Microsoft Knowledgebase that discuss how to ensure a Word document does not contain additional undesired information, including how to inspect and remove field codes. These can be found at:

This issue has also raised questions about Microsoft’s support for Office 97. Microsoft continues to offer support on Office 97 through assisted support from Microsoft Product Support Services (PSS). Information on how to contact PSS can be found at: Office 97 users should be aware, however, that Office 97 was developed in an era when the security threat was very different, and Office 97 does not include any of the improved security architecture of more recent versions of Office, such as Macro and e-mail attachment security. For best security, we recommend that customers use Word 2002.

The customer confusion and speculation around this issue is a clear illustration of the challenges faced when security reports are made public rather than reported to the vendor. Responsible researchers work with vendors to ensure that the priority in dealing with security issues is first and foremost the protection and safety of users. Had this been the priority in this case, much of the confusion, speculation and anxiety that resulted in this case could have been avoided.

Note: This issue has been resolved. Please see Microsoft Security Bulletin MS02-059.