12/06/2003 Archived Entry: "MS Word leakage"

Go to Google, type in the words "miserable failure," and click "I'm Feeling Lucky." According to The Inquirer, the campaign to establish this link began here only a week ago. I'm happy to help.

If you deal with secure or confidential documents, beware Microsoft Word. Your documents are stuffed with hidden content such as the names of the authors, your organization, filenames on your computer, deleted text, and even text from unrelated documents.

The problem is this: Word documents contain a lot of "metadata" which is not visible when you edit the file, but can be extracted. Even text from previous drafts can remain in the file. Publishing such a document on the web can be embarrassing, as the Blair government found out with their Iraq dossier. Just last week, SCO made the same blunder with an "open letter" purportedly from their CEO.
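
An added example, not part of the original entry: a pre-publication check for this kind of residue. It assumes the newer .docx format (a zip of XML parts) rather than the binary .doc files of 2003, and the sample document, names and company in build_sample() are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Property elements that name people or organizations (local tag names)
IDENTITY_TAGS = {"creator", "lastModifiedBy", "Company", "Manager"}


def audit_docx(data: bytes) -> dict:
    """Report identity properties and tracked deletions stored in a .docx."""
    found = {"properties": {}, "revision_authors": set(), "deleted_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in names:
                continue
            for el in ET.fromstring(z.read(part)).iter():
                local = el.tag.rsplit("}", 1)[-1]
                if local in IDENTITY_TAGS and el.text:
                    found["properties"][local] = el.text
        if "word/document.xml" in names:
            body = ET.fromstring(z.read("word/document.xml"))
            # <w:del> wraps text removed with change tracking on; it is
            # hidden in the final view but still present in the file.
            for rev in body.iter(W + "del"):
                found["revision_authors"].add(rev.get(W + "author", "unknown"))
                text = "".join(t.text or "" for t in rev.iter(W + "delText"))
                found["deleted_text"].append(text)
    return found


def build_sample() -> bytes:
    """Constructed minimal .docx-style archive with planted residue."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
            'package/2006/metadata/core-properties" xmlns:dc="http://purl.org/'
            'dc/elements/1.1/"><dc:creator>J. Example</dc:creator>'
            '<cp:lastModifiedBy>A. Reviewer</cp:lastModifiedBy></cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/'
           '2006/extended-properties"><Company>Example Corp</Company></Properties>')
    doc = ('<w:document xmlns:w="' + W[1:-1] + '"><w:body><w:p><w:r><w:t>Public text.'
           '</w:t></w:r><w:del w:author="A. Reviewer"><w:r><w:delText>Draft-only '
           'remark.</w:delText></w:r></w:del></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in (("docProps/core.xml", core), ("docProps/app.xml", app), ("word/document.xml", doc)):
            z.writestr(name, xml)
    return buf.getvalue()
```

To check a real file before publishing it, pass its bytes: audit_docx(open(path, "rb").read()). Any non-empty field in the result is content a reader of the published file can recover.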

Publishing in another document format may not save you. In response to a Freedom of Information Act request, the U.S. Justice Department released a heavily censored report in PDF format. Those stalwart folks at The Memory Hole promptly discovered that the blacked-out text was still inside the report, and easily revealed. Oopsie.

With a lot of care, you can clean up Word documents for publication. But if you work in an office where privacy is a concern -- or a legal requirement -- you might want to consider an alternative word processor like Open Office. And publish your documents in open formats like HTML. Of course, I encourage government agencies to continue using MS Word, and to publish as many government documents as they can in this format. How else will we find out what they're up to?

(Thanks to our friends the Millers for telling us about this report.)

Lest you get the impression that all the world's security problems begin with Microsoft -- an easy conclusion to reach -- here are a few security warnings for Linux users:

If you run a server or have untrusted local users, you should upgrade to the 2.4.23 kernel. There's a vulnerability which can give local users root privileges. This is not an Internet exploit, and home and desktop users need not worry. Someone must have a login account on your machine to exploit this.

Of greater concern is this latest vulnerability in rsync. This can be exploited over an Internet connection, so make sure you close port 873/tcp in your firewall.

Better still, close all unused ports. The Inquirer has some excellent suggestions for firewall policies.
