TUCoPS :: Macintosh :: word.htm

MS Office 98 - Read Sensitive Files

    MS Office 98 (Word98 vulnerability described)


    MacOS With MS Office 98


    Mike Morton found following:

        1.  Open a few documents, work on your Macintosh for a while.
        2.  Open word 98 and  compose a message, then save it  to your
        3.  Attach the document to an email, and send it.
        4.  open  the  resulting  document  from  the  email when  you
            receive it in BBEdit.

    The  file  can  be  read  plain  text  with  all  sorts  of  juicy
    information  like  passwords,  URLS,  document locations, etc, all
    from the origionating computer.  We have been able to successfully
    gleam  passwords  and  logins  from  the  file, IN PLAIN TEXT.  It
    contains  information  that  is  MONTHS  old  from  the orginating
    computer.  This was tested  only on the Macintosh version  of Word
    98, and the  emails were sent  via Eudora.   Btw, if you  open the
    saved  document  on  your  harddrive  -  you get the same results!
    This is reproducable from Word 2.0 version.  While the  likelihood
    of revealing sensitive information is low, if this file were  then
    sent  to  another  user,  it  could  possibly  expose  data from a
    previously deleted file on the sender's system.

    The problem is caused  by the way Office  98 allocates space on  a
    disk for local  file storage. The  Mac OS --  like many other  OS'
    file systems  -- does  not erase  files when  you delete  them, it
    simply removes  a reference  to them  in the  disk's catalog,  and
    marks the space they occupied as "free."  Office 98 does not clear
    the disk space  when the Mac  OS allocates it  during a File  Save
    operation.  Instead, Office 98 simply writes the file contents  to
    the  allocated  disk  space,  overwriting  any  random  data  that
    physically existed on  the disk.   Since the Mac  OS allocates the
    disk space  in set  chunks, called  clusters, the  small amount of
    unused space  at the  end of  the file's  last cluster may contain
    random data  from previously-deleted  files.   The data  cannot be
    viewed when  opened as  a native  Office file.   However, an ASCII
    text editor can be used to view the extraneous data.


    Microsoft  recommends  that  customers  using  Office  98  for the
    Macintosh install  the available  Office 98  update, which  can be
    downloaded from the Office 98 for the Macintosh web site at:


    Previous versions of  Office for the  Macintosh are not  affected.
    Customers  who  cannot  apply  the  hot  fix can use the following
    workarounds to temporarily address this issue:

    - This  problem  can  be  eliminated  by using a third party  disk
      utility for the Mac OS that completely erase files when they are
    - Users can save files to freshly formatted floppy disks to ensure
      that there is no unwanted data included with the file.
    - This  issue  only  affects  files  that  are  saved  to a  local
      Macintosh volume.  By performing  a "Save  As..." operation from
      Office 98 and  saving the file  to network volume,  such a to  a
      Windows NT  Server running  Services for  Macintosh, any  random
      data at the end of the file will be removed.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986- AOH