honoluluadvertiser.com

The Honolulu Advertiser
Posted on: Friday, September 13, 2002

Microsoft discloses software glitch

By D. Ian Hopper
Associated Press

WASHINGTON — Microsoft's flagship word processor has a security flaw that could allow the theft of computer files by "bugging" a document with a hidden code, the company disclosed yesterday.

It said it was exploring how to fix the problem and whether to extend the repair to an older version of the software still used by millions.

The attack begins when a bugged document goes out, usually with a request to be revised and returned to the sender — a common form of daily communication. When the document is changed and sent back, the targeted file accompanies it.

"It has the potential of allowing people to get at data that they are explicitly not allowed to get to," said Woody Leonhard, who has written books on Microsoft's Word and Office software.

The flaw would most likely occur in the workplace, where Word is the most prominent word processing program. Potential targets for theft are sensitive legal contracts, payroll records or e-mails, either from a hard drive or computer network, depending on the victim's access to files.

"The issue appears to affect all versions of Microsoft Word," Microsoft said in a statement. "When the investigation is completed, we will take the action that best serves Microsoft's customers."

Word 97, an earlier version of the program, is most susceptible to the attack. Microsoft said it is its policy to no longer repair Word 97, but said the company is still exploring the issue.

A research firm reported in May that about 32 percent of offices have copies of Word 97 running, according to a survey of 1,500 high-tech managers worldwide.

If the intended target uses Word 2000 or 2002, the most recent versions, the attack will work only if the Word document is printed before a reply goes out to the attacker.

Microsoft says that in both security flaws, an attacker would have to know the exact file name to be stolen and its location. But experts said many critical files — an address book or saved e-mails, for example — are usually in obvious or predictable places on every Microsoft Windows computer.