OK...so we can all clearly see that Greg is extremely concerned about security issues...and well he should be, he's constantly fighting them with network issues and spends days and sometimes nights fixing servers that need to be updated due to security issues. And yes, he DID stand there and tell top MS VP that security needs to be #1 and that he's sick and tired of having to deal with all the holes in MS systems...and they need to get down to reengineering some of the root issues! (Hey...see pics http://www.mousetrax.com/01summit.html)

But the digital signature is not just a problem here...that's why it's not used, legally, yet...because none of the technology is yet secure and there are just too many outstanding issues of theft related to digital signatures on legal documents. You can find tons of arguments all over the web regarding the pros and cons...and ideas of how to solve these issues.

Sorry Greg...I know this is all a sore spot, but regarding this particular issue...it's been a known fact for years and I personally consider it more of an issue such as Master Docs. It SHOULD work as expected, but doesn't...never has. So it's not like some big mystery that Woody has just uncovered...since he and many of us have known about it before...this "bug" with IncludeText has been a sidelines issue for years!

Dian Chapman
Technical Consultant, Instructor, Microsoft MVP & TechTrax Editor
Word AutoForm/VBA eBook: http://www.mousetrax.com/books.html
Tutorial web site: http://www.mousetrax.com/techpage.html
TechTrax Ezine: http://www.mousetrax.com/techtrax/

-----Original Message-----
From: mso-bounce@xxxxxxxxxxxxx [mailto:mso-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Chapman
Sent: Friday, September 13, 2002 10:52 PM
To: mso@xxxxxxxxxxxxx
Subject: [mso] Re: Microsoft Word flaw may allow file theft

Well, Woody has been reporting this publicly for a couple weeks now.
It is a pretty serious hole and the problem with it is what the black hats will develop to take advantage of it, not the flaw itself.

The thing that ticks me most about it, though, is that I (and Dian was there to hear it) told MS Word engineers that something like this was going to show up and that it would allow hackers to even steal 'signed' credentials. So when I digitally sign a Word template for distribution and the safety tag is there that says "Greggie's signature is on this template, do you trust him?" someone else can steal that sig and use it to pass unsafe code. Suddenly, those keyed signatures are valueless and we're right back where we started on this Word macro virus problem.

This passage is not reassuring:

"An additional element of the report suggested a scenario where this issue could be used to forge a document which has been digitally signed. Microsoft has evaluated this scenario and found that if this attack vector was followed, the digital signature on the forged document would be invalidated and this would be evident from inspecting the digital signature. Even if the attacker were to somehow manage to find a way to present the user with a valid digital signature, as discussed above, there would still be a clear evidence trail that could be followed and handed over to law enforcement agencies if necessary."

That's from http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/secword.asp .

The reason it's not reassuring, is much more serious than what the news bunnies are reporting and invalidates the whole idea of signed macros is the fact that it can be done and that the trail to the attacker will not be distinct because the key to making the whole thing work is the same old solution; social engineering. Enticing people to view a document, accept the changes, ad infinitum is actually the simplest part of making a viral payload go.

Here's an example from the "I love you" virus.
One of the admins I work with was checking his shared family account from the office one day. He noticed a piece of mail intended for his wife from one of the family's close female friends. When he saw the subject (I love you!), his curiosity meter pegged ("Why is this woman suddenly telling my wife she loves her?!?!"). As he clicked on the message, his co-workers heard his loud, too late, cry of "Oh Sh**!". Yes the finger is faster than the mind, once distracted.<g> He knew better and he even knew before his finger arose from the mouse that he'd been had. The damage had already been done, though.

They can play with includetext fields all they want, but I want the built-in security measure to be solid. There's no way this sig should ever be able to be stolen/forged and, despite warnings from little geeks like me, the ball has been dropped across all versions of Word, post ver 97.

Greg

----- Original Message -----
From: "Charles R. Buchanan" <crbgfblab@xxxxxxxxxxxxx>
To: "MS Office Mailing List" <mso@xxxxxxxxxxxxx>
Sent: Friday, September 13, 2002 2:12 PM
Subject: [mso] Microsoft Word flaw may allow file theft

>
> I'm not certain this pertains to MS Word within MS Office, if not then
> forgive the off topic post!
>
> http://www.cnn.com/2002/TECH/ptech/09/13/microsoft.word.bug.ap/index.html
> ---
> Look OUT you varmits, This msg is Virus Free!
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.386 / Virus Database: 218 - Release Date: 9/9/2002
>
> *************************************************************
> You are receiving this mail because you subscribed to
> mso@xxxxxxxxxxxxx or MicrosoftOffice@xxxxxxxxxxxxxxxx
>
> To send mail to the group, simply address it to mso@xxxxxxxxxxxxx
>
> To Unsubscribe from this group, send an email to
> mso-request@xxxxxxxxxxxxx?Subject=unsubscribe
>
> Or, visit the group's homepage and use the dropdown menu.
> This will also allow you to change your email settings to digest or vacation (no mail).
> //www.freelists.org/webpage/mso
>
> To be able to use the files section for sharing files with the group,
> send a request to mso-moderators@xxxxxxxxxxxxx and you will be sent an invitation with instructions. Once you are a member of the files group, you can go here to upload/download files:
> http://www.smartgroups.com/vault/msofiles
> *************************************************************