The Privacy Foundation, which supports an Internet privacy research institute at the University of Denver, today published a report demonstrating how Word documents can be planted with "Web bugs" that can pass information about the use of the file back to the author. Web bugs can also be embedded in Excel spreadsheets and PowerPoint slide show files, according to the report, which was authored by Privacy Foundation chief technology officer Richard Smith.
"What this means basically is that if an author of a document for whatever reason cares about who is reading it, he can bug it and then monitor it," Smith said. "They can find out the IP address and host name of whoever is reading the document."
A Web bug works by planting a Web address into a document. The bugs can take up just a single pixel on a computer screen, making them invisible to a viewer.
Smith said that at this point, he knows of no instances in which documents are being bugged in this way, but he described a number of scenarios in which it could be used. Companies might embed bugs into confidential documents to detect leaks or to determine copyright infringement, for example.
Microsoft product manager Lisa Gurry downplayed the Privacy Foundation's discovery, saying that such capabilities exist for all Web-based applications and have for some time.
"We actually believe this is much ado about not much," Gurry said. "There is no evidence that anyone is exploiting that to potentially try and manage cookies through Word documents."
Gurry added that people can prevent this scenario by disabling the cookie feature on their Web browsers.
The surveillance method described by Smith is possible because Word allows authors to embed image locations rather than actual images as a space-saving move. As the document communicates with the remote server where the image sits, the author can monitor where the document goes and how often it is opened.
Cutting and pasting portions of Word documents into other files could also transfer the bugs.
Smith also raised the specter of Word Web bugs reading and writing Internet Explorer browser cookies.
"Cookies could allow an author to match up the computer viewer of a Word document to their visits to the author's Web site," Smith warned in the advisory.
Marketers have long used Web bugs to track the whereabouts of Internet users and to track whether email messages are opened and read, according to Smith. The ability to embed Web bugs into Microsoft Word, Excel and PowerPoint documents adds the possibility of tracking an array of file formats.
While there may be talk, Smith could not cite any examples of such tracking on MP3 files or Microsoft Word files.
One security analyst questioned whether the Web bug should be thought of as a bug or as a legitimate feature prone to abuse.
"The problem is that it's often possible to take well-meaning features such as this linking and use them for less honorable purposes such as the monitoring of user activity for copyright enforcement or marketing purposes," wrote SecurityFocus.com analyst Elias Levy. "The feature itself is agnostic; it's how you put it to use that becomes an issue."
Levy said Microsoft could respond in one of two ways: disabling the feature entirely, or letting consumers decide when it can be used.
"The latter would entail modifying Word to warn the user when an embedded link is in the document, similarly to how it warns users of embedded macros, or like Internet Explorer can warn users of cookies," Levy wrote.
In his advisory, Smith recommended that Web browser cookies be disabled within Word documents and other non-browser applications, but he stopped short of calling for Microsoft to remove the Web bug capabilities. He recommended that concerned consumers use personal firewall software to monitor when "unauthorized" programs like Word are accessing the Internet.