From: Ross Johnson [mailto:[EMAIL PROTECTED]] > >Ash Nallawalla wrote: >> >> From: Rick Welykochy >> >> > The Privacy Foundation has just released an advisory >> > on an issue that we discovered earlier this month >> > in Microsoft Word. >> >> Office 97 was Web-enabled, so haven't these "Web Bugs" been >around for a >> while? >> >> See: http://www.tiac.net/users/smiths/privacy/index.htm > >The Star Office suite also allows image URLs to be included >in documents, spreadsheets and presentations, which means that it >also has the capacity to host web bugs. I would guess that most >similar application suites have the same capability. > >Star Office of course runs on Linux, Solaris, and Windows. My >checking was done on a Linux machine. It depends on where StarOffice gets its cookies from. Basically there are two "problems" here: i) An embedded <A HREF...> in a Word document will cause a web connection to the appropriate site. On receiving this connection, a suitably engineered web page or web server could record the IP address (or proxy IP address) of the person reading the document. ii) Word invokes IE to do all its internet access (via WinInet APIs) and so the remote site can read/write any cookies on your local machine as if you were browsing it with IE (which in fact you are). This is actually the case for embedded <A HREF> tags in HTML email, Excel documents, and any other "web enabled" application that uses IE/WinInet to access the web. I guess the privacy concern is that someone may give you a word document on a floppy, or other non-net related transfer mechanism and the author can subtly notice that someone is reading their document without the person knowing. Using cookies they can be sure not to count a machine twice. I'm not sure how StarOffice does its web access - whether it uses its own web browser as a component, whose cookies it accesses and how it behaves with a "bugged" document. (I hate the term 'bug' in this context - makes me think of a programming error or something). Obvious solution to the cookies is to turn them off. Not sure about how to stop the net access, but as our document processors become more and more "Internet aware" we'll see the possibility of this type of activity become more readily available - Windows, Linux or MacOS. Do you really want your applications that use a common HTML renderer (including your web browser) asking you every time they access an image tag? Seems like a tough question to me. John Wiltshire -- SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/ More Info: http://slug.org.au/lists/listinfo/slug
