Originally created 04/18/99

Melissa may do more damage from creators capture



Here's the good news: Melissa the virus had her 15 minutes of fame. The cops say they've arrested her creator, and they say he'll probably go to jail.

Here's the bad news: When they tracked the suspect down, investigators exploited a feature (or flaw) in Microsoft Word that exposes everyone who uses the program to potentially embarrassing invasions of privacy.

The secret is that Word not only tracks the creator of every document, but also records every change you or anyone else has made. You can't see the information on your screen, but it's there -- hidden in what Microsoft calls "metadata," stored on your disk and transmitted with the file when you e-mail it to someone or post it on the Web.

Now there are good reasons for tracking revisions and additions to a document, particularly in a collaborative environment. In fact, this capability is one of Word's strong points. Instead of printing reports and circulating paper copies, Word users are increasingly e-mailing the original files to one another because it's more convenient. That's how Melissa -- a virus written in Word's programming language -- spread so quickly.

The sleuths who helped investigate Melissa used the hidden data to help identify the alleged author, David L. Smith of Aberdeen Township, N.J. They say they found his name, the ID code of his computer and other information hidden in several Microsoft Word documents related to Melissa.

It doesn't take a great leap of the imagination to see how this kind of information could be embarrassing to honest folks, too. For example, if you e-mail a bid to a customer, would you want him to see evidence that you'd changed your prices five times? If you jot down unkind comments about a colleague in a note and then think better of it, would you want your original words hanging around for anyone to see?

You don't need a Ph.D. to find this buried information. There are plenty of free or inexpensive viewers that will show you the entire contents of a Word file or any other document. If the file is small enough, you can even use Windows' Notepad utility to peek inside.

The first security hole was discovered in March by Richard Smith (no relation to David Smith), president of Phar Lap Software in Cambridge, Mass. He found that Windows 95/98 generates a Globally Unique Identifier, or GUID, for every computer based on the ID number built into its network adapter card. Microsoft collected this information when users registered Windows online -- a practice the embarrassed company said it has stopped.

Smith also discovered that Microsoft Word, Excel and PowerPoint use the GUID to create a unique ID number hidden in each document. Rishi Khan, a University of Delaware computer engineering major who helped Smith and other investigators track Melissa, said the information can tell snoopers which computer created each document and when it was created -- which in most cases points to a specific user.

But according to Khan -- and I've been able to confirm it by peeking at my own documents -- Word goes much further. When you first run the program, Word asks for your name, which it embeds in each file's metadata. If you pass a document on to a colleague for editing, his or her name is added to the file. Word even keeps track of the directory in which the file was stored.

If you have Word's Fast Save feature turned on, which most people do, Word doesn't replace the existing file with a new version when you save it. It records only the changes you've made, so everything you've already written -- and erased -- is still there.

How hard is it to find the hidden information? I had no trouble using Inso's Quick View Plus, the enhanced, commercial version of a file-viewing utility that comes packaged with Windows (www.inso.com). Among its other useful features, QVP lets you see the raw data in any file by opening it in "text" mode. When you view a Word file this way, you'll see the metadata, much of which appears as garbage on the screen. But if you scroll through the document, you'll find the GUID and all the revisions you've made in plain text.

How can you avoid security problems with these features? One way is to avoid e-mailing entire Word documents. You can copy the text of most short letters and notes directly into the body of an e-mail message. This is probably more convenient for your correspondent anyway, and it saves bandwidth.

To avoid exposing revisions of Word documents to prying eyes, you can copy the entire text of a letter or report into a new Word document and send the new file to your recipient. This will include only the latest version.

But your best bet is to modify Windows and Office 97 programs to eliminate the problem. Microsoft has posted a Web page with links to programs that will purge the GUID from your system and show you how to modify Word's settings to eliminate unnecessary information. You'll find it at http://officeupdate.microsoft.com/Articles/privacy.htm.

If you use Word and value your privacy, do it now.