By publishing Microsoft Office documents on the web or by sending them via e-mail, you are at risk of information disclosure.
Since Microsoft Office is so widely accepted, Microsoft Office documents are an extremely popular way of Business-To-Business information exchange. While it is important to provide your partners or customers with extensive and easily accessible information, every company always has private information that shouldn't go outside and is intended for company employees eyes only.
Numerous case studies suggest that most of the companies that use Microsoft Documents, are not aware of the potential threats contained in the files they send outside or publish on the Internet. Let's do a simple experiment: Start Microsoft Word, create a new document and type "Hello, World!". Save it and take a look at the file size. I've got 20 kilobytes with my MS Word 2003. How is it that 13 characters of text require a 20 thousand character file to be saved on your disk? What are the other thousands of characters used for?
Every Microsoft Office document is a Structured Storage, a universal data format developed by Microsoft. Structured Storage may contain various pieces of textual and binary data. This is how they save images and text into the same file, for example. In addition to your text, its formatting, images and embedded objects, your Microsoft Word documents also contain technical info that is usually referred to as metadata.
You can get a very simple example of the information contained in your documents metadata by taking a look at the Document Properties Dialog (Main Menu: File/Properties). As you can see, some of the fields in this dialog are automatically filled in and automatically saved with your document: Title, Author, Company, Last Saved By, etc. Even these, the most basic metadata examples, may put your company into an embarrassing situation. You may not want to publish the names of your subcontractors, or unveil your information sources, etc. But, you should also know that this is just the tip of the iceberg. Most of the information contained in your documents is normally not shown. Yet, it can be easily extracted by your recipients with metadata extraction utilities or simply by turning on specific options in the Microsoft Office applications.
Metadata may also contain your company employees notes, corrections and even previous versions of the document that were for some reason rejected. Office documents incrementally collect info about the authors, correctors, editors and their contributions. Normally, your comments and the rejected versions of a document are not intended for the document recipient's eyes. However, a person that is sending out your documents or publishing them on the web may not be aware of the additional info contained in the metadata. Typically, you do not create agreements, contracts, invoices, reports and more from scratch. You use another document as a template. This way you can easily unveil the details of the contract that were used as a template. In some cases, this may cause serious financial or legal problems to your company.
OK. Now, you are aware of the problem. But is there a standard workaround? Unfortunately, no. Microsoft does not provide a standard feature to clear the metadata. There are guides available on the net that teach you how to check and clear the most threatening pieces of metadata. I think this is not a good idea. Manual processing takes time and there are no guaranties that you haven't missed something important.
Recently, I've came across a 30 dollar utility that can potentially save you millions by protecting your company from getting sued by your customers or beaten by your competitors who could use the metadata from your office documents against you. Smart PC Solutions offers for $30 their Document Trace Remover...the product that inspired this article. This utility is a great leap in securing your office documents. The program automatically analyzes your documents and allows you to either remove certain pieces of metadata or substitute them with the info that you would like to present to your recipients. Document Trace Remover can also operate in a batch mode. This allows you to easily check and secure multiple files at once.
I believe it is a good idea to start checking your documents immediately. Visit the Smart PC Solutions web site for more info about Document Trace Remover:
http://www.smartpctools.com/trace_remover
or use the following link to download the program directly:
http://www.smartpctools.com/files/dtrsetup.exe
It is a free download. They offer a 30 day trial.
Thursday, July 24, 2008
Microsoft Office Users are at Risk of Information Disclosure
by: Mykola Rudenko