Sniffing Out MS Security Glitch

The unique fingerprint that Microsoft Office covertly adds to documents may be found all over your computer. A simple check lets you see where it's hidden. By Chris Oakes.

A security vulnerability that hides unique identifiers in Microsoft Office documents may affect files created by other software applications, according to the programmer who identified the breach.

Other Office documents and browser cookies, and possibly even software from other companies, can store the unique identity codes, according to Richard Smith, president of Phar Lap Software in Cambridge, Massachusetts, who first reported the security glitch on Sunday.

Smith discovered that Excel and Word applications fingerprint files with an identifying number. That number is used by the hardware that connects a PC to a local area network. The 32-digit numbers were designed long ago by developers of networking hardware to identify individual machines.

"These things are slippery. These [numbers] are floating around -- it's hard to say where they're showing up," said Smith.

Microsoft was not available for comment.

The identifying number is trapped in the Windows registry file as a Globally Unique Identifier, or GUID, and embedded in a hidden part of documents created using Office, including Word, Excel, and PowerPoint.

"I got email from someone mentioning that GUIDs are also put in Web-browser cookies. I did a quick scan on my Netscape cookies file and found a number of Web sites that were indeed using GUIDs for identification purposes," Smith said.

It goes to show the ubiquity of the ID numbers, he said. "Anyone writing applications can use them. [The privacy issue] is an unintended side effect."

The unique number can be easily traced to a person by searching for the number in documents known to be created by that person, according to Smith. Unknown documents could also be associated with that person using the identification number.

"If you're in some really weird office-politics situation -- who knows?" he said.

He plans to explore whether other Windows applications, such as software for creating Web pages, use the ID numbers. He's also interested in the behavior of the company's Outlook email software.

Smith said users can easily find their own network address, then search their hard-disk content for documents containing the ID number to determine where it is surreptitiously stored.

Users can find the number by selecting the Run command under the Windows Start menu and typing winipcfg to launch the Windows IP configuration utility. One of the fields appearing in the dialog box contains the user's "network adapter" address.

"All I did was have a search utility scan the hard disk for occurrences of the Ethernet address," he said.

Smith used one called Grep. "Anyone can do that and see how common it is."
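The check Smith describes, as an added example (not code from the article or from Smith): a Python script that searches a directory tree for one adapter address written as raw bytes, as ASCII hex, or as UTF-16LE hex. The article does not say which form each application stores, so the three encodings are an assumption, and the sample address and file contents are constructed.

```python
import tempfile
from pathlib import Path

def mac_patterns(mac):
    """Byte patterns for one adapter address: raw, ASCII hex, UTF-16LE hex."""
    digits = "".join(c for c in mac if c.isalnum())
    if len(digits) != 12:
        raise ValueError("expected 12 hex digits, got %r" % mac)
    pats = {"raw bytes": bytes.fromhex(digits)}  # raises ValueError on non-hex
    for case, text in (("lower", digits.lower()), ("upper", digits.upper())):
        pats["ASCII hex (%s)" % case] = text.encode("ascii")
        pats["UTF-16LE hex (%s)" % case] = text.encode("utf-16-le")
    return pats

def scan_file(path, patterns, chunk=1 << 20):
    """Return the sorted labels of every pattern found in the file."""
    overlap = max(len(p) for p in patterns.values()) - 1
    found, tail = set(), b""
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            window = tail + block
            found.update(k for k, p in patterns.items() if p in window)
            tail = window[-overlap:]  # keep matches that straddle two chunks
    return sorted(found)

def scan_tree(root, mac):
    """Map each file under root containing the address to the forms seen."""
    patterns, hits = mac_patterns(mac), {}
    for path in Path(root).rglob("*"):
        try:
            labels = scan_file(path, patterns) if path.is_file() else []
        except OSError:
            continue  # locked or unreadable file
        if labels:
            hits[str(path)] = labels
    return hits

def demo(mac="02-00-5E-AB-CD-EF"):  # constructed address, not from the article
    samples = {  # constructed file contents
        "report.doc": bytes(64) + bytes.fromhex("02005eabcdef") + bytes(8),
        "cookies.txt": b"site.example\tID\t7f3a1b00-0000-11d2-8000-02005EABCDEF\n",
        "notes.txt": b"nothing identifying here\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return {Path(p).name: v for p, v in scan_tree(root, mac).items()}

if __name__ == "__main__":
    print(demo())
```

To audit a real machine, call `scan_tree` with a folder of your own documents and the adapter address shown by the IP configuration utility.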