Word, Excel and PowerPoint docs can phone other computers and report information when a shortcut is used for including images in e-mail messages. The bug hasn't bitten -- yet.
SEATTLE -- Documents created with some Microsoft software can be rigged to "phone home" to another computer and report where and how often a document is read, a privacy organisation said Wednesday.
The technique known as a "Web bug" takes advantage of a shortcut for including images in Microsoft Word, Excel and PowerPoint, Privacy Foundation said on its Web site.
But the group's chief technology officer, Richard Smith, added that there was no evidence that anyone had exploited the setup, and he did not recommend that users disable the features in their software.
Because images can take up a lot of memory in a document and make them difficult to send through e-mail, the creator of a document can simply insert an Internet address in the document that then calls up the image from a host computer when the document is opened by somebody else.
However, when one computer asks another for something like an image, it routinely sends along data about its own location on the Internet, called an Internet protocol (IP) address.
"Because a linked Web image must be fetched from a remote Web server, the server is in a position to track when a Word document is opened and possibly by whom," Smith wrote.
Web bugs could be as small as a single pixel, or dot, on a computer screen, making them nearly invisible, Smith said.
"In most cases, the reader of a particular document will not know that the document is bugged, or that the Web bug is surreptitiously sending identifying information back through the Internet," Smith said.
Cookies and bugs
The Web bug could also allow a "cookie" -- a small program used extensively by Web sites to track usage and other data -- to be placed on the document reader's computer, Smith said.
Examples of how Web bugs could be used include advertising companies that want to see who receives an ad and how the ad spreads, or by companies that could place a bug in a confidential document to track in the event it was leaked.
Microsoft said it was unlikely any personal information could be tracked using the Web bug and noted that cookies could be rejected by changing options in the user's Web browser.
On a scale of one to five, with five being the most severe privacy concern, the Privacy Foundation rated it a two.
"It's really a lot to do about very little," Eric Schultze, program manager for Microsoft's security response centre, said in an interview about the report.
"These are not in any way specific to Microsoft or any other vendor; they are Internet issues," Schultze said. "This could happen on any Web-enabled application or on any vendor's operating system."
Smith of the Privacy Foundation agreed that any software -- not just Microsoft's -- that uses automatic links to Web pages could be vulnerable to the same problem.
