Old MS Office bug still leaking your data?

The Google search engine reports that there are over half a million Microsoft Word .doc files available for download from various Web sites. Of these, a small but significant percentage have been created using versions of the software known to create "leaky" documents.

First discovered in 1998, the bug causes random fragments of data from previously deleted files to be included in areas of a document that are otherwise unused. This random data can contain anything that might have once been stored on the creator's computer, including passwords, sections of other documents and correspondence.

Anyone downloading affected documents and browsing them with a hex editor--a program that allows a user to look at code--can easily view this extra information, although it otherwise remains invisible.

The applications responsible for producing these potentially leaky documents were Microsoft Word 6.0 and 7.0, plus version 7.0 of PowerPoint and Excel. Although a patch was quickly released to plug the hole, documents created before the patch was applied, and not subsequently edited, may still contain the unexpected snippets of sensitive data.

U.S. government Web sites also appear vulnerable to these potential leaks, with some 240,000 Word documents and 32,000 PowerPoint files listed by Google under the .gov domain. A small sampling indicates that up to 5 percent of these documents may have been created with the buggy versions of the software.

The problem appears to be a global one, although it is more pronounced in areas where the Net was in common use before the flaw was uncovered. Potentially leaky documents have been discovered on the government Web sites of a number of other countries, including Canada, France, Australia and New Zealand.

ZDNet Australia's Bruce Simpson reported from Sydney.