If Office XP's So Great, How Come Microsoft Uses Word 97?

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
11 Feb 2002, 10:49 AM CST

A white paper that describes security enhancements in Office XP was created by Microsoft on a word processor that is two generations old, a security expert said.
The document, posted at the Microsoft site in recent weeks and entitled "Microsoft Office XP Security," was composed using Word 97, according to an analysis of the file's header information by Richard M. Smith, an independent security and privacy consultant.

Word 97 for Windows has been superseded by Word 2000 and Word 2002, which is part of the Office XP suite released last year.

Microsoft officials were not immediately available for comment.

Smith made the observation using a tool he developed for viewing the "metadata" hidden in Office documents.

The tool previously enabled Smith to discover that a Word version of Microsoft's 1999 annual report posted to the company's Web site was created on a Macintosh rather than on a Windows PC.

Smith said the latest incident underscores his belief that Word 97 is still in wide use and that Microsoft should consider making available to Office 97 users some of the security improvements in Office 2000 and Office XP.

"People apparently haven't felt a need to upgrade to the latest versions," said Smith, who added that Microsoft should not use security enhancements as a carrot to coax users to purchase its latest software.

Six security features touted by Microsoft in Office XP are digital signatures, code signing, access controls, privacy and confidentiality, Outlook security enhancements and improved data recovery.

According to the Computer Emergency Response Team at Carnegie Mellon University, the notorious Melissa virus of 1999 targeted unpatched versions of Word 97 that enabled some macros to execute without warning.

The author of the Office XP security white paper appeared to follow the company's recommendations for minimizing the amount of metadata that is contained within Word documents.

According to Microsoft, metadata stored in Word documents may include the author's name, company, computer name, network or hard disk name, document revisions, hidden text and comments.

The Summary window in the document's Properties menu contained no personal information. It did however show that while the security white paper's title page said the document was created in March, 2001, the file was last modified Jan. 29, 2002.

According to Smith, many Word documents posted on the Web, including some at U.S. government sites, have not been well sanitized of metadata by their authors.

"It's great for doing forensics," he said.