[luau] Exercise Your Due Diligence & Throw Away Microsoft Word

[W. Wayne Liauh]

It appears that the "spyware" with Microsoft Word is much worse than 
what I feared.  See the following report:

. . .

"More bad news: in the past couple of days I've cobbled
together a "spy" document that automatically retrieves the
full file names of all documents which are already open
when the "spy" document gets opened. (You'll recall that
Alex's exploit requires the attacker to know the precise
name and location of the file that's being spied upon.)

"The very bad news: that new file name retrieval "spy"
technique works automatically and silently in all versions
of Word - 97, 2000, or 2002 (the version in Office XP).
Microsoft says "For best security, we recommend that
customers use Word 2002." I don't buy it. Microsoft got
lucky when it changed the way certain fields were updated
in Word 2002 - Alex's original exploit doesn't work
automatically in Word 2002. But they weren't looking at
Word fields from a security point of view when they sent
Office XP out the door, and they missed at least one gaping
hole.

"I've sent seven exploits to Microsoft in the past two
weeks. A couple of them are no more than parlor tricks - so
far - but most of them look ominous. Several of them work
automatically in all versions of Word: Word 97 ain't the
only version with its tail hanging out. Microsoft assures
me that they're on top of all of the problems I've sent so
far. I sure hope so. '

http://www.wpuniverse.com/vb/showthread.php?s=&threadid=7070