[woody@wopr.com: Office XP document numbers can be linked to individual machines]

Bugtraq email that seemed on-topic for forensics as well.

• Forwarded message from Woody Leonhard <woody@wopr.com> -----

Date: 13 Nov 2002 14:10:47 -0000
From: Woody Leonhard <woody@wopr.com>
To: bugtraq@securityfocus.com
Subject: Office XP document numbers can be linked to individual machines

When you use Outlook 2002 to attach a document, spreadsheet or presentation to an email message, Outlook sticks four items in the document?s File | Properties | Custom dialog box. They?re called:

_AdHocReviewCycleID
_AuthorEmail
_AuthorEmailDisplayName
_EmailSubject

The last three entries are pretty straightforward: Outlook 2002 grabs your email address, your name, and the message?s subject, and sticks them in the document. (See http://www.woodyswatch.com/office/archtemplate.asp? v7-n50 )

The _AdHocReviewCycleID entry had me stumped until Beth Melton pointed me to a footnote on her ?Do You Want to Merge Changes? page at http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=107 . Here?s what?s happening.

When you attach a document to an email message in Outlook 2002, Outlook assigns it a ten-digit number ? let?s call it a document number - then updates a file on your PC called AdHoc.rcd with the name of the document, its location, and that document number.

AdHoc.rcd is an old-fashioned .ini file. My copy is stored in c:\Documents and Settings\Woody\Application Data\Microsoft\Office. AdHoc.rcd appears to store the document numbers and full document path for the last 99 documents that were attached to email messages.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

So you send out an Office document, attached to an email message. It?s branded by Outlook 2002 with a specific (apparently more or less randomly generated) ten digit _AdHocReviewCycleID. The recipient saves the file, makes her edits, attaches it to another email message, and shoots it back to you. Outlook 2002 is smart enough to NOT overwrite the
_AdHocReviewCycleID in the document if one is already present, I believe,
so when you get the document back, the original document number is intact.

When you open the document in Word, Excel, or PowerPoint ? doesn?t matter if you save the document first, and then open it, or if you open it directly while you?re looking at the email message ? the application is smart enough to look for _AdHocReviewCycleID, look it up in AdHoc.rcd, and hit you with the grating message

?Do you want to merge changes in ?WOW751.doc? back into ?c:\Documents and Settings\Woody\My Documents\SomeFolder\WOW751.doc?? Yes | No | No, And don?t ask again

if there?s a match on _AdHocReviewCycleID.

For example, when I sent the last issue of Woody?s Office Watch to Peter Deegan for editing, I used Outlook 2002 to attach it to an email message. Outlook created a section that looks like this in my AdHoc.rcd file:

[1294394770]
Path=C:\Documents and Settings\Woody\My Documents\WOW\WOW751.doc Slot=Doc93

If I look back at the copy of WOW751.doc that I sent to Peter last week, sure enough, the File | Properties | Custom box contains

_AdHocReviewCycleID 1294394770

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

If I open the copy of WOW751.doc that I attached to the message I sent to Peter, I get that grating question.

And that explains why I can send a file to my editor, he can make changes ? even change the file name ? and send it back to me, and when I open it, Word will still pop up with that grating message.

This near-unique branding of documents with ten digit numbers leads to some interesting questions. For example, if you have a document with a specific _AdHocReviewCycleID, can you tell which machine it originated on? Granted, you?d have to look at the AdHoc.rcd file on any suspect machines. But how is this any better (or worse) than the old Office 97 document ?unique identifier? problems?

(If you weren?t around for that controversy several years ago, check out

http://news.com.com/2100-1001-222876.html?legacy=cnet or 
http://www.byte.com/documents/s=146/byt19990906s0012/index3.htm or 
http://www.woodyswatch.com/office/archtemplate.asp?v4-n12 for a 

More than that, why does Word use these document numbers even when you uncheck the Tools | Options | Security | ?Store random number to improve merge accuracy? box?

Or am I missing something?

• End forwarded message -----

-- 
http://sardonix.org/