Date: Sat, 2 Sep 2000 22:32:40 -0600 From: Kurt Seifried <listuser@SEIFRIED.ORG> Subject: Sun StarOffice documents that "phone home" and other interesting To: BUGTRAQ@SECURITYFOCUS.COM I'm surprised no-one has yet posted this to Bugtraq, so here goes. StarOffice 5.2, downloaded from Sun. Simply insert a graphic, for filename give the URL. I simply used a gif from one of my websites, and watched the logfile while loading the document/etc. HTML document: it phones home, no warning, not unexpected. StarWriter document (version 5), it phones home, no warning. StarSpreadsheet (name?), it phones home, no warning. StarImpress (presentation ala powerpoint software), it phones home, no warning. Opening these documents in Linux, same results. The weirdest thing is when I ran strings on them I saw bits of data from other What concerns me even more is this: under Windows I created a new spreadsheet, inserted an image (http://blahblah), saved it and exited, then ran it through strings, and saw some data from an email I sent a while ago. WTF??? Closed outlook, tried it with starwriter, nothing, tried it again with starcalc, wasn't able to recreate it... Needless to say StarOffice raises some rather interesting issues, and seems to have some problems/glitches, if anyone can confirm this I would love to know. As for a warning dialog before downloading internet components that might be nice, something like: "do you wish to retrieve http://www.example.org/trackingimage-091919.gif?" But I doubt Sun will add that in. Kurt Seifried SecurityPortal, your focal point for security on the net http://www.securityportal.com/