Office XP document numbers can be linked to individual machines

From: Woody Leonhard (woody@wopr.com)
Date: 11/13/02


Date: 13 Nov 2002 14:10:47 -0000
From: Woody Leonhard <woody@wopr.com>
To: bugtraq@securityfocus.com


('binary' encoding is not supported, stored as-is)

When you use Outlook 2002 to attach a document, spreadsheet or
presentation to an email message, Outlook sticks four items in the
document’s File | Properties | Custom dialog box. They’re called:

_AdHocReviewCycleID
_AuthorEmail
_AuthorEmailDisplayName
_EmailSubject

The last three entries are pretty straightforward: Outlook 2002 grabs
your email address, your name, and the message’s subject, and sticks them
in the document. (See http://www.woodyswatch.com/office/archtemplate.asp?
v7-n50 )

The _AdHocReviewCycleID entry had me stumped until Beth Melton pointed me
to a footnote on her “Do You Want to Merge Changes” page at
http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=107 . Here’s
what’s happening.

When you attach a document to an email message in Outlook 2002, Outlook
assigns it a ten-digit number – let’s call it a document number - then
updates a file on your PC called AdHoc.rcd with the name of the document,
its location, and that document number.

AdHoc.rcd is an old-fashioned .ini file. My copy is stored in
c:\Documents and Settings\Woody\Application Data\Microsoft\Office.
AdHoc.rcd appears to store the document numbers and full document path
for the last 99 documents that were attached to email messages.

So you send out an Office document, attached to an email message. It’s
branded by Outlook 2002 with a specific (apparently more or less randomly
generated) ten digit _AdHocReviewCycleID. The recipient saves the file,
makes her edits, attaches it to another email message, and shoots it back
to you. Outlook 2002 is smart enough to NOT overwrite the
_AdHocReviewCycleID in the document if one is already present, I believe,
so when you get the document back, the original document number is intact.

When you open the document in Word, Excel, or PowerPoint – doesn’t matter
if you save the document first, and then open it, or if you open it
directly while you’re looking at the email message – the application is
smart enough to look for _AdHocReviewCycleID, look it up in AdHoc.rcd,
and hit you with the grating message

“Do you want to merge changes in “WOW751.doc” back into “c:\Documents and
Settings\Woody\My Documents\SomeFolder\WOW751.doc”?
Yes | No | No, And don’t ask again

if there’s a match on _AdHocReviewCycleID.

For example, when I sent the last issue of Woody’s Office Watch to Peter
Deegan for editing, I used Outlook 2002 to attach it to an email message.
Outlook created a section that looks like this in my AdHoc.rcd file:

[1294394770]
Path=C:\Documents and Settings\Woody\My Documents\WOW\WOW751.doc
Slot=Doc93

If I look back at the copy of WOW751.doc that I sent to Peter last week,
sure enough, the File | Properties | Custom box contains

_AdHocReviewCycleID 1294394770

If I open the copy of WOW751.doc that I attached to the message I sent to
Peter, I get that grating question.

And that explains why I can send a file to my editor, he can make
changes – even change the file name – and send it back to me, and when I
open it, Word will still pop up with that grating message.

This near-unique branding of documents with ten digit numbers leads to
some interesting questions. For example, if you have a document with a
specific _AdHocReviewCycleID, can you tell which machine it originated
on? Granted, you’d have to look at the AdHoc.rcd file on any suspect
machines. But how is this any better (or worse) than the old Office 97
document “unique identifier” problems?

(If you weren’t around for that controversy several years ago, check out
http://news.com.com/2100-1001-222876.html?legacy=cnet or
http://www.byte.com/documents/s=146/byt19990906s0012/index3.htm or
http://www.woodyswatch.com/office/archtemplate.asp?v4-n12 for a
description of the way Office 97 would brand documents with a unique
identifier.)

More than that, why does Word use these document numbers even when you
uncheck the Tools | Options | Security | “Store random number to improve
merge accuracy” box?

Or am I missing something?