MS Word wants to open a port on your machine... wait what?

Even the most diehard TeXhead has moments when he needs to read some Word document. Tonight was such a night and I have Office 2004 on my machine for just such an eventuality (Please don't write in to tell me that I should run Pages. As I said, I don't want to run either of them, but I also don't want to deal with Pages/Word incompatibility.) Anyway, I boot up Word and the Leopard firewall asks me if I'd like to let Word listen for network connections. I go to click no and either manage to click it or raise some other window or something. The dialog disappears and when I check the firewall it sure does say to block MS Word. So, that's OK, I guess.

And then I get to thinking, "Why is Word opening up TCP listening ports anyway?" So, I run netstat -a | grep LISTEN and get:

[49] /usr/sbin/netstat -a | grep LISTEN
tcp4       0      0  *.3369                 *.*                    LISTEN
...

Hmmm. What's 3369? Google doesn't know, so that's not good. I close Word and the port goes away and lsof confirms it's Word:

[52] /usr/sbin/lsof -i TCP:3369

COMMAND  PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
Word    8198  ekr   16u  IPv4 0x6c4d66c      0t0  TCP *:3369 (LISTEN)
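The two commands above are the check worth scripting: which processes on the box accept connections from the network, and do any of them match the pattern this post describes (a UDP socket on 2222 plus a TCP listener somewhere in 3000-3999)? The following Python is an added example, not code from the post or from Microsoft; it parses `lsof -i` output in the same column layout as the listing above. The sample text is constructed: the Word TCP line is the one shown in the post, the other rows are made up, and the `word_discovery_sockets` signature is taken from the post's own description of the behaviour.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample in the column layout of `lsof -i` on macOS. Only the
# first Word row is from the post; the remaining rows are invented for
# illustration (192.0.2.10 is a documentation-range address).
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
Word      8198  ekr   16u  IPv4 0x6c4d66c      0t0  TCP *:3369 (LISTEN)
Word      8198  ekr   17u  IPv4 0x6c4d700      0t0  UDP *:2222
cupsd      101 root    6u  IPv6 0x6c4d800      0t0  TCP localhost:631 (LISTEN)
Safari    8202  ekr   22u  IPv4 0x6c4d900      0t0  TCP 10.0.0.5:52110->192.0.2.10:80 (ESTABLISHED)
"""

# One lsof row: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME.
# Commands containing spaces would need `lsof -F` (field output) instead.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<device>\S+)\s+(?P<size>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<name>.+?)\s*$"
)
# The NAME column: local[->remote][ (STATE)].
NAME_RE = re.compile(
    r"^(?P<local>\S+?)(?:->(?P<remote>\S+))?(?: \((?P<state>[A-Z_]+)\))?$"
)


@dataclass
class Socket:
    command: str
    pid: int
    user: str
    proto: str
    local_host: str   # "*" means bound to all interfaces
    local_port: str   # kept as a string: lsof prints names unless run with -P
    remote: Optional[str]
    state: Optional[str]


def parse_lsof(text: str) -> List[Socket]:
    """Parse `lsof -i` output into Socket records, skipping the header and junk."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("COMMAND"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        n = NAME_RE.match(m.group("name"))
        if not n:
            continue
        host, _, port = n.group("local").rpartition(":")
        sockets.append(Socket(
            command=m.group("cmd"), pid=int(m.group("pid")), user=m.group("user"),
            proto=m.group("proto"), local_host=host, local_port=port,
            remote=n.group("remote"), state=n.group("state"),
        ))
    return sockets


def exposed_listeners(sockets: List[Socket],
                      allowlist: FrozenSet[str] = frozenset()) -> List[Socket]:
    """Sockets reachable from the network: a TCP LISTEN or a bound UDP socket
    on the wildcard address, for commands not explicitly allowlisted."""
    return [s for s in sockets
            if s.local_host == "*"
            and (s.proto == "UDP" or s.state == "LISTEN")
            and s.command not in allowlist]


def word_discovery_sockets(sockets: List[Socket]) -> List[Socket]:
    """Sockets matching the behaviour the post describes: Word bound to UDP 2222
    (the broadcast channel) or listening on a TCP port in 3000-3999."""
    out = []
    for s in sockets:
        if s.command != "Word" or not s.local_port.isdigit():
            continue
        port = int(s.local_port)
        if (s.proto == "UDP" and port == 2222) or \
           (s.proto == "TCP" and s.state == "LISTEN" and 3000 <= port <= 3999):
            out.append(s)
    return out


def run_lsof() -> str:
    """Collect live output; -n/-P keep hosts and ports numeric."""
    return subprocess.run(["lsof", "-i", "-n", "-P"], capture_output=True,
                          text=True, check=False).stdout


if __name__ == "__main__":
    for s in exposed_listeners(parse_lsof(SAMPLE_LSOF)):
        print(f"{s.command}[{s.pid}] {s.proto} *:{s.local_port} {s.state or ''}")
```

Run against `run_lsof()` on a real machine to audit wildcard listeners; the allowlist is where the services you actually expect (a local web server, say) go, so anything left over is the thing to explain.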

I shut down Word and my WiFi and restart Word, but it's not listening now. Maybe I need the network on. Sure enough, I bring the WiFi back up and restart Word and now it's listening, but on a different port: 3828 this time. Stranger and stranger. Now ordinarily this would only be about a 4.0 freakout on a scale of 1 to 10, but it turns out that I only recently installed Office on this machine and was unaware of the following delightful property of MS AutoUpdate: it only installs one update at a time, no matter how many updates are pending. So, when you have 10-20 updates to install, and you're just letting update run itself, it takes forever to get uprev. The consequence of this is that I was loading random people's documents with some two year old (and vulnerable) version of Word. Who knows what malware I've had the joy of installing. This jacks things up to a freakout factor of about 6.2.

Next step: compare to another machine. It shows up on my other Mac, which is a little comforting, but of course that machine could be infected too. I double check with Hovav, who is about as paranoid as I am, and his copy of Office is listening, but on some other random port. That's sort of comforting. This is starting to look a lot less like malware and a lot more like a feature of Word. A little more digging tells us the process name that is actually doing the listening. It's Word (as I knew) but with some wacky argument starting with -psn_0_.... Searching on this, we find out that I'm not the only person who has had this question.

If you close UDP 2222, then no other computers will know which TCP port your copy of Word has chosen to listen to (in the 3000-3999 range), because that info is broadcast in the UDP packets. The protocol is thus: your copy of Word spews its serial number (encoded) and the TCP port it is listening on in a packet on UDP 2222. Other copies of Word on the network get this packet and then respond to your copy of Word on the specified TCP port if they have the same serial. Then one copy shuts down.

I guess it was malware after all. Outstanding!

8 Comments

Wow! So a program that listened on port 2222 and simply played back the serial number reports could effectively disable Word across an entire network? Brilliant!

Given the Office monoculture, this could actually be a somewhat effective means of commercial sabotage/economic warfare.

Yes, it sounds like malware of a sort, but I suspect it's the one built into Office by Microsoft. Quoting from an old MS security bulletin: "Office v. X contains a network-aware anti-piracy mechanism that detects multiple copies of Office using the same product identifier (PID) [...]"

Allan, I think that was EKR's point. He was being sarcastic.

Oh. Can't one be sarcastic with fewer words than that?

The sarcastic part was, "I guess it was malware after all." The rest of it was purely narrative.

I guess you could also say the rest of it was the dramatic setup and the second to last sentence was the sarcastic punch line.

Either way, I think the moral of the story is that malware is in the eye of the beholder.

If you look at your process table, you'll see -psn_* arguments everywhere. The Mac runtime tags them onto the processes underlying GUI apps; the interwebs say it's a "process serial number."

(PS: Comment preview is broken: "Publish error in template 'Comment Preview Template': Error in tag: Error in tag: The MTCommentFields tag is no longer available; please include the Comment Form template module instead.")

Yeah -- this is all a part of the Office copy protection scheme. More than a few people have been irritated by this over the years.

http://www.ciac.org/ciac/techbull/CIACTech02-003.shtml

You can certainly prevent it from listening with local firewall rules. The only thing you will break is the anti-piracy mechanism. Ah, shucks!

I've found if you compromise the feature with local firewall rules that sometimes Word hangs for a while. I used to think this was a function of Word just hanging, but allowing the stupid network spamming seems to provide anecdotal evidence that it reduces the occurrences.

I actually found this in the US Airways Club room in Philadelphia, when my computer was promiscuously engaging in public unsafe emission exchanges with 20 of my closest (non)friends and I was worried that I would get arrested for a wide stance.
