source: http://www.securityfocus.com/bid/5586/info

The Microsoft Word and Excel INCLUDETEXT Field Code may be used to insert an arbitrary local file into a document. The INCLUDETEXT Field Code is reported to, under some circumstances, present a security threat.

If the INCLUDETEXT Field Code is included in a document and references a file on the local system of the recipient, then the file will also be included when the document is sent out. It is possible for an attacker to abuse this functionality in a situation where documents are constantly being shared and updated.

The recipient of the malicious document must still pass along the updated version of the document for the attacker to receive the imported local file.

** Reports indicate that using a 'dde' link group field may be able to bypass the functionality of the Microsoft patch for this issue.

Inserting the following field structure into the footer of the last page of the document will steal the contents of c:\a.txt on the target's computer:

{ IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\a.txt" "c:\\a.txt" } \* MERGEFORMAT } = "" "" \* MERGEFORMAT }

(The curly braces above represent Microsoft Word field braces.)
源链接

Hacking more

...