The case against using .doc files

Do you really need all the bells and whistles of the .doc format? John McCormick says you can make your life easier by using .rtfs. Read on to learn about the simplest security fix you'll make this year.

You use Microsoft Word. I use Microsoft Word. Practically everyone uses Microsoft Word. But that can be a problem.

Why? Many users, and some IT pros, are too trusting. Me? I’m constantly aware of security threats, and therefore I never open a .doc file sent by a stranger. I enforce this practice in my small company to the extent that we don't even save files in .doc format. In fact, I mostly have Word installed only because some of my clients use it to send me documents. Even if they didn't, I have to keep abreast of potential security problems, and these days MS Word is one of the biggest potential threats around.

Do you need all those extras?
Some people will tell you they have to use .doc files to keep all that fancy formatting. Personally, I don't want, need, or like strange fonts, borders, or other unusual formatting in what should be simple text documents. If you really require such formatting, you can share almost everything—minus the prevalent macro viruses—simply by using the .rtf, or Rich Text Format file extension, instead of saving files in .doc format.

Word lists dozens of features not supported by .rtf that would be contained in .doc files, and I suggest you take a look at the list, if only to see an example of things you really don't need. (To find the list, choose Contents and Index from Word's Help menu, click the Find tab, search for Word 97 & 6.0/95-.rtf format, and then choose the topic "What happens when I save a Word 97 document in Word 97 & 6.0/95-.rtf format?".) Office suites have become incredibly bloated, but just because publishers provide thousands of seldom-used features doesn't mean you have to risk virus attacks just to support them all in your business.

Like me, you probably don't need animated text, character borders, or floating pictures with word wrap in every single document you create, at least not badly enough to risk running across a Melissa variant. Of course, you also lose Word macros created in Visual Basic, but that's the whole point!

Adopting another default file format is the prudent thing to do in many situations. Then, when you really need those fancy formatting options saved in a particular file, you can save that file with the .doc extension. Remember: The fewer .doc files you deal with, the smaller the likelihood of macro virus infection.

Changing file formats may seem a bit drastic—and in the vast majority of cases, it will prove unnecessary. Of course, most security steps are unnecessary most of the time; that's why it's so difficult to enforce good procedures. But if you stop creating, sending, and opening .doc files, at least you know you aren't going to get bitten by Word macro viruses.

Macro virus havoc
The biggest problem with macro viruses isn't just that they can clog your own systems the way traditional viruses can, costing you time and money to clear them out and restore your files. Infections from .doc files can be more dangerous than other viruses because they are easily sent accidentally to clients and vendors, which opens you to legal action and damaged relationships. Your victims might even decide that doing business with you in the future isn't a good risk.

Most viruses have to be sent in some executable form, and our daily e-mail communications over the Internet or intranets just don't transmit these infections. But you can infect others with macro viruses just by sending them a simple document.

There is more to the macro virus threat than just the chance you can infect a recipient. Even if you have a policy of never sending .doc files as attachments to external e-mail addresses, merely opening a .doc file can be dangerous. You probably never considered the possibility that something as simple as a Word macro virus might broadcast the most sensitive of internal company documents, but it could happen to you.

Disney Corp. learned just how dangerous macro viruses can be when, in the middle of November, a variant of the Melissa macro virus sent an open Word document containing an internal memo to members of the press. Many companies have never given any thought to this sort of problem. They didn't know it was even possible—but it is.

How would you like to have a document you are still writing sent to everyone on your company's mailing list? How about just distributing a list of potential promotions to everyone inside the company? Or a list of salaries? You probably use Microsoft Word to create rough sketches of numerous memos containing sensitive information, or even just blue sky ruminations that you fervently hope will never see the light of day. People write some strange things in what they expect to be "eyes-only" internal memos, and they can come back to haunt you days, months, or even decades later. Just ask Oliver North or any of the big tobacco companies if you don't believe me.

Because antivirus protection always lags behind the creation of new viruses, a company relying entirely on antivirus software is taking a big risk. Having confidential information broadcast to the press or even vendors can be catastrophic.

If you must use Word and can't enforce a change to the .rtf file format instead of the risky .doc format, there is still a way to protect your secrets, and it works to block even intentional sharing of confidential data. Elron Software's Message Inspector monitors e-mail, FTP sites, and newsgroup message traffic for confidential data and blocks its transmission.

And Message Inspector doesn't just protect confidential information. Because it works by conducting string searches for keywords, you can configure it to help reduce server spam congestion. You can also set it to watch for and block potentially offensive comments, thus reducing legal liability.

John McCormick is a consultant and writer (five books and 14,000-plus articles and columns) who has been working with computers for more than 35 years.

Have a comment?
If you'd like to share your opinion, please post a comment below.


Editor's Picks

Free Newsletters, In your Inbox