Microsoft Word is broadcasting on my network!

While performing some basic traffic analysis on my home wireless network, I noticed the folllowing broadcast traffic:

$ tcpdump -i en1 broadcast or multicast
15:51:25.761928 IP (tos 0x0, ttl 64, id 28912, offset 0, flags [none], proto: UDP (17), length: 180) 192.168.1.10.52330 > 255.255.255.255.2222: UDP, length 152
15:52:25.765492 IP (tos 0x0, ttl 64, id 28951, offset 0, flags [none], proto: UDP (17), length: 180) 192.168.1.10.52331 > 255.255.255.255.2222: UDP, length 152
15:53:25.769116 IP (tos 0x0, ttl 64, id 28989, offset 0, flags [none], proto: UDP (17), length: 180) 192.168.1.10.52332 > 255.255.255.255.2222: UDP, length 152

Gak! I disabled rendezous on my laptop to avoid polluting the ether, and the applications that were running shouldn’t be broadcasting messages! I was curious to see what was causing this, so I went into discovery mode. After reviewing ktrace, netstat and lsof data, I realized that the traffic was coming from Microsoft Word. It turns out that Microsoft Word sends broadcast messages to ensure that a license is only being used on a single node. This is *supposed* to help combat piracy, but I didn’t agree to this when I signed the EULA. This was extremely annoying, and what made it worse is the fact that Microsoft Word also listens on a TCP port:

$ lsof -i | grep Microsoft

Microsoft 1208 matty   19u  IPv4 0x0283a590      0t0  TCP *:3797 (LISTEN)

Last week Microsoft released several critical Office patches for the Windows paltform (I am not sure if these apply to OS X yet, so I don’t want Microsoft office application blindly sending or accepting data). My laptop now uses a selectively allow and deny everything else firewall policy, which stops this cruft from meandering throughout my home network. If you don’t feel like mucking with the default firewall policy, you can add an ipfw rule similar to the following to block this traffic:

$ /sbin/ipfw add deny udp from any to any 2222 out

I reckon it’s time to switch to Pages for word processing.

5 thoughts on “Microsoft Word is broadcasting on my network!”

  1. it’s not just microsoft…
    adobe and quark too- our old appletalk network was filled with licensing junk spewing from workstations.

  2. Do I copy and paste “$ /sbin/ipfw add deny udp from any to any 2222 out” into terminal to add a firewall rule that blocks MS Word? (Sorry, just switched over so I have no clue!)

Leave a Reply

Your email address will not be published. Required fields are marked *