Microsoft Word is broadcasting on my network!

While performing some basic traffic analysis on my home wireless network, I noticed the folllowing broadcast traffic:

$ tcpdump -i en1 broadcast or multicast

15:51:25.761928 IP (tos 0x0, ttl 64, id 28912, offset 0, flags [none],
proto: UDP (17), length: 180) > UDP, length 152
15:52:25.765492 IP (tos 0x0, ttl 64, id 28951, offset 0, flags [none],
proto: UDP (17), length: 180) > UDP, length 152
15:53:25.769116 IP (tos 0x0, ttl 64, id 28989, offset 0, flags [none],
proto: UDP (17), length: 180) > UDP, length 152

Gak! I disabled rendezous on my laptop to avoid polluting the ether, and the applications that were running shouldn’t be broadcasting messages! I was curious to see what was causing this, so I went into discovery mode. After reviewing ktrace, netstat and lsof data, I realized that the traffic was coming from Microsoft Word. It turns out that Microsoft Word sends broadcast messages to ensure that a license is only being used on a single node. This is supposed to help combat piracy, but I didn’t agree to this when I signed the EULA. This was extremely annoying, and what made it worse is the fact that Microsoft Word also listens on a TCP port:

$ lsof -i | grep Microsoft

Microsoft 1208 matty 19u IPv4 0x0283a590 0t0 TCP *:3797 (LISTEN)

Last week Microsoft released several critical Office patches for the Windows paltform (I am not sure if these apply to OS X yet, so I don’t want Microsoft office application blindly sending or accepting data). My laptop now uses a selectively allow and deny everything else firewall policy, which stops this cruft from meandering throughout my home network. If you don’t feel like mucking with the default firewall policy, you can add an ipfw rule similar to the following to block this traffic:

$ /sbin/ipfw add deny udp from any to any 2222 out

I reckon it’s time to switch to Pages for word processing.

This article was posted by Matty on 2006-08-13 11:31:00 -0400 EDT