Michael Horowitz
Home => Word 2016 spying on users?
[Formatted for Printing] From the personal web site of  Michael Horowitz

Is Word 2016 spying on users?

May 4, 2019

When you start watching network traffic, you never know what will turn up.

As noted below, Word 2016 is pretty chatty on the Internet, when all its doing is editing a file on your computer. Here is another example of this. As before, the logging of outbound connections was done with the TcpLogView program by Nir Sofer. The computer was running Windows 7.

Tracing the Internet activity of Word 2016 again
Again, tracing Internet activity from Word 2016

What we see above is every connection opened by Word to a computer out on the Internet. The timestamp shows most of these 23 connections occurred in the same second (literally); the first connection was 11 seconds prior to the big rush.

Word phoned home to four different computers (4 different IP addresses), making multiple connections to two of them. Every connection was to port 443 (reserved for HTTPS), so the data traveling between the Windows 7 PC and these remote computers at Akamai was encrypted. As shown below, three of the computers Word contacted have the same name, cdn.odc.officeapps.live.com. This is a normal occurrence.

IP address Computer Name
104.70.71.2
104.94.252.240
23.62.171.158
52.109.20.3
cdn.odc.officeapps.live.com
cdn.odc.officeapps.live.com
cdn.odc.officeapps.live.com
officeclient.microsoft.com
Word 2016 phones home

The big question is why does Word 2016 need to make 23 connections to computers on the Internet? Twenty [expletive] three. What data is it uploading? What data is it downloading?

Imagine what I might find, if I did this often.

 

First Observation

April 18, 2019

I recently installed Office 2016 and have been watching its network activity. My initial intention was to prevent the automated installation of bug fixes. Yes, bug fixes are usually good things, but I have an important need for the apps not to change at all, without my being aware of it. I may need to go months before there is a window for patching. But, that's me.

In tracing network activity from Office, I noticed that Word 2016 phoned home and eventually focused on that.

I run two traces using free portable Windows software from Nir Sofer, available at nirsoft.net. His TcpLogView program shows every time a process creates and closes a connection to a computer on the Internet. His DNSQuerySniffer shows all DNS requests on the system. Combining the two, gives a great perspective on network activity.

Below are traces of Word 2016 Internet activity from these two programs. I opened Word, created a new blank document with a single sentence and saved that document locally on the computer. Word was running on Windows 10 service pack 1803 with bug fixes as of March 2019.

Tracing the Internet activity of Word 2016
Tracing Internet activity of Word 2016

Word phoned home to these four computers.

Computer Name IP address
config.edge.skype.com
templateservice.office.com
cdn.odc.officeapps.live.com
nexusrules.officeapps.live.com
13.107.3.128
23.78.176.77
23.10.92.205
52.109.124.18
Word 2016 phones home

In addition it made a DNS request for officeclient.microsoft.com (at 52.109.2.16) but it never opened a connection to that computer.

My first reaction was that Word is awfully chatty. I don't expect to ever know why Word made connections to these four computers but I do not like it.

My second reaction was to Skype. What the heck? Why is Word concerned with Skype in any way?

My third reaction had to do with nexusrules.officeapps.live.com at IP address 52.109.124.18. According to iplocation.net this is Microsoft in Singapore. Yes, Singapore.

At least the outbound connections were to port 443, so whatever data Word sent back to Microsoft was encrypted. Not that I feel safe. Many Microsoft employees, plus, no doubt, US spy agencies have access to whatever data was sent.

All this just supports my existing opinion to use LibreOffice when at all possible.

 

Office Phoning Home

November 27, 2020

I just ran across this document from Microsoft Office 365 URLs and IP address ranges that documents both the domains and the IP addresses that Office wants and needs to connect to. It was last Updated October 28, 2020.

 

 

 @defensivecomput TOP Home => Word 2016 spying on users?   
 michael--at--michaelhorowitz.com   Last Updated: November 27, 2020 5 PM  
  License Plate
Copyright 2001-2024
Copyright 2001-2024  
Printed at:   March 28, 2024 12:01pm   ET
Viewed 18,574 times since April 18, 2019 (10/day over 1,806 days)