
Background: Our procurement team is considering using Pincites to review contracts made with vendors. For Pincites to review the Word document in which the contract is written, the procurement team user needs to install the Pincites Add-in into his/her MS Word. Once added, Pincites reviews the contract and 'redlines' any phrases or terms that are not in line with the contract playbook the procurement team creates.

Question: The contract does not contain any confidential data or terms, so the company is not concerned about an external entity reading the contract. We also understand that the Add-in can read the contents of a Word document even if it is not a contract. But are there any other risks that we should consider when installing a third-party Add-in in MS Word?

2 Answers


At a minimum this would allow the add-in to read any Word documents that the user opens. But you should also consider that:

  • Depending on the type of add-in and whether Word is doing sandboxing, it may allow them to read any file (or perform any action) in the context of the user.
  • If the installer for the add-in needs local administrator rights to run, then you're giving it full control over the user's system (and all data on it).
  • If it has automatic update functionality, then the vendor can add new features at any point.

So you should treat it the same as any other third party software that you're looking to install on endpoints.
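The first answer's point that the exposure depends on the type of add-in is the practical place to start a review. For the Office.js "web add-in" type (the page does not say which type Pincites uses, so this is an assumption for illustration), the add-in's declared permission level, the URL its code loads from, the extra domains it may pull content from, and the Office applications it targets all live in the add-in's XML manifest, which the vendor can hand over before anything is installed. The script below is an added example, not code from the question, either answer, or the Pincites product; the sample manifest in it is constructed, with hypothetical vendor names and URLs, and the element names and `<Permissions>` values follow the public Office Add-in manifest schema.

```python
"""Triage an Office web add-in manifest before approving the add-in.

Added example (not from the page or the vendor). The SAMPLE_MANIFEST is
constructed: every name, GUID and URL in it is hypothetical.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Permission levels defined by the Office Add-in manifest schema, weakest to strongest.
PERMISSION_RANK = {
    "Restricted": 0,
    "ReadDocument": 1,
    "ReadAllDocument": 2,
    "ReadWriteDocument": 3,
    "ReadWriteMailbox": 4,  # Outlook-only level, listed so it ranks above the Word ones
}

# Constructed sample: a Word task-pane add-in that also targets Outlook ("Mailbox")
# and whitelists a plain-HTTP domain outside the vendor's own domain.
SAMPLE_MANIFEST = """
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:type="TaskPaneApp">
  <Id>11111111-2222-3333-4444-555555555555</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Contract Tools (hypothetical)</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Contract Reviewer (sample)"/>
  <Description DefaultValue="Constructed sample manifest for triage"/>
  <Hosts>
    <Host Name="Document"/>
    <Host Name="Mailbox"/>
  </Hosts>
  <DefaultSettings>
    <SourceLocation DefaultValue="https://addin.example.com/taskpane.html"/>
  </DefaultSettings>
  <Permissions>ReadWriteDocument</Permissions>
  <AppDomains>
    <AppDomain>https://api.example.com</AppDomain>
    <AppDomain>http://cdn.example.org</AppDomain>
  </AppDomains>
</OfficeApp>
"""


def _registrable(host):
    """Crude 'vendor domain' = last two labels (example.com); enough for a first pass."""
    return ".".join(host.lower().split(".")[-2:])


def triage_manifest(xml_text, max_permission="ReadWriteDocument", expected_hosts=("Document",)):
    """Return a report dict with the declared facts plus a list of policy findings."""
    root = ET.fromstring(xml_text)

    def text(tag):  # '{*}' matches any namespace (Python 3.8+)
        el = root.find("{*}" + tag)
        return (el.text or "").strip() if el is not None else ""

    def default(path):  # manifest strings are carried in DefaultValue attributes
        el = root.find(path)
        return (el.get("DefaultValue") or "").strip() if el is not None else ""

    report = {
        "id": text("Id"),
        "provider": text("ProviderName"),
        "name": default("{*}DisplayName"),
        "permission": text("Permissions") or "(none declared)",
        "source": default("{*}DefaultSettings/{*}SourceLocation"),
        "hosts": [h.get("Name", "") for h in root.findall("{*}Hosts/{*}Host")],
        "app_domains": [(d.text or "").strip() for d in root.findall("{*}AppDomains/{*}AppDomain")],
        "findings": [],
    }
    f = report["findings"]

    # 1. Permission ceiling: an unknown value ranks as 99, so it is always flagged.
    if PERMISSION_RANK.get(report["permission"], 99) > PERMISSION_RANK[max_permission]:
        f.append(f"permission {report['permission']} exceeds ceiling {max_permission}")

    # 2. Where the add-in code actually loads from (this is what the vendor can change at will).
    if not report["source"]:
        f.append("no SourceLocation declared")
    elif urlparse(report["source"]).scheme != "https":
        f.append(f"SourceLocation not HTTPS: {report['source']}")

    # 3. Extra domains allowed into the task pane: flag plain HTTP and third-party domains.
    vendor = _registrable(urlparse(report["source"]).hostname or "")
    for dom in report["app_domains"]:
        p = urlparse(dom)
        if p.scheme != "https":
            f.append(f"AppDomain not HTTPS: {dom}")
        if p.hostname and _registrable(p.hostname) != vendor:
            f.append(f"AppDomain outside vendor domain {vendor}: {dom}")

    # 4. A contract reviewer for Word has no business registering itself into Outlook.
    for h in report["hosts"]:
        if h not in expected_hosts:
            f.append(f"targets Office host '{h}' beyond {expected_hosts}")
    return report


if __name__ == "__main__":
    rep = triage_manifest(SAMPLE_MANIFEST)
    for k, v in rep.items():
        print(f"{k}: {v}")
```

Run against the constructed manifest it reports three findings (the `Mailbox` host, and the `http://cdn.example.org` domain twice: not HTTPS and not the vendor's domain) while accepting `ReadWriteDocument`, which is the level a redlining tool genuinely needs. Tighten `max_permission` to `ReadDocument` if the add-in is only supposed to read. None of this replaces vetting the vendor, since whatever is served from `SourceLocation` can change at any time, which is the same point the answer makes about automatic updates.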


Assuming you mean a Microsoft Office Word add-in - the kind that is installed on a user's computer, not in a cloud service - those are essentially just programs that run when Word does. They can do anything that the host program could, in theory, do. Create, read, edit, or delete arbitrary files. Make requests over the network, or listen for incoming ones. Start, list, and stop processes. Change user or system settings for other programs including the operating system. Log keystrokes (even in other programs), access sensors such as location/microphone/webcam, capture screen contents, and/or display arbitrary screen contents.

Note that Word (and thus, the add-in) doesn't necessarily have permission to do all of that. While Word usually runs as a "full trust" process - meaning it can do anything that any other process running under the same user could do - a low-privilege user would generally not be able to do stuff like change system settings, or access other users' files. It's also possible to run Word in a sandbox, where its permissions are severely limited, regardless of the user's privileges. However, I'm not sure if any of the versions that normally run sandboxed allow installing add-ins; those are mostly the mobile (phone/tablet) versions.


Bottom line:

Treat MS Office add-ins like any other desktop software, and only install them (on machines with any kind of sensitive access) if you fully trust the vendor.
