Microsoft Word Forms Passwords Hacked
An anonymous reader notes: "SecurityFocus has published a hack that can be used to unlock Microsoft Word documents that have been password-protected. The 'secure' file can easily be edited and the original password re-inserted, removing any trace of the modification. A ZDNet UK article says Dell uses password-protected Word files to send quotes, which could make for a messy legal battle." This feature, known as 'Password to Modify', is not the password protection on the document itself, just the protection that restricts unauthorized editing of the file. This hack allows someone to download such a file, edit it, and restore the password... effectively allowing changes to the file to go potentially unnoticed.
There'll be a patch for this coming sometime this year, I'm sure. Maybe by March.
I wonder if Microsoft was warned about this before this information was posted.
You are in error. No-one is screaming. Thank you for your cooperation.
I mean, honestly.
What the author is complaining about here is that someone can take a WORLD OPENABLE FILE and modify it.
This is the exact same thing that we see on Slashdot every other day regarding DRM files. Repeat after me: If you can open it, you can change it. Heck, you can probably cut and paste the contents into a new unprotected Word document!
The only news here is that you can "reinsert" the password into the document. Big whooptie doo. Because if I were to publish a form in a public location I would not keep a protected backup elsewhere for it.
What's next?
"A researcher has discovered that by opening a document on one PC he can retype the document on the PC to his right in an unprotected format. The style of the document needed a little tweaking to match the original, but it was doable".
I mean, SERIOUSLY. These files merely have a small protection against being overwritten accidentally. If you want real protection in the Microsoft world, use EFS, share permissions, something else.
Word has a couple levels of protection:
1) Change protection. This is merely a stupid password to make sure you don't accidentally change the document, make sure you can only write in certain fields, etc. It's a poor man's DRM.
2) Read protection. This is true encryption. It was really poor under Office 95, but from Office 97 and forwards it has been significantly strengthened, to the point where it's now a pure brute force attack. Pick a line from a song as a passphrase and you won't break the document open in a million years.
Office 2003 is supposed to have some magical DRM properties that go even beyond these capabilities in that you can permission a document to be readable but not printable, you can forward only within an organization or you can expire the document in three days. When we see an article on how to break that (beyond digital camera and OCR) I'll be impressed.
-Jack Ash
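An added example, not part of the original discussion or any poster's code: the story's point that the edit-restriction marker can be put back after a change, shown beside an integrity tag the sender keeps outside the file. The container layout, key, quote text and function names are constructed for illustration and are not Word's real file format.

```python
import hashlib
import hmac

PREFIX = b"MARKER="

# Constructed toy container, NOT Word's real format: one line holding the
# stored edit-restriction marker, followed by the document body.
def make_doc(marker: bytes, body: bytes) -> bytes:
    return PREFIX + marker + b"\n" + body

def marker_of(doc: bytes) -> bytes:
    return doc.split(b"\n", 1)[0][len(PREFIX):]

def marker_unchanged(original: bytes, returned: bytes) -> bool:
    """All an in-file marker comparison can tell you: the marker is the
    one the sender set. It says nothing about the body."""
    return hmac.compare_digest(marker_of(original), marker_of(returned))

def issue_tag(key: bytes, doc: bytes) -> str:
    """Sender side: HMAC-SHA256 over every byte of the file as sent."""
    return hmac.new(key, doc, hashlib.sha256).hexdigest()

def verify_tag(key: bytes, doc: bytes, tag: str) -> bool:
    return hmac.compare_digest(issue_tag(key, doc), tag)

def demo() -> dict:
    key = b"constructed-sender-key"  # assumption: real keys live in a secret store
    marker = hashlib.sha256(b"constructed-modify-password").hexdigest().encode()
    sent = make_doc(marker, b"Quote Q-0001: 10 laptops, total 9,000.00")
    tag = issue_tag(key, sent)  # recorded by the sender, outside the file

    # The outcome the story describes: body changed, original marker in place.
    returned = make_doc(marker, b"Quote Q-0001: 10 laptops, total 900.00")
    return {
        "marker_check_passes": marker_unchanged(sent, returned),
        "tag_valid_for_sent": verify_tag(key, sent, tag),
        "tag_valid_for_returned": verify_tag(key, returned, tag),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

An HMAC only lets the key holder verify; where the recipient must be able to check the document independently, a public-key signature over the same bytes serves that role.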