Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Word Forms Passwords Hacked

Posted by Cliff on from the back-to-the-drawing-board dept.

An anonymous reader notes: "SecurityFocus has published a hack that can be used to unlock Microsoft Word documents that have been password protected. The 'secure' file can easily be edited and the original password re-inserted, removing any trace of the modification. A ZDNet UK article says Dell uses password protected Word files to send quotes, which could make for a messy legal battle." This feature, known as 'Password to Modify', is not the password protection on the document itself, just the protection that restricts unauthorized editing of the file. This hack allows someone to download such a file, edit it, and restore the password...effectively allowing changes to the file to go potentially unnoticed.

6 of 438 comments (clear)

  1. Nothing New by digitalvengeance · · Score: 5, Informative

    There have been utilities to obtain Word passwords for quite a while. I've tested mine on Office 2000 and XP protected documents and had great success.

    What's odd: The password returned by my tool of choice is not the same as the one actually stored - but when I enter this new password OR the original password into Word, the document is successfully unprotected. Some sort of odd math that makes more than one password work?
    Example - I protected both a Word 2000 and Word 2002 document with the password "test" then ran them through my cracker. The cracker returned the password "QFQDOBCTGLHGEE" virtually instantly for both documents. Oddly enough, this new unusual password successfully unlocked both Word documents using Tools > Unprotect Document. Subsequent testing reveals that the original password will also unprotect the document.

    So, if such passwords can easily be bypassed anyway - what does this really change?

    I should note that I'm using a Passware product called Office Key.

    This crack just takes what has been commercially available for quite some time and moves it into the public arena.

    Josh

    --
    How many roads must a man walk down? 42.
    1. Re:Nothing New by Stavr0 · · Score: 5, Informative
      The word doc doesn't store the password, but a one-way checksum.

      The passware product merely computes a password that matches the checksum found in the word doc.

  2. RTFA... It's hilarious by h4rm0ny · · Score: 5, Informative

    According to Microsoft, the password protection feature on Word is not intended to be secure, but should be regarded as a means to protect documents against accidental modification. I use Word and don't ever recall being advised of this, but then I suppose the EULA does warn users never to actually rely on the software for anything important.

    I never expected the protection in Word to be anything special, but sometimes (as shown here by Dell) it's better to have no security than false security because that way you take greater care.

    But for those of you who never RTA, here is what was the highlight for me:
    1.) Open a protected document in MS Word
    2.) Save as "Web Page (*.htm; *.html)", close Word
    3.) Open html-document in any Text-Editor
    4.) Search "" tag, the line reads something like that: ABCDEF01

    --

    Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
  3. Re:No messy Dell battle by vasqzr · · Score: 5, Informative


    Come to think of it, I can't think of a real position where this could be a problem. What would someone do, host protected .doc's on a public server, and hope no one hacks into the server putting back the password-modified .doc? Anyone have a real world example?

    You've obviously never been in the real world.

    To someone like your or I, Word is simply a word processing program. But, to office workers across the country....

    Here's a list of things I've seen people use MS Word for:

    Spreadsheet. Hit tab, enter a value, add them up by hand. Excel is 'too confusing'

    Creating GIANT tables and using them for inventory, rather than an Access database

    Creating a 3,000 page document and keeping time/attendance records for ~ 250 employees. And wonder why it takes 10 minutes to load, and 10 minutes to save, doesn't scroll right....

  4. The article is troll-ish by _RiZ_ · · Score: 5, Informative

    I work with Dell for our workstation and laptop purchases and not once in the last 3 years have they sent me a quote in a Word document.

    They have a system that links the quote with your customer ID and gets generated as an HTML file which gets emailed to you. All automagically.

    To whom ever that thought they could change a word document quote and expect to get that price, I got some beach front property to sell you in Kansas. Silly fool.

  5. Re:Oh, this bodes well. by zdislaw · · Score: 5, Informative
    I wondered exactly the same thing. For about three seconds. The I RTFA.

    2003-11-27, 10:30 UTC Microsoft notified to: secure microsoft com

    2003-11-27 confirmed receipt from: secure microsoft com

    2003-12-03 Note from Microsoft, Form protection "is not intended as a full-proof protection for tampering or spoofing, this is merely a functionality to prevent accidental changes of a document", request additional time to update Microsoft Knowledge Base article.
    Targetting beginning of January 2004 for release of this advisory.
    from: "Magnus"

    2003-12-08 Microsoft has already released the KB article (or added a warning to an existing article). Read the KB article at http://support.microsoft.com/?id=822924
    from: "Magnus"

    --
    bad sig...no donut.