Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Word Forms Passwords Hacked

Posted by Cliff on from the back-to-the-drawing-board dept.

An anonymous reader notes: "SecurityFocus has published a hack that can be used to unlock Microsoft Word documents that have been password protected. The 'secure' file can easily be edited and the original password re-inserted, removing any trace of the modification. A ZDNet UK article says Dell uses password protected Word files to send quotes, which could make for a messy legal battle." This feature, known as 'Password to Modify', is not the password protection on the document itself, just the protection that restricts unauthorized editing of the file. This hack allows someone to download such a file, edit it, and restore the password...effectively allowing changes to the file to go potentially unnoticed.

8 of 438 comments (clear)

  1. No messy Dell battle by MikeXpop · · Score: 4, Insightful
    This hack allows someone to download such a file, edit it, and restore the password...effectively allowing changes to the file to go potentially unnoticed.
    Basically meaning the submitters comments about Dell are wrong, as Dell wouldn't use that kind of protection.

    Come to think of it, I can't think of a real position where this could be a problem. What would someone do, host protected .doc's on a public server, and hope no one hacks into the server putting back the password-modified .doc? Anyone have a real world example?
    --
    Etiquette is etiquette. He kills his mother but he can't wear grey trousers.
  2. And this is a good thing by Smack · · Score: 4, Insightful

    The fact that it can't determine your actual password is a good thing. Not for the security of that particular document, obviously, but for the security of other things you may have used the same password for.

  3. Re:Just how far should they go? by TwistedSquare · · Score: 4, Insightful
    It wasn't that long ago that the 128-bit encryption version of Internet Explorer couldn't be downloaded by anyone outside the US (even people in countries such as the UK) because that key length was longer than US export laws allowed at that time

    I saw a good point the other day that US export laws on cryptography were fairly stupid when you consider that other countries have the skills/intelligence to develop strong cryptography outside the US in the first place. For example, RSA was originally developed in the UK.

  4. Re: Just how far should they go? by Black+Parrot · · Score: 4, Insightful


    > OK, I'm not saying that Microsoft's totally without guilt here but just how far do people think they need to go with regards to securing passworded files? 48-bit encryption? 128-bit? 160-bit with triple DES? At what stage does the encryption become overkill?

    So long as we ride the Moore Curve, overkill degrades to underkill at a rate of about one bit per 18 months. So if you want your document to be secure in perpetuity, you'd better use a lot of bits.

    --
    Sheesh, evil *and* a jerk. -- Jade
  5. Re:RTFA... It's hilarious by Kevin+Stevens · · Score: 5, Insightful

    The locks on these files are very similar to locks found on standard filing cabinets. They are there to prevent tampering, keeping people out of places they really shouldnt be- sensitive, but not absolutely secret stuff. Secure they are not. I have used these things before, and I can tell you, its pretty clear they are not using any heavy duty security. I do not see how anyone intelligent could really see them as otherwise. You dont have to read a EULA to realize there is no watermarking, no digitial signature, no complex scheme of any sort behind it. I put last year's tax records in a filing cabinet, but I wouldnt keep the deed to my house or my the account number to my secret account in the cayman's in there, I would buy a safe. Same concept here.

  6. DRM in Office 2003 is unaffected by kylef · · Score: 5, Insightful

    First of all, if you read the article, you will understand that Microsoft has not been advertising these "Word document passwords" as true security mechanisms. Microsoft has been pushing its new DRM Features in Office 2003 as the Microsoft-approved method to secure Office documents.

    In fact, I doubt Microsoft really put much effort into making these document-modification passwords all that secure. They have been around for quite some time, and I doubt they have changed much or improved much over the years. I don't know anyone who was relying on these document passwords for their security, and Microsoft did not advertise this as a great feature of Word. In fact, the bug itself is limited in scope to protecting Word FORMS from being modified.

    In any case, the new DRM features in Office 2003 are much more sophisticated and will no doubt be much more difficult to crack. THESE are the security features that Microsoft is pushing today, and if you really want to lambast Microsoft Security, then you must point out a way to subvert these newer technologies that Microsoft is actually pushing.

    It would be very big news indeed if someone could succeed in copying an Outlook 2003 email marked with a "Do Not Forward" permissions flag. Indeed, if someone could even READ such an email on an unauthorized email client, Microsoft's newest security policies would be questionable. Until then, I'm not convinced this is anything more than FUD trying to convince people that Office is inherently insecure.

  7. Re:RTFA... It's hilarious by Skater · · Score: 4, Insightful

    Reminds me of an electrician I knew that always worked on wires live. That way, he claimed, he was certain to be careful.

    He was pretty old, too, so I guess it worked...

    --RJ

  8. Signed PDF by Qrlx · · Score: 4, Insightful

    This came up at work. What happens if: You send out a contract as a Word doc email attachment. Customer changes the language of the contract, signs it, prints it, then mails it back. We could easily sign that without noticing the difference.

    We decided to send out digitally signed PDFs instead.