Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Word Forms Passwords Hacked

Posted by Cliff on from the back-to-the-drawing-board dept.

An anonymous reader notes: "SecurityFocus has published a hack that can be used to unlock Microsoft Word documents that have been password protected. The 'secure' file can easily be edited and the original password re-inserted, removing any trace of the modification. A ZDNet UK article says Dell uses password protected Word files to send quotes, which could make for a messy legal battle." This feature, known as 'Password to Modify', is not the password protection on the document itself, just the protection that restricts unauthorized editing of the file. This hack allows someone to download such a file, edit it, and restore the password...effectively allowing changes to the file to go potentially unnoticed.

2 of 438 comments (clear)

  1. Re:RTFA... It's hilarious by Kevin+Stevens · · Score: 5, Insightful

    The locks on these files are very similar to locks found on standard filing cabinets. They are there to prevent tampering, keeping people out of places they really shouldnt be- sensitive, but not absolutely secret stuff. Secure they are not. I have used these things before, and I can tell you, its pretty clear they are not using any heavy duty security. I do not see how anyone intelligent could really see them as otherwise. You dont have to read a EULA to realize there is no watermarking, no digitial signature, no complex scheme of any sort behind it. I put last year's tax records in a filing cabinet, but I wouldnt keep the deed to my house or my the account number to my secret account in the cayman's in there, I would buy a safe. Same concept here.

  2. DRM in Office 2003 is unaffected by kylef · · Score: 5, Insightful

    First of all, if you read the article, you will understand that Microsoft has not been advertising these "Word document passwords" as true security mechanisms. Microsoft has been pushing its new DRM Features in Office 2003 as the Microsoft-approved method to secure Office documents.

    In fact, I doubt Microsoft really put much effort into making these document-modification passwords all that secure. They have been around for quite some time, and I doubt they have changed much or improved much over the years. I don't know anyone who was relying on these document passwords for their security, and Microsoft did not advertise this as a great feature of Word. In fact, the bug itself is limited in scope to protecting Word FORMS from being modified.

    In any case, the new DRM features in Office 2003 are much more sophisticated and will no doubt be much more difficult to crack. THESE are the security features that Microsoft is pushing today, and if you really want to lambast Microsoft Security, then you must point out a way to subvert these newer technologies that Microsoft is actually pushing.

    It would be very big news indeed if someone could succeed in copying an Outlook 2003 email marked with a "Do Not Forward" permissions flag. Indeed, if someone could even READ such an email on an unauthorized email client, Microsoft's newest security policies would be questionable. Until then, I'm not convinced this is anything more than FUD trying to convince people that Office is inherently insecure.