Microsoft Word Forms Passwords Hacked

An anonymous reader notes: "SecurityFocus has published a hack that can be used to unlock Microsoft Word documents that have been password protected. The 'secure' file can easily be edited and the original password re-inserted, removing any trace of the modification. A ZDNet UK article says Dell uses password protected Word files to send quotes, which could make for a messy legal battle." This feature, known as 'Password to Modify', is not the password protection on the document itself, just the protection that restricts unauthorized editing of the file. This hack allows someone to download such a file, edit it, and restore the password...effectively allowing changes to the file to go potentially unnoticed.

Other Variants

[skroz]

If I recall, openoffice/staroffice can open "encrypted" Word and Excel documents without the requirement of a password. I know this used to work for older versions...

DMCA anyone

[Ubi_NL]

As SF.com is located in the US, isn't this exactly something covered under the DMCA: publishing a method to circumvent a protect mechanism.
In that case, what are the chances of them getting into trouble?

Re:DMCA anyone

[Chagatai]

As one of the previous posters mentioned, the password scheme, as described by Microsoft, is not designed to be a means of protection of data, but more of a way to deter users from accidentally modifying Word documents. I suppose the poor man's version of this would be the copy protect tab on a VHS tape. You could tape over it in order to record over something, but it prevents accidental modification.

Ergo, if this password crack is constituted a breach of the DMCA, me taping over my neighbor's wedding and video of his kid's first steps with that weird Swedish adult channel I get on the dish must also be a violation of the DMCA, too. Stupid neighbor.

Now way for such a thing to be secure

[osgeek]

Without some type of private/public digital signature system, you're going to see problems like this. Don't trust passwords on supposed read only documents as a general rule.

The sooner business people understand these things, the sooner that we'll all see the benefits of a standardized, omnipresent public key infrastructure. Make sure to educate the nontechnical people in your office so that they demand better security for their data.

So what?

[soluzar22]

If you use this feature and expect it to be secure in my opinion you're just asking for trouble. Of course this is M$'s fault, but really! Is this a surprise to anyone. I mean, anything can be hacked in time, but a password-protected word document? I've forgotten passwords myself in the past and decrypted the file in about a half-hour, and I'm hardly what you'd call a l33t d00d! I mean FFS! It's a word processor. Two answers to this. A) Don't let anyone but you have access to the file. Protect your PC and it's harddrive. B) Use something like steganos, or something better to securely encrypt your files. Don't trust in the MS. Anyway, everyone should be using AbiWord.

Just how far should they go?

[WIAKywbfatw]

OK, I'm not saying that Microsoft's totally without guilt here but just how far do people think they need to go with regards to securing passworded files? 48-bit encryption? 128-bit? 160-bit with triple DES? At what stage does the encryption become overkill?

And what about the consequences of selling Office (or even emailing a file) around the world with such strong encryption? It wasn't that long ago that the 128-bit encryption version of Internet Explorer couldn't be downloaded by anyone outside the US (even people in countries such as the UK) because that key length was longer than US export laws allowed at that time. So where do you draw the line between too weak (to be of any use to anyone at all) and too strong (to be of use to anyone who needs to deal with anyone based outside the US)?

Re:Nothing New

[pegr]

That's very interesting, but that's NOT what this article is about. This article describes how to modify "unmodifiable" fields. Here's the kick: Save the doc with "unmodifiable" fields as html and look at the source. There you will find a "key" in the metadata. Search for this key in the original doc with a hex editor. Zero it out, and voila, your fields are now modifiable.

Again, this article is NOT about how to remove a password from the document itself. Such docs are truly encrypted. (How well is an exercise left for the reader! ;)

The shame's in the design not the hack

[dnoyeb]

If the program claims that you can lock a document against modification, then shouldn't it provide verification of that? Or does it believe in its infallability.

I know MS word includes signatures, why wouldn't a signature be an automatic feature on a locked document???

shame.

Cryptographic signing

[Peaker]

If you don't want your document to be changed by others, why don't you crypto-sign it?

Its not specific to any specific document format or type and requires no extra features/code on the behalf of every program. Ofcourse "Password-protecting yadda yadda yadda" sure sounds good on a feature list of a word processor, even if completely useless.

NOT a feature, clearly a BUG.

[GillBates0]

The article references this advisory page in the Microsoft Knowledgebase which was presumably added after the author contacted "Magnus" at Microsoft Security.

The page is titled: "Overview of Office Features That Are Intended to Enable Collaboration and That Are Not Intended to Increase Security", and reeks of hindsight. Microsoft notes that these features were never intended to increase security, but were designed to encourage collaboration.

But on the other hand, they also say:
"Information About Strong Passwords To reduce the chances of someone guessing your password, use only strong passwords.
For a password to be a strong password, it should meet all the following criteria:
* Be at least seven characters long. Longer passwords are more secure.
"...etc.

Why would users be encouraged to use strong passwords, not easily guessed by malicious users etc, when they were just intended to avoid accidental modifications? The document is clearly a lame attempt my M$ to coverup a serious vulnerability by suggesting that the feature was not designed to provide security. However, I bet they would not have hesitated to tout it as a "security feature" in Microsoft Word, had the vulnerability not been found.

Re:And this is a good thing

[cyb97]

Well run the password checker long enough and it'll come up with several possibilities. If your main concern is that you've used the same password elsewhere, I guess any good blackhat will be able to spot which one you've used or spend enough time to try them all.

Re:Nothing New

[ryen]

>I can see why you would do that for /authentication/, but not for /encryption/.
.. because this isn't encryption. this is for mom&pops keeping their special docs away from the kids. trouble is, most kids know more than their parents anyways and probably already have this tool to break into the docs.

there are many other tools that could probably encrypt and secure Word documents just as good, if not better, than using Office to "secure" it half-assly as shown here.

Re:Nothing New

[Anonym0us+Cow+Herd]

The word doc doesn't store the password, but a one-way checksum.

It is a checksum. But it must not be a very one-way checksum. If they had used a real one-way function, such as MD5, it would not be possible to come up with another value that hashed to the same result. (Well, it might be possible, but who has time to wait longer than the life of the universe.)

Quotes are offers and subject to negotiation

[coyote-san]

A while back I read an article on the legality of manually changing the HTML form used by some shopping cart software. Is it legal to change the price of a plasma screen TV to $250 instead of $5000? Could you force the seller to honor the adjusted price?

The answer, surprisingly, is that the "hacker" had an excellent chance of winning in court. Quotes are offers and subject to negotiation. The burden is on the offerer to verify that the counteroffer is acceptable - they are always free to reject any counteroffer and insist on the original price. The company can either pay to have somebody check the prices in counteroffers (or to have somebody automate that check), or it can absorb the loss when it automatically accepts such counteroffers.

So this is where we publish our hacks?

[PetoskeyGuy]

From http://www.scalabium.com/faq/dct0153.htm

Today I want to show how you may load some xls-file that is password-protected, and how to save xls into another file but without protection.

var
xls, xlw: Variant;
begin
{load MS Excel}
xls := CreateOLEObject('Excel.Application');

{open your xls-file}
xlw := xls.WorkBooks.Open(FileName := 'd:\book1.xls', Password := 'qq',
ReadOnly := True);
{save with other file name}
xlw.SaveAs(FileName := 'd:\book2.xls', Password := '');

{unload MS Excel}
xlw := UnAssigned;
xls := UnAssigned;
end;

Just replace there file names and password Not sure if it works on the latest version. Office Automation - coming soon to a worm near you.

Re:RTFA... It's hilarious

[hikerhat]

The difference between computer security and meat space security is cost. A good physical lock costs much more than a lock on a standard file cabinet. We simply can't afford to put all our physical documents in safes. It is also obvious to most people that a flimsy file cabinet is much less secure that a safe.

Computer security costs the same if you use some lame hack like MS is doing, or use real cryptography. The cost is nothing. Cryptography algorithms are freely available, and modern processors can handle the encryption without serious inconvenience to the user.

And it is not obvious from looking at the interface to a program how secure it is. You enter a password either way. Most people, for better or worse, have an innate trust in computers and other people. If they have to enter a password they assume their data is secure. Programmers know that. If you supply software that asks for a password and you have no real security behind it you are committing fraud, if not by a legal definition then certainly by an ethical definition. Personally I believe developers should be required by law to provide scientifically sound security in any application that prompts a user for a password.

I'll even bite on your little "most intelligent people" bit of trolling. Most intelligent people don't know what watermarking or digital signatures are, and it is not at all clear what application is secure and what is not. Most intelligent people have better things to do than dink around on computers and read about computer security. They hire people to do that for them or buy software that appears to do that for them. Unfortunately in this case the people they hired are lying scumbags and they purchased software from lying scumbags.

Irreproducible?

[major.morgan]

Myself and others have tried to reproduce the bypass and cannot. I have created several forms documents as well as found existing ones to try it on. Whenever I save as HTML, the w:UnprotectPassword tag is not present. Initially I had problems with the HTML compatibility settings, which I got worked out, but even after using every logical combination of settings I still do not get the tag. I have tried different methods of protecting the document, still no password hash in the HTML.

I can easily bypass the document protection, but not in a way that is not noticible.

What am I missing or has anyone successfully reproduced?

Try this

This will work to crack in excel. Maybe word too? Just goes to show how cake these passwords are to crack!

Sub PasswordBreaker()
'Author unknown

Dim i As Integer, j As Integer, k As Integer
Dim l As Integer, m As Integer, n As Integer
Dim i1 As Integer, i2 As Integer, i3 As Integer
Dim i4 As Integer, i5 As Integer, i6 As Integer
On Error Resume Next
For i = 65 To 66: For j = 65 To 66: For k = 65 To 66
For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66
For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66
For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126

ActiveSheet.Unprotect Chr(i) & Chr(j) & Chr(k) & _
Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & _
Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
If ActiveSheet.ProtectContents = False Then
MsgBox "One usable password is " & Chr(i) & Chr(j) & _
Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & _
Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
ActiveWorkbook.Sheets(1).Select
Range("a1 ").FormulaR1C1 = Chr(i) & Chr(j) & _
Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & _
Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
Exit Sub
End If
Next: Next: Next: Next: Next: Next
Next: Next: Next: Next: Next: Next

End Sub

How about this one?

[whterbt]

KB article 189126, two clicks away from the article referenced in the parent, offers this nugget of wisdom:

The password-protection systems built into Microsoft programs are designed to be unbreakable; there would be no point in including a password-protection system that could be broken.

Well, then, Microsoft, why is there a breakable password system in your product?!

Stinging indictment of Dell.

[i_r_sensitive]

Really the thing I think we all should be taking from this is that Dell has some real morons making some rather important decisions...

Why anyone would choose to use a Word document for the purpose Dell used it is completely beyond me. Are they so brainwashed over there that there was no exploration of the alternatives? Particularly in view of the fact that the app vendor (M$) specifically does not promote the use of that feature for securitys sake.

Really Dell, STFU, your precious relationship with Microsoft does not preclude using your brains when making software selections for sensitive processes like binding quotes...

On the plus side, I'm sure I've got a Dell quote somewhere in the office... Hmmm, laptop for $15 anyone?

the article was a joke

[BubbleNOP]

This article is false. I just tried this in Word 2000 with a protected document. When I try to save it as HTML it brings up a dialog box saying that "some of the features in this document aren't supported by Web browsers" and "Password to unprotect document for tracked changes, comments and forms will be lost". In the resulting .html there is nothing about the password.

Clearly the article was a joke. The Credits at the end of it give it away: "Magnus from the Microsoft Security Response Center for his fast responses and for showing a decent sense of humour. :-)"

Word is insecure crap, anyway

[Safety+Cap]

Woody's Office Watch had a good writeup (and followup) as to why you shouldn't use Word for anything sent out to the public. The problem he sites is that Word stores all kinds of things that you probably shouldn't disclose to just anyone, such as...

1. Last document editor's name, initials, and company
2. Computer name last edited on
3. Path (incl server name) of last save (Remember all those hacks that require the miscreant to know specific file path & names?)
4. Previous editor's names
5. Number of revisions and versions
6. Template name and path
7. Any hidden text
8. Comments

This is why you distill DOC to PDF before passing it around or posting it on the web, so none of the aforementioned information is inadvertently released. Yes, someone can still change it, but that's what digital signatures are for.

Side note: PDF Passwords ARE TRIVIAL to break. Don't try to protect your PDFs from printing/copying/etc. with the built-in "security." It takes about 15 seconds with publicly-available software to crack any PDF.