Microsoft Word Forms Passwords Hacked
An anonymous reader notes: "SecurityFocus has published a hack that can be used to unlock Microsoft Word documents that have been password protected. The 'secure' file can easily be edited and the original password re-inserted, removing any trace of the modification. A ZDNet UK article says Dell uses password protected Word files to send quotes, which could make for a messy legal battle." This feature, known as 'Password to Modify', is not the password protection on the document itself, just the protection that restricts unauthorized editing of the file. This hack allows someone to download such a file, edit it, and restore the password...effectively allowing changes to the file to go potentially unnoticed.
If I recall, OpenOffice/StarOffice can open "encrypted" Word and Excel documents without the requirement of a password. I know this used to work for older versions...
-- Minds are like parachutes... they work best when open.
As SF.com is located in the US, isn't this exactly something covered under the DMCA: publishing a method to circumvent a protection mechanism?
In that case, what are the chances of them getting into trouble?
If an experiment works, something has gone wrong.
Without some type of private/public digital signature system, you're going to see problems like this. Don't trust passwords on supposed read-only documents as a general rule.
The sooner business people understand these things, the sooner that we'll all see the benefits of a standardized, omnipresent public key infrastructure. Make sure to educate the nontechnical people in your office so that they demand better security for their data.
Why are you letting these clowns ruin our country?
OK, I'm not saying that Microsoft's totally without guilt here but just how far do people think they need to go with regards to securing passworded files? 48-bit encryption? 128-bit? 160-bit with triple DES? At what stage does the encryption become overkill?
And what about the consequences of selling Office (or even emailing a file) around the world with such strong encryption? It wasn't that long ago that the 128-bit encryption version of Internet Explorer couldn't be downloaded by anyone outside the US (even people in countries such as the UK) because that key length was longer than US export laws allowed at that time. So where do you draw the line between too weak (to be of any use to anyone at all) and too strong (to be of use to anyone who needs to deal with anyone based outside the US)?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
That's very interesting, but that's NOT what this article is about. This article describes how to modify "unmodifiable" fields. Here's the kick: Save the doc with "unmodifiable" fields as html and look at the source. There you will find a "key" in the metadata. Search for this key in the original doc with a hex editor. Zero it out, and voila, your fields are now modifiable.
;)
Again, this article is NOT about how to remove a password from the document itself. Such docs are truly encrypted. (How well is an exercise left for the reader!)
If the program claims that you can lock a document against modification, then shouldn't it provide verification of that? Or does it believe in its infallibility?
I know MS Word includes signatures, why wouldn't a signature be an automatic feature on a locked document???
shame.
If you don't want your document to be changed by others, why don't you crypto-sign it?
It's not specific to any specific document format or type and requires no extra features/code on the behalf of every program. Of course, "Password-protecting yadda yadda yadda" sure sounds good on a feature list of a word processor, even if completely useless.
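Added example (not part of the thread or of any commenter's post): a detached signature over a file's raw bytes, made with the OpenSSL command line, showing that an edit is detected even when the protection marker inside the file is left exactly as it was. The file contents, the file names and the `make_keys`, `sign_doc` and `verify_doc` helpers are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: detached signature over a document's raw bytes.
# File names, contents and helper names are constructed for illustration.

WORK=$(mktemp -d)

# One-time setup by the sender: RSA key pair; the public half goes to recipients.
make_keys() {
  openssl genrsa -out "$WORK/sender.key" 2048 2>/dev/null
  openssl rsa -in "$WORK/sender.key" -pubout -out "$WORK/sender.pub" 2>/dev/null
}

# Sender: sign the exact bytes of the file; the signature is a separate file,
# so the document format does not need to know anything about it.
sign_doc() {   # $1 = document path
  openssl dgst -sha256 -sign "$WORK/sender.key" -out "$1.sig" "$1"
}

# Recipient (or the sender, later): returns 0 only if the bytes are unchanged.
verify_doc() { # $1 = document path, $2 = signature path
  openssl dgst -sha256 -verify "$WORK/sender.pub" -signature "$2" "$1" >/dev/null 2>&1
}

make_keys

# Constructed stand-in for a quote sent as a "locked" document.
printf 'PROTECT-KEY=1A2B3C4D\nQuote 1001: 10 servers, total 25000 USD\n' \
  > "$WORK/quote.doc"
sign_doc "$WORK/quote.doc"

# The body is changed while the protection marker stays byte-for-byte intact,
# which is the "no trace of the modification" situation from the story.
sed 's/25000/15000/' "$WORK/quote.doc" > "$WORK/quote_edited.doc"

verify_doc "$WORK/quote.doc"        "$WORK/quote.doc.sig" \
  && echo "original: signature valid"
verify_doc "$WORK/quote_edited.doc" "$WORK/quote.doc.sig" \
  || echo "edited:   signature INVALID"
```

The signature only helps if the sender keeps `quote.doc.sig` (or the recipient receives it) and the public key reaches the verifier by a channel the editor of the file does not control.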
Well run the password checker long enough and it'll come up with several possibilities. If your main concern is that you've used the same password elsewhere, I guess any good blackhat will be able to spot which one you've used or spend enough time to try them all.
Computer security costs the same if you use some lame hack like MS is doing, or use real cryptography. The cost is nothing. Cryptography algorithms are freely available, and modern processors can handle the encryption without serious inconvenience to the user.
And it is not obvious from looking at the interface to a program how secure it is. You enter a password either way. Most people, for better or worse, have an innate trust in computers and other people. If they have to enter a password they assume their data is secure. Programmers know that. If you supply software that asks for a password and you have no real security behind it you are committing fraud, if not by a legal definition then certainly by an ethical definition. Personally I believe developers should be required by law to provide scientifically sound security in any application that prompts a user for a password.
I'll even bite on your little "most intelligent people" bit of trolling. Most intelligent people don't know what watermarking or digital signatures are, and it is not at all clear what application is secure and what is not. Most intelligent people have better things to do than dink around on computers and read about computer security. They hire people to do that for them or buy software that appears to do that for them. Unfortunately in this case the people they hired are lying scumbags and they purchased software from lying scumbags.
Clearly the article was a joke. The Credits at the end of it give it away: "Magnus from the Microsoft Security Response Center for his fast responses and for showing a decent sense of humour. :-)"
- Last document editor's name, initials, and company
- Computer name last edited on
- Path (incl server name) of last save (Remember all those hacks that require the miscreant to know specific file path & names?)
- Previous editor's names
- Number of revisions and versions
- Template name and path
- Any hidden text
- Comments
This is why you distill DOC to PDF before passing it around or posting it on the web, so none of the aforementioned information is inadvertently released. Yes, someone can still change it, but that's what digital signatures are for.
Side note: PDF Passwords ARE TRIVIAL to break. Don't try to protect your PDFs from printing/copying/etc. with the built-in "security." It takes about 15 seconds with publicly-available software to crack any PDF.
Yeah, right.