Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Word Forms Passwords Hacked

Posted by Cliff on from the back-to-the-drawing-board dept.

An anonymous reader notes: "SecurityFocus has published a hack that can be used to unlock Microsoft Word documents that have been password protected. The 'secure' file can easily be edited and the original password re-inserted, removing any trace of the modification. A ZDNet UK article says Dell uses password protected Word files to send quotes, which could make for a messy legal battle." This feature, known as 'Password to Modify', is not the password protection on the document itself, just the protection that restricts unauthorized editing of the file. This hack allows someone to download such a file, edit it, and restore the password...effectively allowing changes to the file to go potentially unnoticed.

4 of 438 comments (clear)

  1. Other Variants by skroz · · Score: 4, Interesting

    If I recall, openoffice/staroffice can open "encrypted" Word and Excel documents without the requirement of a password. I know this used to work for older versions...

    --
    -- Minds are like parachutes... they work best when open.
  2. Now way for such a thing to be secure by osgeek · · Score: 5, Interesting

    Without some type of private/public digital signature system, you're going to see problems like this. Don't trust passwords on supposed read only documents as a general rule.

    The sooner business people understand these things, the sooner that we'll all see the benefits of a standardized, omnipresent public key infrastructure. Make sure to educate the nontechnical people in your office so that they demand better security for their data.

    --
    Why are you letting these clowns ruin our country?
  3. Re:Nothing New by pegr · · Score: 5, Interesting

    That's very interesting, but that's NOT what this article is about. This article describes how to modify "unmodifiable" fields. Here's the kick: Save the doc with "unmodifiable" fields as html and look at the source. There you will find a "key" in the metadata. Search for this key in the original doc with a hex editor. Zero it out, and voila, your fields are now modifiable.

    Again, this article is NOT about how to remove a password from the document itself. Such docs are truly encrypted. (How well is an exercise left for the reader! ;)

  4. The shame's in the design not the hack by dnoyeb · · Score: 4, Interesting

    If the program claims that you can lock a document against modification, then shouldn't it provide verification of that? Or does it believe in its infallability.

    I know MS word includes signatures, why wouldn't a signature be an automatic feature on a locked document???

    shame.