Slashdot Mirror


Microsoft Word Forms Passwords Hacked

An anonymous reader notes: "SecurityFocus has published a hack that can be used to unlock Microsoft Word documents that have been password protected. The 'secure' file can easily be edited and the original password re-inserted, removing any trace of the modification. A ZDNet UK article says Dell uses password protected Word files to send quotes, which could make for a messy legal battle." This feature, known as 'Password to Modify', is not the password protection on the document itself, just the protection that restricts unauthorized editing of the file. This hack allows someone to download such a file, edit it, and restore the password...effectively allowing changes to the file to go potentially unnoticed.

81 of 438 comments

  1. Nothing New by digitalvengeance · · Score: 5, Informative

    There have been utilities to obtain Word passwords for quite a while. I've tested mine on Office 2000 and XP protected documents and had great success.

    What's odd: The password returned by my tool of choice is not the same as the one actually stored - but when I enter this new password OR the original password into Word, the document is successfully unprotected. Some sort of odd math that makes more than one password work?
    Example - I protected both a Word 2000 and Word 2002 document with the password "test" then ran them through my cracker. The cracker returned the password "QFQDOBCTGLHGEE" virtually instantly for both documents. Oddly enough, this new unusual password successfully unlocked both Word documents using Tools > Unprotect Document. Subsequent testing reveals that the original password will also unprotect the document.

    So, if such passwords can easily be bypassed anyway - what does this really change?

    I should note that I'm using a Passware product called Office Key.

    This crack just takes what has been commercially available for quite some time and moves it into the public arena.

    Josh

    --
    How many roads must a man walk down? 42.
    1. Re:Nothing New by Stavr0 · · Score: 5, Informative
      The word doc doesn't store the password, but a one-way checksum.

      The passware product merely computes a password that matches the checksum found in the word doc.

    2. Re:Nothing New by Violet+Null · · Score: 4, Informative

      Word probably uses a hash function to test the password (just like Linux doesn't store passwords, but hashes, in /etc/password). There's some function, you put the "password" in, it spits a hash out, and that is compared to the stored hash.

      Hashes are more secure than storing the password, because they tend to be pretty one way -- it's trivial to get a hash from a password, but much less trivial to get a password from the hash.

      However, hashes can collide; the smaller the hash returned, compared to the possible keyspace, the more likely this is. For instance, if I have a hash function that returns a one byte hash that I use to hash my password, then there is a 1/256 chance that _any_ gibberish I send in will return the same hash, and thus match.

      Microsoft is probably using a very small hash, and your "tool of choice" probably just brute forces the thing until it finds a match.

      If your tool of choice continued through the keyspace, it would inevitably come up with test, too.

    3. Re:Nothing New by pegr · · Score: 5, Interesting

      That's very interesting, but that's NOT what this article is about. This article describes how to modify "unmodifiable" fields. Here's the kick: Save the doc with "unmodifiable" fields as html and look at the source. There you will find a "key" in the metadata. Search for this key in the original doc with a hex editor. Zero it out, and voila, your fields are now modifiable.

      Again, this article is NOT about how to remove a password from the document itself. Such docs are truly encrypted. (How well is an exercise left for the reader! ;)

    4. Re:Nothing New by GoofyBoy · · Score: 4, Informative

      >Some sort of odd math that makes more than one password work?

      A really, really simple, dumbed-down explanation of what could be happening.

      I set the password to "011". Word takes the sum of the digits (0 + 1 + 1 = 2) and stores the result.

      When I want to unlock it Word takes the password I enter and sums the digits and sees if they match with the stored result from step 1. So "011" would work and so would "020" and "110".

      Of course it would be more complex math. Hope this gives you a bit of understanding of how it could happen.

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
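The two explanations above (a one-byte hash that any gibberish matches 1 time in 256, and a digit-sum check that accepts "011", "020" and "110" alike) can be run as an added example in Go. This is not code from the original thread, from Word, or from any password tool. It implements the digit-sum check as described, stands in for a small stored check value with SHA-256 truncated to 16 bits (an assumption for illustration, not Word's algorithm), and enumerates lowercase candidates until one hashes to the stored value. The original password "Test123!" is constructed and deliberately uses characters outside the lowercase search space, so any hit is a different string that still verifies; the same search budget against full 256-bit SHA-256 finds nothing, which is the size-of-hash point the comment makes.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// hashFn maps a candidate password to the value a file would store in
// place of the password itself.
type hashFn func(string) string

// digitSum is the toy check from the comment above: the sum of the
// decimal digits, so "011", "020" and "110" all verify against "2".
func digitSum(pw string) string {
	sum := 0
	for _, c := range pw {
		if c >= '0' && c <= '9' {
			sum += int(c - '0')
		}
	}
	return strconv.Itoa(sum)
}

// sha256Full is a real one-way hash with a 256-bit output.
func sha256Full(pw string) string {
	d := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(d[:])
}

// sha256Trunc16 keeps only the first two bytes (16 bits) of SHA-256 (an
// assumed stand-in for a small stored check value).  It is still one-way,
// but with 65536 possible outputs roughly one candidate in 65536 matches
// any given stored value.
func sha256Trunc16(pw string) string {
	d := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(d[:2])
}

// candidate returns the idx-th string over alphabet, enumerating all
// 1-character strings first, then all 2-character strings, and so on.
func candidate(alphabet string, idx int) string {
	n := len(alphabet)
	var buf []byte
	for k := idx; k >= 0; k = k/n - 1 {
		buf = append([]byte{alphabet[k%n]}, buf...)
	}
	return string(buf)
}

// findMatch returns the first candidate whose hash equals target, or false
// if budget candidates were tried without success.  This is the "brute
// force the thing until it finds a match" from the comment above: it does
// not recover the password, only some input the check accepts.
func findMatch(target string, h hashFn, alphabet string, budget int) (string, bool) {
	for idx := 0; idx < budget; idx++ {
		c := candidate(alphabet, idx)
		if h(c) == target {
			return c, true
		}
	}
	return "", false
}

func main() {
	const original = "Test123!" // constructed sample, outside the lowercase search space
	const lower = "abcdefghijklmnopqrstuvwxyz"
	const budget = 1 << 20

	alt, _ := findMatch(digitSum("011"), digitSum, "0123456789", 1000)
	fmt.Printf("digit-sum: %q also verifies against the stored value for \"011\"\n", alt)

	c, ok := findMatch(sha256Trunc16(original), sha256Trunc16, lower, budget)
	fmt.Printf("16-bit hash: found %q (ok=%v), verifies=%v\n",
		c, ok, sha256Trunc16(c) == sha256Trunc16(original))

	_, ok = findMatch(sha256Full(original), sha256Full, lower, budget)
	fmt.Println("256-bit hash: match found within the same budget:", ok)
}
```

The enumeration order is fixed, so the 16-bit search reports the same alternative string every run; what changes between a check value and a real password hash is not the algorithm's secrecy but how many outputs it has relative to how many inputs an attacker can afford to try.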
    5. Re:Nothing New by pegr · · Score: 2, Insightful

      If your hack program only returns gobbledy-gook type passwords, how do you go about re-locking the document in such a way that your changes are undetected?

      um, if your bruted password gens the same hash, why wouldn't the original (and unknown) password unlock it as well?

    6. Re:Nothing New by pegr · · Score: 4, Informative

      Word document password protection has always been a joke. It's total cake to bypass it.

      1. Open a new blank Word document.

      2. Insert the protected document into the new document using the Insert command. You will NOT be asked for the password.

      3. You now have the protected document, complete with formatting, content, etc., but with no password protection as your new document.


      Nope, not since Office 98. Since Office 98, password protected docs are truly encrypted. It does indeed ask you for the password when you insert it.

      And I just noticed that, in Office 2003 anyway, you can hit the "Advanced" tab and choose what kind of encryption you want (RSA, etc.), as well as bit length. Pretty cool!

    7. Re:Nothing New by Anonymous Coward · · Score: 2, Informative
      (just like Linux doesn't store passwords, but hashes, in /etc/password)

      Just a brief nitpick here, but most Linux systems store password hashes in /etc/shadow, with /etc/passwd holding the rest of the info for the user accounts. Everyone can read /etc/passwd (and needs to, to get user names from UIDs), but only root (and stuff like getty that checks passwords, running as root) can read /etc/shadow. You can set it up to use the old-school style and hold hashes in /etc/passwd, but it's generally frowned upon.

    8. Re:Nothing New by spanielrage · · Score: 2, Insightful

      The password is likely stored using a (weak) hash function.

    9. Re:Nothing New by pegr · · Score: 4, Informative

      OK, replying to your own post is lame, but here are the encryption types available under Word 2003:

      Weak Encryption (XOR)
      Office 97/2000 Compatible
      RC4, Microsoft Base Cryptographic Provider
      RC4, Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
      RC4, Microsoft DH SChannel Cryptographic Provider
      RC4, Microsoft Enhanced Cryptographic Provider v1.0
      RC4, Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
      RC4, Microsoft RSA SChannel Cryptographic Provider
      RC4, Microsoft Strong Cryptographic Provider

      I especially love the XOR encryption! (At least they call it weak...) For the other types, you can spec a bit length between 40 and 128 bits. Now I'm not sure what MS does to "enhance" these encryption types, but there it is, for what it's worth... (I wonder if Whitfield knows his name is contained within MS Word? ;)

    10. Re:Nothing New by Feyr · · Score: 3, Informative

      This hack doesn't even use brute force. They just found the bytes in the Word file where the password is stored.

      Zeroing those bytes with a hex editor allows you to modify the document password-free. You then replace the original hex in the bytes you modified to "reactivate" the protection.

    11. Re:Nothing New by Suppafly · · Score: 2, Informative

      If the original and generated password can both unlock the file ... does that guarantee that locking the file with the generated password will allow it to be unlocked with the original?

      Yes. But that is not what the article is about anyway.

    12. Re:Nothing New by Anonym0us+Cow+Herd · · Score: 2, Interesting

      The word doc doesn't store the password, but a one-way checksum.

      It is a checksum. But it must not be a very one-way checksum. If they had used a real one-way function, such as MD5, it would not be possible to come up with another value that hashed to the same result. (Well, it might be possible, but who has time to wait longer than the life of the universe.)

      --
      The price of freedom is eternal litigation.
    13. Re:Nothing New by saforrest · · Score: 4, Informative

      If they had used a real one-way function, such as MD5, it would not be possible to come up with another value that hashed to the same result.

      Uh, you're confusing two things.

      A one-way function is simply some function which is not one-to-one. For example, consider the length function L which maps words to integers, e.g. L("bob")=3, L("A")=1.

      It's not possible, given an integer n, to find the specific word that mapped to n, simply because there isn't a unique one. This is what makes it one-way.

      The fact that there are multiple possible passwords for this Word document is proof that it is a one-way function.

      What you're talking about is the ease of finding some element of the preimage of a given hash, which is a separate concept. MD5 is good because for some given value, it's really hard to find anything which hashes to that value, not because it's somehow 'more one-way'.

      In fact, the most one-way function of all is a constant function, which is obviously totally useless for authentication.

    14. Re:Nothing New by Bronster · · Score: 2, Informative

      Just a brief nitpick here, but I think that most versions of getty actually spawn login, which is what reads the shadow file. But they can only read the shadow file as they have root privileges, there is no "and stuff like...". Just root. You'll note that passwd can no longer be used by normal users if you take away its SUID 0 status.

      And right back at you. Have you ever actually looked at the file, or are you just talking out of your arse?

      brong@dariat~>ls -la /etc/shadow
      -rw-r----- 1 root shadow 1320 Dec 28 10:51 /etc/shadow

      This is Debian GNU/Linux - but I remember similar things on BSD and other U*IX like OSen that I've used. Shadow group is a concept that's not exactly new, and it means that tools which only read, and should never write, the password file can be partitioned off where they can't do much damage.

      Slashdot does need a 'full of shit' moderation.

      The 'passwd' command on the other hand needs to write the password file, and hence needs root privs.

      Oh, and a good reason not to use LDAP (and I speak from experience here) is that it leads to single points of failure. We've switched to using centrally managed /etc/passwd and /etc/shadow synchronised out to all machines by the configuration management tools. Far fewer messy failure modes.

      If you want to come up with an OS where there isn't a shadow group for /etc/shadow, feel free - but I haven't seen it anywhere I've had to care.

  2. An insecure Microsoft application?! by Anonymous Coward · · Score: 3, Funny

    Is this a dupe? I could swear I've read this one before.

  3. RTFA... It's hilarious by h4rm0ny · · Score: 5, Informative

    According to Microsoft, the password protection feature on Word is not intended to be secure, but should be regarded as a means to protect documents against accidental modification. I use Word and don't ever recall being advised of this, but then I suppose the EULA does warn users never to actually rely on the software for anything important.

    I never expected the protection in Word to be anything special, but sometimes (as shown here by Dell) it's better to have no security than false security because that way you take greater care.

    But for those of you who never RTA, here is what was the highlight for me:
    1.) Open a protected document in MS Word
    2.) Save as "Web Page (*.htm; *.html)", close Word
    3.) Open html-document in any Text-Editor
    4.) Search "" tag, the line reads something like that: ABCDEF01

    --

    Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
    1. Re:RTFA... It's hilarious by Kevin+Stevens · · Score: 5, Insightful

      The locks on these files are very similar to locks found on standard filing cabinets. They are there to prevent tampering, keeping people out of places they really shouldn't be: sensitive, but not absolutely secret stuff. Secure they are not. I have used these things before, and I can tell you, it's pretty clear they are not using any heavy duty security. I do not see how anyone intelligent could really see them as otherwise. You don't have to read a EULA to realize there is no watermarking, no digital signature, no complex scheme of any sort behind it. I put last year's tax records in a filing cabinet, but I wouldn't keep the deed to my house or the account number to my secret account in the Caymans in there; I would buy a safe. Same concept here.

    2. Re:RTFA... It's hilarious by Skater · · Score: 4, Insightful

      Reminds me of an electrician I knew that always worked on wires live. That way, he claimed, he was certain to be careful.

      He was pretty old, too, so I guess it worked...

      --RJ

    3. Re:RTFA... It's hilarious by hikerhat · · Score: 3, Interesting
      The difference between computer security and meat space security is cost. A good physical lock costs much more than a lock on a standard file cabinet. We simply can't afford to put all our physical documents in safes. It is also obvious to most people that a flimsy file cabinet is much less secure than a safe.

      Computer security costs the same if you use some lame hack like MS is doing, or use real cryptography. The cost is nothing. Cryptography algorithms are freely available, and modern processors can handle the encryption without serious inconvenience to the user.

      And it is not obvious from looking at the interface to a program how secure it is. You enter a password either way. Most people, for better or worse, have an innate trust in computers and other people. If they have to enter a password they assume their data is secure. Programmers know that. If you supply software that asks for a password and you have no real security behind it you are committing fraud, if not by a legal definition then certainly by an ethical definition. Personally I believe developers should be required by law to provide scientifically sound security in any application that prompts a user for a password.

      I'll even bite on your little "most intelligent people" bit of trolling. Most intelligent people don't know what watermarking or digital signatures are, and it is not at all clear what application is secure and what is not. Most intelligent people have better things to do than dink around on computers and read about computer security. They hire people to do that for them or buy software that appears to do that for them. Unfortunately in this case the people they hired are lying scumbags and they purchased software from lying scumbags.

  4. What do you mean, that's too cheap? by Trillan · · Score: 5, Funny

    I swear, you guys gave me a quote of $6.35 for a new Latitude.

  5. Other Variants by skroz · · Score: 4, Interesting

    If I recall, openoffice/staroffice can open "encrypted" Word and Excel documents without the requirement of a password. I know this used to work for older versions...

    --
    -- Minds are like parachutes... they work best when open.
    1. Re:Other Variants by pegr · · Score: 3, Informative

      If I recall, openoffice/staroffice can open "encrypted" Word and Excel documents without the requirement of a password. I know this used to work for older versions...

      Not since Office 98...

  6. No messy Dell battle by MikeXpop · · Score: 4, Insightful
    This hack allows someone to download such a file, edit it, and restore the password...effectively allowing changes to the file to go potentially unnoticed.
    Basically meaning the submitter's comments about Dell are wrong, as Dell wouldn't use that kind of protection.

    Come to think of it, I can't think of a real position where this could be a problem. What would someone do, host protected .doc's on a public server, and hope no one hacks into the server putting back the password-modified .doc? Anyone have a real world example?
    --
    Etiquette is etiquette. He kills his mother but he can't wear grey trousers.
    1. Re:No messy Dell battle by vasqzr · · Score: 5, Informative


      Come to think of it, I can't think of a real position where this could be a problem. What would someone do, host protected .doc's on a public server, and hope no one hacks into the server putting back the password-modified .doc? Anyone have a real world example?

      You've obviously never been in the real world.

      To someone like you or me, Word is simply a word processing program. But, to office workers across the country....

      Here's a list of things I've seen people use MS Word for:

      Spreadsheet. Hit tab, enter a value, add them up by hand. Excel is 'too confusing'

      Creating GIANT tables and using them for inventory, rather than an Access database

      Creating a 3,000 page document and keeping time/attendance records for ~ 250 employees. And wonder why it takes 10 minutes to load, and 10 minutes to save, doesn't scroll right....

    2. Re:No messy Dell battle by Geccoman · · Score: 2, Funny

      MS Word is what you make web pages with, right?

      Right...?

      --
      I'm on a chair.
  7. DMCA anyone by Ubi_NL · · Score: 3, Interesting

    As SF.com is located in the US, isn't this exactly something covered under the DMCA: publishing a method to circumvent a protection mechanism.
    In that case, what are the chances of them getting into trouble?

    --

    If an experiment works, something has gone wrong.
    1. Re:DMCA anyone by Chagatai · · Score: 3, Interesting
      As one of the previous posters mentioned, the password scheme, as described by Microsoft, is not designed to be a means of protection of data, but more of a way to deter users from accidentally modifying Word documents. I suppose the poor man's version of this would be the copy protect tab on a VHS tape. You could tape over it in order to record over something, but it prevents accidental modification.

      Ergo, if this password crack constitutes a breach of the DMCA, me taping over my neighbor's wedding and video of his kid's first steps with that weird Swedish adult channel I get on the dish must also be a violation of the DMCA, too. Stupid neighbor.

      --
      --Chag
  8. hehe by NeoGeo64 · · Score: 3, Insightful

    Another case of "if you build it I'll break it"

    Anything built by man can be cracked by man.

    DRM is useless bloatware.

  9. One Way function by nuggz · · Score: 4, Informative

    Passwords can use a one way function.
    Take the source string, do a bunch of 'stuff' to it, stuff that isn't easy to undo.
    You can throw out some data too.

    You end up with a new string, but since you threw out some information, you end up unable to reverse it.

    Even if you know the end result, and the formula, you can't guess the password. You'd have to brute force it.
    With slow computers, this was a very good obstacle. Now we use fancier algorithms, and it is still okay.

    I'm not a math guy, go read crypto books if you want the 'real' explanation

  10. Reasons for Digital Signatures by Dark+Paladin · · Score: 2, Insightful

    I've been playing around with some digital signatures solutions (like the one from arx.com) to deal with issues like these - documents that must be "signed" and verified beyond "reasonable doubt".

    What it comes down to isn't necessarily a "Microsoft Word" problem - it's an issue with verifying that data has its integrity. Probably doing an MD5/SHA1 hash on all documents and attaching that with the document would be good enough - which means you could just use text files instead.

  11. Now way for such a thing to be secure by osgeek · · Score: 5, Interesting

    Without some type of private/public digital signature system, you're going to see problems like this. Don't trust passwords on supposed read only documents as a general rule.

    The sooner business people understand these things, the sooner that we'll all see the benefits of a standardized, omnipresent public key infrastructure. Make sure to educate the nontechnical people in your office so that they demand better security for their data.

    1. Re:Now way for such a thing to be secure by dbIII · · Score: 2, Insightful
      Don't trust passwords on supposed read only documents as a general rule.
      That's what PDF and MD5 sums are for. If it's a read-only document it shouldn't be in a modifiable format, so why not PDF? I used to be very annoyed with employment agencies which required resumes to be in Word format - one honest person at an agency told me that was so they could modify the things so that they could pad some out and strip others down when they forwarded them on to potential employers. I've seen the modified resume that was submitted for my current position, and I'm very surprised I got the job - almost all relevant details were stripped out. It looked like the agent was pushing a particular candidate, and that person was not me.

      If you have something important in text in final form you shouldn't let others have it in an easily modifiable format. That said, it's easy enough to modify PDF files in the gimp, but the file size changes dramatically.

      The sooner business people understand these things, the sooner that we'll all see the benefits of a standardized, omnipresent public key infrastructure.
      It probably will happen, everyone accepts virus scanners as a necessity now. Passwords and keys are still a different story - I had a short term contract with a company that used its company name as the Admin password on nearly every workstation and on POS machines that it sold, and the clients never changed it. A new IT manager with a clue, and remote updates of software fixed all that. Very few of the office or helpdesk staff thought passwords were anything other than an annoyance in that place.
  12. How dumb do you have to be? by p3d0 · · Score: 3, Insightful
    What kind of rank amateur would just put a hashed password in the file, and then rely on hostile software to obey that password? Good grief.

    The real solution is a digital signature. Anyone to whom that is not obvious shouldn't be putting security measures in commercial products.

    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
    1. Re:How dumb do you have to be? by Prof.+Pi · · Score: 4, Funny
      What kind of rank amateur would just put a hashed password in the file, and then rely on hostile software to obey that password?

      Probably someone who truly believes their software is so ubiquitous that there would be no such thing as "hostile software."

  13. So what? by soluzar22 · · Score: 2, Interesting

    If you use this feature and expect it to be secure in my opinion you're just asking for trouble. Of course this is M$'s fault, but really! Is this a surprise to anyone? I mean, anything can be hacked in time, but a password-protected Word document? I've forgotten passwords myself in the past and decrypted the file in about a half-hour, and I'm hardly what you'd call a l33t d00d! I mean FFS! It's a word processor. Two answers to this. A) Don't let anyone but you have access to the file. Protect your PC and its hard drive. B) Use something like steganos, or something better to securely encrypt your files. Don't trust in the MS. Anyway, everyone should be using AbiWord.

  14. And this is a good thing by Smack · · Score: 4, Insightful

    The fact that it can't determine your actual password is a good thing. Not for the security of that particular document, obviously, but for the security of other things you may have used the same password for.

    1. Re:And this is a good thing by cyb97 · · Score: 3, Interesting

      Well run the password checker long enough and it'll come up with several possibilities. If your main concern is that you've used the same password elsewhere, I guess any good blackhat will be able to spot which one you've used or spend enough time to try them all.

  15. The article is troll-ish by _RiZ_ · · Score: 5, Informative

    I work with Dell for our workstation and laptop purchases and not once in the last 3 years have they sent me a quote in a Word document.

    They have a system that links the quote with your customer ID and gets generated as an HTML file which gets emailed to you. All automagically.

    To whoever thought they could change a Word document quote and expect to get that price, I got some beach front property to sell you in Kansas. Silly fool.

  16. Microsoft already knew by JUSTONEMORELATTE · · Score: 2, Informative

    It's old news -- that's why Microsoft prefers PDF for the really important stuff.

  17. And it was about that time... by pjwalen · · Score: 5, Funny

    that I noticed my customer was a 12 foot tall monster from the crustacious period! He looked me right in the eye and said, 'My quote for the dell says about Tree-Fitty!' and I said GOD DAMN YOU LOCHNESS MONSTER!

  18. Re:Oh, this bodes well. by zdislaw · · Score: 5, Informative
    I wondered exactly the same thing. For about three seconds. Then I RTFA.

    2003-11-27, 10:30 UTC Microsoft notified to: secure microsoft com

    2003-11-27 confirmed receipt from: secure microsoft com

    2003-12-03 Note from Microsoft, Form protection "is not intended as a full-proof protection for tampering or spoofing, this is merely a functionality to prevent accidental changes of a document", request additional time to update Microsoft Knowledge Base article.
    Targeting beginning of January 2004 for release of this advisory.
    from: "Magnus"

    2003-12-08 Microsoft has already released the KB article (or added a warning to an existing article). Read the KB article at http://support.microsoft.com/?id=822924
    from: "Magnus"

    --
    bad sig...no donut.
  19. Just how far should they go? by WIAKywbfatw · · Score: 3, Interesting

    OK, I'm not saying that Microsoft's totally without guilt here but just how far do people think they need to go with regards to securing passworded files? 48-bit encryption? 128-bit? 160-bit with triple DES? At what stage does the encryption become overkill?

    And what about the consequences of selling Office (or even emailing a file) around the world with such strong encryption? It wasn't that long ago that the 128-bit encryption version of Internet Explorer couldn't be downloaded by anyone outside the US (even people in countries such as the UK) because that key length was longer than US export laws allowed at that time. So where do you draw the line between too weak (to be of any use to anyone at all) and too strong (to be of use to anyone who needs to deal with anyone based outside the US)?

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
    1. Re:Just how far should they go? by TwistedSquare · · Score: 4, Insightful
      It wasn't that long ago that the 128-bit encryption version of Internet Explorer couldn't be downloaded by anyone outside the US (even people in countries such as the UK) because that key length was longer than US export laws allowed at that time

      I saw a good point the other day that US export laws on cryptography were fairly stupid when you consider that other countries have the skills/intelligence to develop strong cryptography outside the US in the first place. For example, RSA was originally developed in the UK.

    2. Re: Just how far should they go? by Black+Parrot · · Score: 4, Insightful


      > OK, I'm not saying that Microsoft's totally without guilt here but just how far do people think they need to go with regards to securing passworded files? 48-bit encryption? 128-bit? 160-bit with triple DES? At what stage does the encryption become overkill?

      So long as we ride the Moore Curve, overkill degrades to underkill at a rate of about one bit per 18 months. So if you want your document to be secure in perpetuity, you'd better use a lot of bits.

      --
      Sheesh, evil *and* a jerk. -- Jade
    3. Re:Just how far should they go? by Coryoth · · Score: 2, Informative

      I saw a good point the other day that US export laws on cryptography were fairly stupid when you consider that other countries have the skills/intelligence to develop strong cryptography outside the US in the first place. For example, RSA was originally developed in the UK.

      At GCHQ, where it was kept under lock and key, and no one knew about it until long after Rivest, Adleman and Shamir had published their paper.

      Jedidiah

    4. Re: Just how far should they go? by Kjella · · Score: 4, Informative

      So long as we ride the Moore Curve, overkill degrades to underkill at a rate of about one bit per 18 months. So if you want your document to be secure in perpetuity, you'd better use a lot of bits.

      Take something like 256 bits, which is quite commonly available, and you'll see that brute forcing it requires you to turn each atom on earth into a computer, and compute with each of the atoms of the earth (2^171 atoms) at 1 THz (2^40) for 1 million years (2^45) in order to brute force *one* key.

      Now, if that is too insecure for you, I recommend you seek professional help. Fast.

      Kjella

      --
      Live today, because you never know what tomorrow brings
  20. Come on now... by Kevin+Stevens · · Score: 4, Informative

    Was this ever really meant to be really truly secure? "security" features like that have always been lame at best and equivalent to luggage locks. These passwords have always been susceptible to brute force attacks. Anyone really serious about keeping documents safe puts them into a source control program. There are many ways to pick at MS's security, this is not one of them. But if you are trusting these measures for really secure documents, I highly suggest you get your valuables out of the pink plastic safe you won at the county fair last year.

    1. Re:Come on now... by Kevin+Stevens · · Score: 3, Insightful

      It's a dumb password scheme because it was meant to be a dumb password scheme. It's a simple one way hash. It is a document, a self contained, meant to be passed around entity. Even if they used some complex password scheme, it would still not be difficult to brute force it, and thus make it inherently insecure. So I bet they had a design meeting at some point and said, "hey, the customers want a feature to prevent snooping/tampering of docs, let's put a simple lock feature on them" knowing full well that it was not secure. Considering that a document is a passed around, meant to be distributed, entity without centralized tracking or control, it would be very difficult to put real security on them, and nowhere have I seen MS Office targeted as the "secure way" to store data. A company using this for invoices and such is just plain crazy. It's like complaining about the insecurity of a soft top convertible. Or that the jack that came with your car wouldn't hold the weight of your friend's truck (I mean it's a jack isn't it? there is nothing on there that says it won't jack up a truck). You can't ever trust the client, ever. That's a cardinal tenet of security. That's why we have barcodes, and no longer just put little pricetag stickers on products and ring up whatever is on them. You also wouldn't trust the little tiny lock on a diary to hold the wild stories of your other life as a transsexual gay man, at least not without hiding the thing damn well when your family is over to visit. I'm getting offtopic here, but the point is, MS Word in no way shape or form tries to be a secure document system, and trusting your business or very secret information to it is just silly.
      sir, please read the fine post.

  21. Full Article by Athrawn17 · · Score: 2, Informative

    To: BugTraq
    Subject: Microsoft Word Protection Bypass
    Date: Jan 2 2004 10:51AM
    Author: Thorsten Delbrouck-Konetzko
    Hi all,
    Microsoft Word provides an option to protect "forms" by password. This is
    used to ensure that unauthorized users cannot manipulate the contents of
    documents except within specially designed "form" areas. This feature is
    also often used to protect documents which do not even have form areas
    (quotations/offers etc.).
    This form protection can easily be removed without any additional tools
    (apart from a hex-editor).
    Please find the full advisory attached.
    best regards, /tdk
    Thorsten Delbrouck
    Chief Information Officer
    Guardeonic Solutions AG
    Rosenheimer Str. 116
    D-81669 Munich
    Security Advisory #01-2004
    Advisory Name: Microsoft Word Form Protection Bypass
    Release Date: 2004-01-02
    Affected Product: Microsoft Word
    Platform: Microsoft Windows, probably Apple Mac OS
    Version: tested on 2000, 2002 (XP), 2003, probably other versions vulnerable as well
    Severity: Document ("Form") protection can be easily removed
    Author: Thorsten Delbrouck
    Vendor Communication:
    2003-11-27, 10:30 UTC Microsoft notified to: secure microsoft com
    2003-11-27 confirmed receipt from: secure microsoft com
    2003-12-03 Note from Microsoft, Form protection "is not intended as a full-proof protection for tampering or spoofing, this is merely a functionality to prevent accidental changes of a document", request additional time to update Microsoft Knowledge Base article. Targeting beginning of January 2004 for release of this advisory. from: "Magnus"
    2003-12-08 Microsoft has already released the KB article (or added a warning to an existing article). Read the KB article at http://support.microsoft.com/?id=822924 from: "Magnus"
    Overview:
    Word provides an option to protect "forms" by password. This is used
    to ensure that unauthorized users can not manipulate the contents of
    documents except within specially designed "form" areas. This feature
    is also often used to protect documents which do not even have form
    areas (quotations/offers etc.).
    (Word users will find this option on the "Tools" menu, entry "Protection", select "Forms" there and provide a password.) If a Word document is "protected" by this mechanism, users cannot select parts of the text or place the cursor within the text, thus they cannot make any changes to the document.
    Description:
    When saving protected Word-documents as html-files, Word adds a
    "checksum" of the password (enclosed in a proprietary tag) to the
    code. The checksum format looks somewhat like CRC32 but currently
    there are no further details available. The same checksum can be
    found within the original Word document (hexadecimal view). If this
    "checksum" is replaced by 0x00000000 the password equals an empty
    string.
    Example:
    1.) Open a protected document in MS Word
    2.) Save as "Web Page (*.htm; *.html)", close Word
    3.) Open html-document in any Text-Editor
    4.) Search "" tag, the line reads something like that: ABCDEF01
    5.) keep the "password" in mind
    6.) Open original document (.doc) with any hex-editor
    7.) search for hex-values of the password (reverse order!)
    8.) Overwrite all 4 double-bytes with 0x00, Save, Close
    9.) Open document with MS Word, Select "Tools / Unprotect Document"
    (password is blank)
    Variation:
    If the 8 checksum bytes are replaced with the checksum of a known
    password it should be fairly easy to unprotect the document, make any
    necessary changes, save, close and reset the password to the original
    (unknown!) password by simply restoring the original values. Document
    changed without even knowing the password. Nasty.
    (Note: Take care to get file properties (author, organisation,
    date/time etc.) right.)
    Solution:
    No solution is currently available. Do not rely on the "Protect
    Forms" mechanism to protect a Word document against changes.
    Credits:
    Magnus from the Microsoft Security Response Center for his fast
    responses and for showing a decent sense of humour. :-)

  22. The shame's in the design not the hack by dnoyeb · · Score: 4, Interesting

    If the program claims that you can lock a document against modification, then shouldn't it provide verification of that? Or does it believe in its infallibility?

    I know MS word includes signatures, why wouldn't a signature be an automatic feature on a locked document???

    shame.

  23. Messy by icemax · · Score: 3, Insightful

    This could become a very large legal problem for Word users that rely on this type of protection to (legally) prove that files have not been tampered with (think FDA submissions for pharmaceuticals).
    I see this being a larger problem in the future, when MS Office DRM is used on most files assuming that these files will follow the orders encoded into their DRM. Imagine a file that is supposed to self-destruct in 10 months as part of a document retention lifecycle. Two years from now, a tape backup of that file is subpoenaed and the DRM is hacked so that the file is openable, leaving said company liable for its contents previously thought destroyed.
    I don't mean to rag on Microsoft or its protection schemes, more on those who use these weak means as a method of security in their infrastructure. A good server-based file protection model will always trump a good in-file-based protection model.

    --


    __________
    Love conquers all... except CANCER
  24. Cryptographic signing by Peaker · · Score: 3, Interesting

    If you don't want your document to be changed by others, why don't you crypto-sign it?

    It's not specific to any specific document format or type and requires no extra features/code on behalf of every program. Of course "Password-protecting yadda yadda yadda" sure sounds good on a feature list of a word processor, even if completely useless.

  25. Microsoft's response by Ben+Hutchings · · Score: 5, Funny

    Microsoft pointed to this Knowledge Base article. Choice quote: "Not all features that are found on the Security tab are designed to help make your documents and files more secure."

  26. A little salt... by Aardpig · · Score: 2, Insightful

    My understanding of the hack is this: it is possible to unlock a word document or form (i.e., make read-only parts writeable), modify it, and then re-lock it with the original password, without ever having to know what the original password is.

    Which then raises the question: in the hashing algorithm Microsoft is using to scramble the password, why the hell aren't they adding in some cryptographic salt? If they had made the scrambled password (which is leaked when a locked document is saved as HTML) depend not only on the cleartext password, but also on the read-only parts of the document, then they wouldn't have this problem: a hacked document re-locked with the same scrambled password would have a different salt, and therefore a different cleartext password. D'oh!

    --
    Tubal-Cain smokes the white owl.
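    The "salt" idea in the comment above, worked through as an added example (not code from the thread, and not Word's own algorithm, which the advisory says is undocumented): a verifier that depends only on the password can be copied back after an edit and still matches, while a verifier keyed with the password over a salt plus the locked content stops matching the owner's password the moment a locked byte changes. SHA-256 and HMAC stand in for Word's checksum; the quote text, password and salt are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample: the locked ("read-only") part of a quote and the owner's password.
READ_ONLY = b"Quote #1234 (constructed sample): 1 laptop, total price USD 1500.00"
PASSWORD = b"test"
# A per-document salt would normally be random and stored next to the verifier;
# fixed here so the example is reproducible.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def verifier(password: bytes, content: bytes, salt: bytes, bind_to_content: bool) -> bytes:
    """Return the stored "scrambled password".

    bind_to_content=False: depends on the password alone (the property the comment criticises;
    SHA-256 is an assumption standing in for Word's undocumented checksum).
    bind_to_content=True: HMAC keyed with the password over salt || locked content, so any change
    to the locked text yields a different verifier for the same password.
    """
    if bind_to_content:
        return hmac.new(password, salt + content, hashlib.sha256).digest()
    return hashlib.sha256(password).digest()  # content and salt are ignored


def unlock(password: bytes, content: bytes, salt: bytes, stored: bytes, bind_to_content: bool) -> bool:
    """What "Tools / Unprotect Document" would check: does the entered password reproduce the verifier?"""
    return hmac.compare_digest(verifier(password, content, salt, bind_to_content), stored)


def tamper_and_relock(bind_to_content: bool) -> bool:
    """Simulate the advisory's variation: the locked text is edited and the original verifier
    bytes are copied back. Returns True if the owner's own password still unlocks the edited
    document, i.e. the tampering leaves no trace at the password check."""
    stored = verifier(PASSWORD, READ_ONLY, SALT, bind_to_content)
    tampered = READ_ONLY.replace(b"1500.00", b"15.00")   # the edit
    restored = stored                                     # original verifier bytes put back
    return unlock(PASSWORD, tampered, SALT, restored, bind_to_content)


if __name__ == "__main__":
    print("password-only verifier, owner still unlocks after edit:", tamper_and_relock(False))
    print("content-bound verifier, owner still unlocks after edit:", tamper_and_relock(True))
```

    With the content-bound verifier the owner gets a "wrong password" on the edited file, which is the detection signal the comment asks for. It does not stop someone from zeroing the verifier to unprotect the file in the first place, and anyone who knows the password can re-lock a changed document; proving a document is unchanged to a third party still needs a digital signature, as comment 24 says.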
  27. NOT a feature, clearly a BUG. by GillBates0 · · Score: 2, Interesting
    The article references this advisory page in the Microsoft Knowledgebase which was presumably added after the author contacted "Magnus" at Microsoft Security.

    The page is titled: "Overview of Office Features That Are Intended to Enable Collaboration and That Are Not Intended to Increase Security", and reeks of hindsight. Microsoft notes that these features were never intended to increase security, but were designed to encourage collaboration.

    But on the other hand, they also say:
    "Information About Strong Passwords
    To reduce the chances of someone guessing your password, use only strong passwords.
    For a password to be a strong password, it should meet all the following criteria:
    * Be at least seven characters long. Longer passwords are more secure.
    ..." etc.

    Why would users be encouraged to use strong passwords, not easily guessed by malicious users etc., when they were just intended to avoid accidental modifications? The document is clearly a lame attempt by M$ to cover up a serious vulnerability by suggesting that the feature was not designed to provide security. However, I bet they would not have hesitated to tout it as a "security feature" in Microsoft Word, had the vulnerability not been found.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  28. Good Work! by polyp2000 · · Score: 2, Funny

    This is excellent news. The more Microsoft continues to prove itself as market leaders in security, the more copies of Windows XP SP2 they can sell. ;)

    nick ...

    --
    Electronic Music Made Using Linux http://soundcloud.com/polyp
  29. Easy to crack manually by pmann79 · · Score: 2, Informative

    I've modified "protected" Word documents by opening them in Notepad and scrolling through the last few lines until I find a string of plain text that looks like a password (i.e. isn't a username or Word setting). Although this takes a bit more time for the searching, there's no need to modify the password at all.

  30. OpenOffice by tds67 · · Score: 3, Insightful

    I would like to see this hack become a feature in OpenOffice.

  31. 0% Security and 100% Trouble by dimss · · Score: 2, Insightful

    All password protection that Microsoft uses in its products is an eternal source of inconvenience. There were at least three cases in the last five years when we had to use (il)legal cracking tools to recover _our own_ data in MS Access and MS Word when an employee forgot the password.

  32. Re:OMG MICROSFT IS TEH SUCK by youngerpants · · Score: 3, Funny

    You're new here aren't you?

    Welcome to /.

  33. DRM in Office 2003 is unaffected by kylef · · Score: 5, Insightful

    First of all, if you read the article, you will understand that Microsoft has not been advertising these "Word document passwords" as true security mechanisms. Microsoft has been pushing its new DRM Features in Office 2003 as the Microsoft-approved method to secure Office documents.

    In fact, I doubt Microsoft really put much effort into making these document-modification passwords all that secure. They have been around for quite some time, and I doubt they have changed much or improved much over the years. I don't know anyone who was relying on these document passwords for their security, and Microsoft did not advertise this as a great feature of Word. In fact, the bug itself is limited in scope to protecting Word FORMS from being modified.

    In any case, the new DRM features in Office 2003 are much more sophisticated and will no doubt be much more difficult to crack. THESE are the security features that Microsoft is pushing today, and if you really want to lambast Microsoft Security, then you must point out a way to subvert these newer technologies that Microsoft is actually pushing.

    It would be very big news indeed if someone could succeed in copying an Outlook 2003 email marked with a "Do Not Forward" permissions flag. Indeed, if someone could even READ such an email on an unauthorized email client, Microsoft's newest security policies would be questionable. Until then, I'm not convinced this is anything more than FUD trying to convince people that Office is inherently insecure.

    1. Re:DRM in Office 2003 is unaffected by cookd · · Score: 2, Informative

      Excellent point. The "lock" that has been broken is just that -- a lock, designed such that those who only use Word to edit the file can't edit the file without the password. This is the same as saying that a lock on a door is only effective against those who only come in through the doorway. The file isn't encrypted in any way, just locked. It is just a flag that tells Word to not let you view or edit the file until you've provided the password.

      There have always been a lot of ways around this lock. First, you can always generate a matching password (equivalent to picking the lock on a door). Or you can just zero out the password field in the file (the point of the "Security Advisory" linked in the article), which is like taking a door off of its hinges (I'm nearing metaphor breakdown here, but you'll just have to deal with it). Or you can just use some other editor (a hacked version of Word, a hex editor, or an Open Source editor) that lacks the programming to enforce the lock flag. That would be like ignoring the door and going for an open window or the back door or something. (Metaphor over, you can open your eyes now.)

      Remember that the file format was designed back when any non-trivial encryption was evil, and exporting it was considered espionage. Also remember that Word is targeted at students, teachers, and soccer moms just as much as it is targeted at CEOs and lawyers. The average Joe is satisfied with the trivial lock, and in fact would probably prefer less security, since that means if he/she is careless and forgets the password, the document can still be recovered (cost/benefit analysis: potential for damage if the document is opened by an outsider * probability that it will be opened by an outsider --versus-- potential for damage if my password is lost * probability that I will lose my password). Most people aren't protecting documents against evil government agents -- usually it is just their little brother or the guy in the next office that they need to keep out.

      Anyway, the bottom line is that this was never meant to be a safe deposit box, not even barbed wire and chain link. It is a simple lock, and just as a good screwdriver or a pair of bolt cutters can get you past a lock in no time, a real computer person would never even blink if confronted by something like this, and Microsoft never advertised it as anything else.

      On the other hand, they are now advertising new encryption and protection features that are the real thing. This time, they are making a strong claim of decent encryption: if you don't have the appropriate certificate, you're going to have a very hard time opening this document. Of course, once it is opened, the "Do Not Forward" or "Do Not Save Unencrypted" flags are once again just trivial locks, but that is a separate issue -- you have to open the document before you could do that.

      --
      Time flies like an arrow. Fruit flies like a banana.
  34. Much ado about nothing. by Anonymous Coward · · Score: 2, Insightful

    "A ZDNet UK article says Dell uses password protected Word files to send quotes, which could make for a messy legal battle."

    ZDNet overreacts. All Dell has to do is digitally sign the Word files with gpg. Better yet, screw Word files and distribute digitally signed PDF quotes.

    Word files are meant to be edited. This stupid password security is a bolt on hack to try to make Word files do something they were never intended to be in the first place: secure electronic documents. There are, and have been for a long time, much better solutions.

  35. Quotes are offers and subject to negotiation by coyote-san · · Score: 2, Interesting

    A while back I read an article on the legality of manually changing the HTML form used by some shopping cart software. Is it legal to change the price of a plasma screen TV to $250 instead of $5000? Could you force the seller to honor the adjusted price?

    The answer, surprisingly, is that the "hacker" had an excellent chance of winning in court. Quotes are offers and subject to negotiation. The burden is on the offerer to verify that the counteroffer is acceptable - they are always free to reject any counteroffer and insist on the original price. The company can either pay to have somebody check the prices in counteroffers (or to have somebody automate that check), or it can absorb the loss when it automatically accepts such counteroffers.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  36. So this is where we publish our hacks? by PetoskeyGuy · · Score: 2, Interesting
    From http://www.scalabium.com/faq/dct0153.htm

    Today I want to show how you may load some xls-file that is password-protected, and how to save xls into another file but without protection.

    var
      xls, xlw: Variant;
    begin
      {load MS Excel}
      xls := CreateOLEObject('Excel.Application');

      {open your xls-file}
      xlw := xls.WorkBooks.Open(FileName := 'd:\book1.xls', Password := 'qq',
                                ReadOnly := True);
      {save with other file name}
      xlw.SaveAs(FileName := 'd:\book2.xls', Password := '');

      {unload MS Excel}
      xlw := UnAssigned;
      xls := UnAssigned;
    end;

    Just replace the file names and password there. Not sure if it works on the latest version. Office Automation - coming soon to a worm near you.
  37. Signed PDF by Qrlx · · Score: 4, Insightful

    This came up at work. What happens if: You send out a contract as a Word doc email attachment. Customer changes the language of the contract, signs it, prints it, then mails it back. We could easily sign that without noticing the difference.

    We decided to send out digitally signed PDFs instead.

    1. Re:Signed PDF by Chester+K · · Score: 2, Insightful

      What happens if: You send out a contract as a Word doc email attachment. Customer changes the language of the contract, signs it, prints it, then mails it back. We could easily sign that without noticing the difference. We decided to send out digitally signed PDFs instead.

      Unfortunately that doesn't close the "customer changes it, prints it, signs it, sends it back, and we sign it without noticing" hole.

      --

      NO CARRIER
  38. Re:Weren't .ZIP files worse? by tuffy · · Score: 2, Informative

    pkzip files have always had genuine data encryption (the sort that isn't viewable with a hex editor), but that encryption has traditionally been quite weak. I'm unsure if the new schemes are any better, but I doubt many people use that aspect of pkzip files anyway.

    --

    Ita erat quando hic adveni.

  39. Can't have it both ways by CaptainSuperBoy · · Score: 3, Insightful

    I'm sure that some people here are laughing at Microsoft for its "lax security." Of course if you really wanted to protect a Word document you could use Office 2003's built-in encryption features, which rely on Windows Rights Management. Yet the people who criticize Microsoft for Word's "security hole" are also the most vocal opponents to anything having to do with trusted computing, including Windows Rights Management. You can't have it both ways, you know. You can either accept that Microsoft's WRM already has a solution to this issue, or you decide that the additional security that WRM provides isn't worth the imagined "privacy and freedom" implications. But don't say that MS should make their file formats more secure while at the same time dismissing WRM.

    1. Re:Can't have it both ways by Anonym0us+Cow+Herd · · Score: 2, Informative

      I don't know what "both ways" you're talking about.

      I can assure you it is possible to have secure encryption, secure digital signatures without DRM.

      GPG and PGP are examples of both, without DRM.

      Try reading the book Applied Cryptography.

      It would be most certainly possible to encrypt a document using a password, using a secure encryption mechanism, such that it cannot be decrypted without the password.

      Similarly, it is possible to take a secure (i.e. MD5) hash of a document, and then compare that document if it comes back to you to be sure it is the original. Applied Cryptography details numerous protocols for conducting business, signing documents, and many other useful things. All securely. All without DRM.

      --
      The price of freedom is eternal litigation.
  40. Somewhat OT Electricity Story by chadjg · · Score: 2, Funny

    I helped a family member install a washer/dryer set. It took 220v/60hz and he hadn't installed the plug onto the bare wires.

    We asked my dear cousin if the breaker was set to "off," asked her to double check, and then went to work. I went to work and accidentally bumped the wires, causing a huge arc about 2 inches in front of my eyes.

    I was lucky to live, folks. I'm not sure who the bigger fool was, me or my cousin. The lesson is that a wire isn't dead until you have personally checked it, and checked it again. Even then you have to be careful.

    I'm pretty new to high voltage electronics and information security, but I have learned a lesson.

    It seems to me that even if you use this Word feature, and know what it does, you can't count on your documents being secured. Another ignoramus will come along and screw it up and you won't know it. I really despise half solutions. They are as useful as almost making the jump over the Grand Canyon.

    Now, we all know what the information security equivalent to lockout/tagout is, right?

    Done venting now, thanks.

    --
    Why do I have this? I don't smoke.
  41. Irreproducible? by major.morgan · · Score: 2, Interesting

    Myself and others have tried to reproduce the bypass and cannot. I have created several forms documents as well as found existing ones to try it on. Whenever I save as HTML, the w:UnprotectPassword tag is not present. Initially I had problems with the HTML compatibility settings, which I got worked out, but even after using every logical combination of settings I still do not get the tag. I have tried different methods of protecting the document, still no password hash in the HTML.

    I can easily bypass the document protection, but not in a way that is not noticeable.

    What am I missing or has anyone successfully reproduced?

  42. How about this one? by whterbt · · Score: 2, Interesting

    KB article 189126, two clicks away from the article referenced in the parent, offers this nugget of wisdom:

    The password-protection systems built into Microsoft programs are designed to be unbreakable; there would be no point in including a password-protection system that could be broken.

    Well, then, Microsoft, why is there a breakable password system in your product?!

    --
    Too late to be known as Bush the First, he's sure to be known as Bush the Worst.
  43. some forms of XOR are not weak by js7a · · Score: 2, Informative
    Remember, XOR is used for one time pads, the strongest form of encryption.

    XOR against a passphrase is weak.

    XOR against a repeating secure (irreversible) hash of the password is technically weak but in practice very strong unless the message is dozens of times longer than the hash.

    XOR against a successive concatenation of secure hashes is strong, fast, and simple. There is no reason to believe 3DES is any stronger. Plus, it's the same algorithm for encrypting and decrypting. Pseudocode:

    1. secureXOR(input[], key):
    2. pad = SecureHash(key); /* e.g. MD5 or SHA[1-n] */
    3. length = LengthOf(SecureHash); /* e.g. 128 bits = 16 bytes for MD5; indexes below are in bytes */
    4. ptr = 0;
    5. output[ptr..ptr+length] = input[ptr..ptr+length] XOR pad;
    6. ptr = ptr + length; /* advance; without this the same block is rewritten forever */
    7. if (ptr >= sizeof(input)) return(output[]);
    8. pad = SecureHash(pad); /* next pad is the hash of the previous one */
    9. goto 5; /* not 4, which would reset ptr */
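    The chained-hash XOR from the pseudocode above, as an added example that is not the commenter's code: it implements the pad chain with SHA-256 standing in for "SecureHash" (an assumption), shows the round trip, and then shows the two caveats that apply to every XOR keystream construction, this one included. First, using one key for two messages cancels the keystream, so an observer who knows or guesses one message recovers the other without the key (the two messages are the constructed pair from comment 47). Second, because each pad is the hash of the previous one, a single known plaintext block at a block boundary reveals every later pad of that message. Keys, messages and the 96-byte sample are constructed.

```python
import hashlib

BLOCK = hashlib.sha256().digest_size  # 32 bytes per pad with SHA-256

# Constructed sample inputs.
KEY = b"passphrase"
M1 = b"I love Bob"
M2 = b"I hate Bob"
LONG = bytes(range(96))               # three full pad blocks


def keystream(key: bytes, length: int) -> bytes:
    """Pad chain from the pseudocode: pad0 = H(key), pad(i+1) = H(pad(i)), concatenated."""
    out = bytearray()
    pad = hashlib.sha256(key).digest()
    while len(out) < length:
        out += pad
        pad = hashlib.sha256(pad).digest()
    return bytes(out[:length])


def secure_xor(data: bytes, key: bytes) -> bytes:
    """XOR the input against the pad chain; the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


def roundtrip_ok(message: bytes, key: bytes) -> bool:
    return secure_xor(secure_xor(message, key), key) == message


def xor_of_plaintexts(ct1: bytes, ct2: bytes) -> bytes:
    """Two ciphertexts under the same key: the keystream cancels, leaving m1 XOR m2.
    No knowledge of the key is involved."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def recover_second_message(ct1: bytes, ct2: bytes, known_m1: bytes) -> bytes:
    """With one plaintext known (or guessed; a fixed document header will do), the other falls out."""
    return bytes(x ^ m for x, m in zip(xor_of_plaintexts(ct1, ct2), known_m1))


def pads_after_known_block(ct: bytes, known_plain: bytes, offset: int, n_blocks: int) -> bytes:
    """One known plaintext block at a block boundary gives that block's pad (ct XOR plain);
    since pad(i+1) = H(pad(i)), every later pad of the same message follows with no key."""
    pad = bytes(c ^ p for c, p in zip(ct[offset:offset + BLOCK], known_plain[:BLOCK]))
    out = bytearray()
    for _ in range(n_blocks):
        pad = hashlib.sha256(pad).digest()
        out += pad
    return bytes(out)


if __name__ == "__main__":
    ct1, ct2 = secure_xor(M1, KEY), secure_xor(M2, KEY)
    print("round trip:", roundtrip_ok(M1, KEY))
    print("second message from first, no key:", recover_second_message(ct1, ct2, M1))
    ct = secure_xor(LONG, KEY)
    print("later pads from one known block match keystream:",
          pads_after_known_block(ct, LONG[:BLOCK], 0, 2) == keystream(KEY, 96)[BLOCK:])
```

    The practical reading: a keystream derived only from the key must never be reused, and a pad chain with no secret mixed into each step is only as strong as the secrecy of any single plaintext block. A per-message nonce fed into the chain and a separate integrity check (a MAC over the ciphertext) are what turn such a construction into something usable.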
  44. Re:Missing Possessive by Zontar+The+Mindless · · Score: 2, Funny

    > IAAPN (I Am A Punctuation Nazi): the headline should read "Microsoft Word Forms' Passwords Cracked" or "Microsoft Word Forms's Passwords Cracked".

    Apparently IKEGBTYD (I Know English Grammar Better than You Do): Wrong. Nouns being used in a partitive or attributive sense are not possessives and do not require apostrophe + s. (You say "C compiler" and "dog food", and not "C's compiler" and "dog's food", right?)

    The headline is correct. Hard to believe since this is ./, but true.

    --
    Il n'y a pas de Planet B.
  45. Stinging indictment of Dell. by i_r_sensitive · · Score: 2, Interesting
    Really the thing I think we all should be taking from this is that Dell has some real morons making some rather important decisions...

    Why anyone would choose to use a Word document for the purpose Dell used it is completely beyond me. Are they so brainwashed over there that there was no exploration of the alternatives? Particularly in view of the fact that the app vendor (M$) specifically does not promote the use of that feature for security's sake.

    Really Dell, STFU, your precious relationship with Microsoft does not preclude using your brains when making software selections for sensitive processes like binding quotes...

    On the plus side, I'm sure I've got a Dell quote somewhere in the office... Hmmm, laptop for $15 anyone?

    --
    "Talk minus action equals nothing" - Joey Shithead, D.O.A.
    "Talk minus action equals /." -
  46. the article was a joke by BubbleNOP · · Score: 3, Interesting
    This article is false. I just tried this in Word 2000 with a protected document. When I try to save it as HTML it brings up a dialog box saying that "some of the features in this document aren't supported by Web browsers" and "Password to unprotect document for tracked changes, comments and forms will be lost". In the resulting .html there is nothing about the password.

    Clearly the article was a joke. The Credits at the end of it give it away: "Magnus from the Microsoft Security Response Center for his fast responses and for showing a decent sense of humour. :-)"

    1. Re:the article was a joke by DaCool42 · · Score: 2, Informative

      There is a thread about this vulnerability on bugtraq. I would suggest you go there for first hand info.

      --

      ----
      All of whose base are belong to the what-now?
  47. Non-linear, not one-way by IncohereD · · Score: 2, Informative

    A one-way function is simply some function which is not one-to-one. For example, consider the length function L which maps words to integers, e.g. L("bob")=3, L("A")=1.

    Think this one through. The algorithms used to sign PGP/GPG messages are one way. The reason being is that it's hard to come up with something else that maps to the same value.

    Using your length function example, considering the two e-mails from Alice

    "I love Bob"

    "I hate Bob"

    Would both parse to 1 4 3. Which means Eve could flip Alice's feelings for Bob, without invalidating the signature.

    That, my friend, is a crappy 'one-way' function. So crappy, that's it's not really one-way.

    The "multiple inputs give the same output" thing just means it's non-linear. And all that that implies.

  48. Word is insecure crap, anyway by Safety+Cap · · Score: 3, Interesting
    Woody's Office Watch had a good writeup (and followup) as to why you shouldn't use Word for anything sent out to the public. The problem he cites is that Word stores all kinds of things that you probably shouldn't disclose to just anyone, such as...
    1. Last document editor's name, initials, and company
    2. Computer name last edited on
    3. Path (incl server name) of last save (Remember all those hacks that require the miscreant to know specific file path & names?)
    4. Previous editor's names
    5. Number of revisions and versions
    6. Template name and path
    7. Any hidden text
    8. Comments
    This is why you distill DOC to PDF before passing it around or posting it on the web, so none of the aforementioned information is inadvertently released. Yes, someone can still change it, but that's what digital signatures are for.

    Side note: PDF Passwords ARE TRIVIAL to break. Don't try to protect your PDFs from printing/copying/etc. with the built-in "security." It takes about 15 seconds with publicly-available software to crack any PDF.

    --
    Yeah, right.
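    A pre-release check for the metadata list in the post above, as an added example that is neither the commenter's nor Woody's code. The post concerns binary .doc files, whose metadata lives in OLE streams; this check targets the zip-based .docx package instead, because it can be built and inspected with the standard library alone, and it covers the items from the list that the package carries: author, last editor, company, revision count, template, hidden (vanished) text and the presence of a comments part. The document, names and values are constructed, and the minimal package omits the content-types and relationship parts a real .docx has.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}

# Constructed sample parts standing in for a real document.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/">
<dc:creator>A. Author (constructed)</dc:creator>
<cp:lastModifiedBy>B. Editor (constructed)</cp:lastModifiedBy>
<cp:revision>7</cp:revision>
</cp:coreProperties>"""

APP_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Template>Quote-Template.dotx</Template>
<Company>Example Corp (constructed)</Company>
</Properties>"""

DOCUMENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>
<w:p><w:r><w:t>Visible quote text</w:t></w:r></w:p>
<w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>internal margin 40%</w:t></w:r></w:p>
</w:body></w:document>"""


def build_sample_docx() -> bytes:
    """Assemble the constructed parts into an in-memory zip package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def _text(root, path):
    if root is None:
        return None
    el = root.find(path, NS)
    return el.text if el is not None else None


def leak_report(docx: bytes) -> dict:
    """Collect the fields from the post's list that this package format carries."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        names = set(z.namelist())
        core = ET.fromstring(z.read("docProps/core.xml")) if "docProps/core.xml" in names else None
        app = ET.fromstring(z.read("docProps/app.xml")) if "docProps/app.xml" in names else None
        doc = ET.fromstring(z.read("word/document.xml"))
    hidden = []
    for run in doc.iterfind(".//w:r", NS):            # runs whose properties mark them as hidden
        if run.find("w:rPr/w:vanish", NS) is not None:
            hidden.extend(t.text or "" for t in run.iterfind("w:t", NS))
    return {
        "creator": _text(core, "dc:creator"),
        "last_modified_by": _text(core, "cp:lastModifiedBy"),
        "revision": _text(core, "cp:revision"),
        "template": _text(app, "ep:Template"),
        "company": _text(app, "ep:Company"),
        "hidden_text": hidden,
        "has_comments": "word/comments.xml" in names,
    }


def findings(report: dict) -> list:
    """Lines describing what the file would disclose; an empty list means nothing from the checklist."""
    out = [f"{k}: {report[k]}" for k in ("creator", "last_modified_by", "revision", "template", "company")
           if report.get(k)]
    if report["hidden_text"]:
        out.append("hidden text: " + " | ".join(report["hidden_text"]))
    if report["has_comments"]:
        out.append("comments part present")
    return out


if __name__ == "__main__":
    for line in findings(leak_report(build_sample_docx())):
        print(line)
```

    Running the report over a real package before it leaves the organisation is the point; distilling to PDF, as the post recommends, drops these parts, but the PDF's own metadata then deserves the same look.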