Slashdot Mirror
Microsoft Word Forms Passwords Hacked
An anonymous reader notes: "SecurityFocus has published a hack that can be used to unlock Microsoft Word documents that have been password protected. The 'secure' file can easily be edited and the original password re-inserted, removing any trace of the modification. A ZDNet UK article says Dell uses password protected Word files to send quotes, which could make for a messy legal battle." This feature, known as 'Password to Modify', is not the password protection on the document itself, just the protection that restricts unauthorized editing of the file. This hack allows someone to download such a file, edit it, and restore the password...effectively allowing changes to the file to go potentially unnoticed.
There have been utilities to obtain Word passwords for quite a while. I've tested mine on Office 2000 and XP protected documents and had great success.
What's odd: The password returned by my tool of choice is not the same as the one actually stored - but when I enter this new password OR the original password into Word, the document is successfully unprotected. Some sort of odd math that makes more than one password work?
Example - I protected both a Word 2000 and Word 2002 document with the password "test" then ran them through my cracker. The cracker returned the password "QFQDOBCTGLHGEE" virtually instantly for both documents. Oddly enough, this new unusual password successfully unlocked both Word documents using Tools > Unprotect Document. Subsequent testing reveals that the original password will also unprotect the document.
So, if such passwords can easily be bypassed anyway - what does this really change?
I should note that I'm using a Passware product called Office Key.
This crack just takes what has been commercially available for quite some time and moves it into the public arena.
Josh
How many roads must a man walk down? 42.
Is this a dupe? I could swear I've read this one before.
According to Microsoft, the password protection feature on Word is not intended to be secure, but should be regarded as a means to protect documents against accidental modification. I use Word and don't ever recall being advised of this, but then I suppose the EULA does warn users never to actually rely on the software for anything important.
I never expected the protection in Word to be anything special, but sometimes (as shown here by Dell) it's better to have no security than false security because that way you take greater care.
But for those of you who never RTA, here is what was the highlight for me:
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
I swear, you guys gave me a quote of $6.35 for a new Latitude.
If I recall, openoffice/staroffice can open "encrypted" Word and Excel documents without the requirement of a password. I know this used to work for older versions...
-- Minds are like parachutes... they work best when open.
Come to think of it, I can't think of a real position where this could be a problem. What would someone do, host protected
Etiquette is etiquette. He kills his mother but he can't wear grey trousers.
As SF.com is located in the US, isn't this exactly something covered under the DMCA: publishing a method to circumvent a protect mechanism.
In that case, what are the chances of them getting into trouble?
If an experiment works, something has gone wrong.
Another case of "if you build it I'll break it"
Anything built by man can be cracked by man.
DRM is useless bloatware.
Passwords can use a one way function.
Take the source string, do a bunch of 'stuff' to it, stuff that isn't easy to undo.
You can throw out some data too.
You end up with a new string, but since you threw out some information, you end up unable to reverse it.
Even if you know the end result, and the formula, you can't guess the password. You'd have to brute force it.
With slow computers, this was a very good obstacle. Now we use fancier algorithms, and it is still okay.
I'm not a math guy, go read crypto books if you want the 'real' explanation
Without some type of private/public digital signature system, you're going to see problems like this. Don't trust passwords on supposed read only documents as a general rule.
The sooner business people understand these things, the sooner that we'll all see the benefits of a standardized, omnipresent public key infrastructure. Make sure to educate the nontechnical people in your office so that they demand better security for their data.
Why are you letting these clowns ruin our country?
The real solution is a digital signature. Anyone to whom that is not obvious shouldn't be putting security measures in commercial products.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
The fact that it can't determine your actual password is a good thing. Not for the security of that particular document, obviously, but for the security of other things you may have used the same password for.
I work with Dell for our workstation and laptop purchases and not once in the last 3 years have they sent me a quote in a Word document.
They have a system that links the quote with your customer ID and gets generated as an HTML file which gets emailed to you. All automagically.
To whom ever that thought they could change a word document quote and expect to get that price, I got some beach front property to sell you in Kansas. Silly fool.
that I noticed my customer was a 12 foot tall monster from the crustacious period! He looked me right in the eye and said, 'My quote for the dell says about Tree-Fitty!' and I said GOD DAMN YOU LOCHNESS MONSTER!
2003-11-27, 10:30 UTC Microsoft notified to: secure microsoft com
2003-11-27 confirmed receipt from: secure microsoft com
2003-12-03 Note from Microsoft, Form protection "is not intended as a full-proof protection for tampering or spoofing, this is merely a functionality to prevent accidental changes of a document", request additional time to update Microsoft Knowledge Base article.
Targetting beginning of January 2004 for release of this advisory.
from: "Magnus"
2003-12-08 Microsoft has already released the KB article (or added a warning to an existing article). Read the KB article at http://support.microsoft.com/?id=822924
from: "Magnus"
bad sig...no donut.
OK, I'm not saying that Microsoft's totally without guilt here but just how far do people think they need to go with regards to securing passworded files? 48-bit encryption? 128-bit? 160-bit with triple DES? At what stage does the encryption become overkill?
And what about the consequences of selling Office (or even emailing a file) around the world with such strong encryption? It wasn't that long ago that the 128-bit encryption version of Internet Explorer couldn't be downloaded by anyone outside the US (even people in countries such as the UK) because that key length was longer than US export laws allowed at that time. So where do you draw the line between too weak (to be of any use to anyone at all) and too strong (to be of use to anyone who needs to deal with anyone based outside the US)?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Was this ever really meant to be really truly secure? "security" features like that have always been lame at best and equivalent to luggage locks. These passwords have always been susceptible to brute force attacks. Anyone really serious about keeping documents safe puts them into a source control program. There are many ways to pick at MS's security, this is not one of them. But if you are trusting these measures for really secure documents, I highly suggest you get your valuables out of the pink plastic safe you won at the county fair last year.
If the program claims that you can lock a document against modification, then shouldn't it provide verification of that? Or does it believe in its infallability.
I know MS word includes signatures, why wouldn't a signature be an automatic feature on a locked document???
shame.
This could become a very large legal problem for Word users that rely on this type of protection to (legally) prove that files have not been tampered with (think FDA submissions for pharmacuticals).
I see this being a larger problem in the future, when MS Office DRM is used on most files assuming that these files will follow the orderes encoded into their DRM. Imagine a file that is supposed to self-destruct in 10 months as part of a document retention lifecycle. Two years from now, a tape backup of that file is subpoenad and the DRM is hacked so that the file is openable, leaving said company liable for its contents previously thought destroyed.
I don't mean to rag on Microsoft or its protection schemes, more on those who use these weak means as a method of security in their infrastructure. A good server-based file protection model will always trump a good in-file-based protection model.
__________
Love conquers all... except CANCER
If you don't want your document to be changed by others, why don't you crypto-sign it?
Its not specific to any specific document format or type and requires no extra features/code on the behalf of every program. Ofcourse "Password-protecting yadda yadda yadda" sure sounds good on a feature list of a word processor, even if completely useless.
Microsoft pointed to this Knowledge Base article. Choice quote: "Not all features that are found on the Security tab are designed to help make your documents and files more secure."
I would like to see this hack become a feature in OpenOffice.
You're new here aren't you?
/.
Welcome to
First of all, if you read the article, you will understand that Microsoft has not been advertising these "Word document passwords" as true security mechanisms. Microsoft has been pushing its new DRM Features in Office 2003 as the Microsoft-approved method to secure Office documents.
In fact, I doubt Microsoft really put much effort into making these document-modification passwords all that secure. They have been around for quite some time, and I doubt they have changed much or improved much over the years. I don't know anyone who was relying on these document passwords for their security, and Microsoft did not advertise this as a great feature of Word. In fact, the bug itself is limited in scope to protecting Word FORMS from being modified.
In any case, the new DRM features in Office 2003 are much more sophisticated and will no doubt be much more difficult to crack. THESE are the security features that Microsoft is pushing today, and if you really want to lambast Microsoft Security, then you must point out a way to subvert these newer technologies that Microsoft is actually pushing.
It would be very big news indeed if someone could succeed in copying an Outlook 2003 email marked with a "Do Not Forward" permissions flag. Indeed, if someone could even READ such an email on an unauthorized email client, Microsoft's newest security policies would be questionable. Until then, I'm not convinced this is anything more than FUD trying to convince people that Office is inherently insecure.
This came up at work. What happens if: You send out a contract as a Word doc email attachment. Customer changes the language of the contract, signs it, prints it, then mails it back. We could easily sign that without noticing the difference.
We decided to send out digitally signed PDFs instead.
I'm sure that some people here are laughing at Microsoft for its "lax security." Of course if you really wanted to protect a Word document you could use Office 2003's built-in encryption features, which rely on Windows Rights Management. Yet the people who criticize Microsoft for Word's "security hole" are also the most vocal opponents to anything having to do with trusted computing, including Windows Rights Management. You can't have it both ways, you know. You can either accept that Microsoft's WRM already has a solution to this issue, or you decide that the additional security that WRM provides isn't worth the imagined "privacy and freedom" implications. But don't say that MS should make their file formats more secure while at the same time dismissing WRM.
Clearly the article was a joke. The Credits at the end of it give it away: "Magnus from the Microsoft Security Response Center for his fast responses and for showing a decent sense of humour. :-)"
- Last document editor's name, initials,
and company
- Computer name last edited on
- Path (incl server
name) of last save (Remember all those hacks that require the
miscreant to know specific file path & names?)
- Previous
editor's names
- Number of revisions and versions
- Template
name and path
- Any hidden text
- Comments
This is why you distill DOC to PDF before passing it around or posting it on the web, so none of the aforementioned information is inadvertently released. Yes, someone can still change it, but that's what digital signatures are for.Side note: PDF Passwords ARE TRIVIAL to break. Don't try to protect your PDFs from printing/copying/etc. with the built-in "security." It takes about 15 seconds with publicly-available software to crack any PDF.
Yeah, right.