Microsoft Word Forms Passwords Hacked
An anonymous reader notes: "SecurityFocus has published a hack that can be used to unlock Microsoft Word documents that have been password protected. The 'secure' file can easily be edited and the original password re-inserted, removing any trace of the modification. A ZDNet UK article says Dell uses password protected Word files to send quotes, which could make for a messy legal battle." This feature, known as 'Password to Modify', is not the password protection on the document itself, just the protection that restricts unauthorized editing of the file. This hack allows someone to download such a file, edit it, and restore the password...effectively allowing changes to the file to go potentially unnoticed.
There have been utilities to obtain Word passwords for quite a while. I've tested mine on Office 2000 and XP protected documents and had great success.
What's odd: The password returned by my tool of choice is not the same as the one actually stored - but when I enter this new password OR the original password into Word, the document is successfully unprotected. Some sort of odd math that makes more than one password work?
Example - I protected both a Word 2000 and Word 2002 document with the password "test" then ran them through my cracker. The cracker returned the password "QFQDOBCTGLHGEE" virtually instantly for both documents. Oddly enough, this new unusual password successfully unlocked both Word documents using Tools > Unprotect Document. Subsequent testing reveals that the original password will also unprotect the document.
So, if such passwords can easily be bypassed anyway - what does this really change?
I should note that I'm using a Passware product called Office Key.
This crack just takes what has been commercially available for quite some time and moves it into the public arena.
Josh
How many roads must a man walk down? 42.
According to Microsoft, the password protection feature on Word is not intended to be secure, but should be regarded as a means to protect documents against accidental modification. I use Word and don't ever recall being advised of this, but then I suppose the EULA does warn users never to actually rely on the software for anything important.
I never expected the protection in Word to be anything special, but sometimes (as shown here by Dell) it's better to have no security than false security because that way you take greater care.
But for those of you who never RTA, here is what was the highlight for me:
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
I swear, you guys gave me a quote of $6.35 for a new Latitude.
Without some type of private/public digital signature system, you're going to see problems like this. Don't trust passwords on supposed read only documents as a general rule.
The sooner business people understand these things, the sooner that we'll all see the benefits of a standardized, omnipresent public key infrastructure. Make sure to educate the nontechnical people in your office so that they demand better security for their data.
Why are you letting these clowns ruin our country?
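What the comment above asks for, as an added example that is not part of the original thread: a protection marker stored inside the file survives an edit because the editor can carry it over, while a detached Ed25519 signature over the quote's bytes stops verifying after any change. The function names, quote text and marker value are constructed for illustration; the code uses only Node.js's built-in crypto module.

```javascript
// Added example: every name and value here is constructed for illustration.
const crypto = require('node:crypto');

// Vendor's signing key pair; only the public half is given to customers.
const vendor = crypto.generateKeyPairSync('ed25519');
// A different key pair, standing in for anyone who is not the vendor.
const other = crypto.generateKeyPairSync('ed25519');

// Model of an edit-protected file: content plus a marker kept in the same file.
function protectedQuote(text) {
  return { text, protection: 'constructed-marker-1234' };
}

// Detached signature over the exact bytes of the quote text.
function signQuote(doc, privateKey) {
  return crypto.sign(null, Buffer.from(doc.text, 'utf8'), privateKey);
}

// Check 1: is the in-file marker unchanged? (All that edit protection offers.)
function markerIntact(original, received) {
  return original.protection === received.protection;
}

// Check 2: does the signature match the received bytes under the vendor's key?
function signatureValid(received, signature, publicKey) {
  return crypto.verify(null, Buffer.from(received.text, 'utf8'), publicKey, signature);
}

function demo() {
  const sent = protectedQuote(
    'Quote Q-0001 (constructed): Latitude laptop, unit price 1299.00 USD');
  const sig = signQuote(sent, vendor.privateKey);

  // The holder of the file controls every byte in it, marker included.
  const altered = {
    text: sent.text.replace('1299.00', '6.35'),
    protection: sent.protection,
  };
  // Re-signing the altered text with some other key does not help either.
  const resigned = signQuote(altered, other.privateKey);

  return {
    originalVerifies: signatureValid(sent, sig, vendor.publicKey),
    alteredMarkerIntact: markerIntact(sent, altered),
    alteredVerifies: signatureValid(altered, sig, vendor.publicKey),
    resignedVerifies: signatureValid(altered, resigned, vendor.publicKey),
  };
}
```

The marker check passes on the altered copy while both signature checks on it fail, which is the difference between a convenience lock and tamper evidence.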
Come to think of it, I can't think of a real position where this could be a problem. What would someone do, host protected
You've obviously never been in the real world.
To someone like you or I, Word is simply a word processing program. But, to office workers across the country....
Here's a list of things I've seen people use MS Word for:
Spreadsheet. Hit tab, enter a value, add them up by hand. Excel is 'too confusing'
Creating GIANT tables and using them for inventory, rather than an Access database
Creating a 3,000 page document and keeping time/attendance records for ~ 250 employees. And wonder why it takes 10 minutes to load, and 10 minutes to save, doesn't scroll right....
I work with Dell for our workstation and laptop purchases and not once in the last 3 years have they sent me a quote in a Word document.
They have a system that links the quote with your customer ID and gets generated as an HTML file which gets emailed to you. All automagically.
To whoever thought they could change a Word document quote and expect to get that price, I got some beach front property to sell you in Kansas. Silly fool.
that I noticed my customer was a 12 foot tall monster from the crustacious period! He looked me right in the eye and said, 'My quote for the dell says about Tree-Fitty!' and I said GOD DAMN YOU LOCHNESS MONSTER!
2003-11-27, 10:30 UTC Microsoft notified to: secure microsoft com
2003-11-27 confirmed receipt from: secure microsoft com
2003-12-03 Note from Microsoft, Form protection "is not intended as a full-proof protection for tampering or spoofing, this is merely a functionality to prevent accidental changes of a document", request additional time to update Microsoft Knowledge Base article.
Targeting beginning of January 2004 for release of this advisory.
from: "Magnus"
2003-12-08 Microsoft has already released the KB article (or added a warning to an existing article). Read the KB article at http://support.microsoft.com/?id=822924
from: "Magnus"
bad sig...no donut.
Microsoft pointed to this Knowledge Base article. Choice quote: "Not all features that are found on the Security tab are designed to help make your documents and files more secure."
First of all, if you read the article, you will understand that Microsoft has not been advertising these "Word document passwords" as true security mechanisms. Microsoft has been pushing its new DRM Features in Office 2003 as the Microsoft-approved method to secure Office documents.
In fact, I doubt Microsoft really put much effort into making these document-modification passwords all that secure. They have been around for quite some time, and I doubt they have changed much or improved much over the years. I don't know anyone who was relying on these document passwords for their security, and Microsoft did not advertise this as a great feature of Word. In fact, the bug itself is limited in scope to protecting Word FORMS from being modified.
In any case, the new DRM features in Office 2003 are much more sophisticated and will no doubt be much more difficult to crack. THESE are the security features that Microsoft is pushing today, and if you really want to lambast Microsoft Security, then you must point out a way to subvert these newer technologies that Microsoft is actually pushing.
It would be very big news indeed if someone could succeed in copying an Outlook 2003 email marked with a "Do Not Forward" permissions flag. Indeed, if someone could even READ such an email on an unauthorized email client, Microsoft's newest security policies would be questionable. Until then, I'm not convinced this is anything more than FUD trying to convince people that Office is inherently insecure.