By Munir Kotadia, 7 January 2004 17:25
NEWS Microsoft Word documents that use the software's built-in password protection to avoid unauthorised editing can easily be modified using a relatively simple hack that was published on a security website last Friday.
The password-protection feature in Microsoft Word - activated by clicking on Tools/Protect Document - can be bypassed, disabled or deleted at will, with the help of a simple programming tool called a hex editor. The hack does not leave a trace, meaning an unauthorised user could remove the password protection from a document, edit it and then replace the original password.
Microsoft was informed about the vulnerability in late November by Thorsten Delbrouck, chief information officer of Guardeonic Solutions, which is a subsidiary of German security specialist Infineon Technologies. In early December, Microsoft denied there was a problem because, the company said, the password-protection feature is not intended to provide "fool-proof protection for tampering or spoofing" but is "merely a functionality to prevent accidental changes of a document".
This view is questioned by Delbrouck, who said that the 'feature' poses serious legal implications for companies. He explained that one of his company's hardware suppliers is Dell, which emails its quotes on a form protected-Word document. What happens, asked Delbrouck, if Dell sends him an offer, he uses the hack to modify the offer in his favour, then signs it and faxes it back? "We would probably end up in court and an expert would probably look at the original document and say, 'this document is protected by a password that the customer could not have known. It has not been modified because the protection is still active and the document still has its original password,'" Delbrouck said.
Following Delbrouck's revelations, Microsoft updated its Knowledge Base article 822924, titled 'Overview of Office features that are intended to enable collaboration and that are not intended to increase security' to include the following warning to users: "When you are using the 'Password to Modify' feature, a malicious user may still be able to gain access to your password."
Delbrouck said there is no solution to the problem. Instead of using the protect feature, he advises companies sending sensitive information to use digital signatures or a different document format altogether, such as Adobe's PDF, which he has recommended to Dell in Germany.
Microsoft was not available for comment.
Munir Kotadia writes for ZDNet UK
Comments
There are 5 comments. Join the discussion
1. John Matlock
Cool thats , great news, I was woundering how to access all the old word documents i locked up, I always new it was basic security on a word document so forgetting the password wasn't a problem. proud to be 100% Microsoft
2. anonymous
Is this really news? Sorry if I have missed something but haven't 3rd party Word password sniffers been available for years?
3. Vladimir Katalov
Actually, we have reported about this problem almost three years ago at "Black Hat Windows Security 2001" conference (Las Vegas, Feb'2001), see:
http://www.blackhat.com/html/bh-multi-media-archives.html#Windows%20Security%202001
Here is the presentation ("Analysis of Microsoft Office Password Protection System, and Survey of Encryption Holes In Other MS Windows Applications") in PowerPoint format:
http://www.blackhat.com/presentations/win-usa-01/Malyshev/bh-win-01-malyshev.ppt
And streaming video:
rtsp://media-1.datamerica.com/blackhat/bh-usa-win-01/video/bh-usa-win-01-andrey-malyshev-video.rm
Microsoft, of course, was aware. There is an article published in Microsoft TechNet:
Ask Us About... Security, March 2001
http://www.microsoft.com/technet/columns/security/askus/auas0301.asp
Quote from there:
"Recovering Office passwords
Q: I'm creating a document using Microsoft Word that may potentially contain sensitive information. I note that Word has a password protection feature (under Tools/Protect Document). How strong is the security surrounding this feature?
A: I get a lot of mail asking about the strength of passwords for Office documents. As was demonstrated in an analysis of the Microsoft Office password protection system presented by ElcomSoft at Black Hat (see above), the password-protection features of these programs were not designed to be invincible. [...]"
You may also want to have a look at our software that can recover or remove this password, among many other ones:
Advanced Office XP Password Recovery
http://www.elcomsoft.com/aoxppr.html
--
Sincerely yours,
Vladimir
Vladimir Katalov
Managing Director
ElcomSoft Co.Ltd.
Member of Association of Shareware Professionals (ASP)
Member of Russian Cryptology Association
http://www.elcomsoft.com
4. anonymous
Password crackers for the entire office suite have been out for years. If people are naive enough to trust this simple password protection then I cant see how its microsofts fault. As far as bugs goes this is a very very small one compared to the rest of the holes in MS OS's that we have to deal with on a daily basis
5. anonymous
Adobe PDF is not a reliable solution either considering that I recently received a CD in the mail by ScanSoft which is called "Convert PDF into Microsoft Word Documents"!