By Munir Kotadia, 8 January 2004 08:45
Microsoft has hit back at critics of Word's password protect feature, which the company has admitted is not safe from hackers.
The tool is intended to make collaboration easier, Microsoft said, explaining that users should invest in digital signatures or an Adobe Acrobat-type application if they want security.
A set of relatively simple instructions on how to bypass the security of a password-protected Word document was published on the internet on Friday. Thorsten Delbrouck, chief information officer of German security company Guardeonic Solutions, informed Microsoft about the vulnerability in November 2003. A week later, Microsoft updated its Knowledge Base to warn users that the feature should not be used for security purposes.
David Bennie, Microsoft UK's Office product marketing manager, said that although Word's password protection is useful for collaborating with colleagues, it is not a security feature and should not be relied upon as such.
"If [users] are using it as a security feature then that is not correct," said Bennie. He agreed that if a company wanted to transport documents securely, they should either use digital certificates or an application like Adobe Acrobat that can 'lock down' the document.
"If you are looking for secure encryption you should not be using this feature. We have lots of customers out there using password protection, but the reason they are doing that is to stop general users changing the text or whatever - and it works perfectly well for that," said Bennie.
However, Delbrouck believes Microsoft is attempting to play down the problem because it cannot be fixed. "I doubt there is much they can do about it, because they have to be backwards-compatible with their file format, which keeps changing," he said. "I think the only possible solution for them was to play down the problem."
Munir Kotadia writes for ZDNet UK

Comments
There are 3 comments.
1. Vladimir Katalov
Adobe Acrobat is not much better, actually. The "owner" password (preventing document printing, copying to clipboard, editing etc.) can be removed instantly regardless of the password length and complexity. If a "user" password is set (preventing the file from opening), but 40-bit encryption has been used (as in all PDF 1.3 and most 1.4-1.5 files), the file can still be decrypted in just 4-5 days on a single desktop PC.
2. Alex Steel
This isn't as big an issue as everyone seems to be making it - the hack only works on Word "Forms" that have been "Protected." It doesn't work on general documents that require a password to open (i.e. if you use "Tools" and then "General Options" when you save the Word document, and choose "Password to Open".)
The hack being reported requires you to open the document, then save as HTML, which you can't do (without some other password cracker tool) if you've used "password to open." This bug appears to only affect "Forms" - how many normal users use them anyway?
3. Acrobat User
If you secure a PDF, then the PDF Converter from ScanSoft cannot convert it. It only works on PDF files that have been left unlocked!
Acrobat also uses third-party security certificates from Verisign, Entrust and others... so very secure!