Security Basics mailing list archives
RE: password protection in office XP documents
From: security () rexwire com
Date: Wed, 18 Jun 2003 12:07:59 -0400
No one is claiming that printing is compromising content integrity. People protect content in document to stop it from being alerted other wise why else would they go through the effort of protecting? A protected document should remain protected in its own framework. What I mean by this is that; if Word is used to protect certain parts of a document than it should not be possible to use Word to unprotect that document just by saving in a different format. A PDF is a good example. Once you set security on the PDF document all PDF readers honor that security they don't let you save it as a html. (there are tools to unlock PDF but they are beyond the scope of this conversation) Hope that brings out my original point. -SKP -----Original Message----- From: Brian Eckman [mailto:eckman () umn edu] Sent: Wednesday, June 18, 2003 9:00 AM To: security () rexwire com; leifg () doh state nm us; security-basics () securityfocus com Subject: Re: password protection in office XP documents I did copy the contents of a "protected" file (not the full password protection - the changes protection that Leif discussed) into a new doc and save it before I wrote the message. In fact, I just did it again before I sent this message. Then I modified the new doc and saved it again. Then I saved it over the old file just for fun. Now at first glance, it appears like the original document to everyone else. I can set my own protection password too, so nobody except maybe eventually the original document owner will know the difference. It took seconds to accomplish. This was in Word XP fully patched. How is the data "compromised" by saving it into a different format, and a different file, while the original document that everyone else uses is intact? If I print the document out, use some "white out" and type over it with my typewriter, I could argue that it has been "compromised" too. Should we report to Microsoft that printing files is a security flaw? Brian security () rexwire com wrote:
You cant copy a file that is protected. I do think letting someone save a protected file in another format (Html) is dumb. I don't care if the argument is that the original file is still protected. The goal is to protect the data and the data is compromised once the file is saved in a different format. -SKP -----Original Message----- From: Brian Eckman [mailto:eckman () umn edu] Sent: Tuesday, June 17, 2003 4:17 PM To: Leif Gregory; security-basics () securityfocus com Subject: Re: password protection in office XP documents Leif Gregory wrote:Hello Brian, Tuesday, June 17, 2003, 7:46:42 AM, you wrote: BE> Gosh, if I wanted to bypass those, I'd copy the existing Office BE> file into a new one and make my changes, then save it over the old BE> one. Seems like it would be a quicker "hack", and would be easier BE> for most people than saving it as HTML and editing the source BE> code, then saving it back as an Office file. BE> Now, one could get into file system rights arguments, but if you saveitBE> as HTML, you are creating a new file. Now there will be a .doc and an BE> .html, and if you have rights to turn the .html back into the .doc,thenBE> you can do what I mentioned above as well. BE> I still fail to see any flaw here. What was reported is opening theHTMLBE> file in Office and the protection is gone. The HTML file is a *new*fileBE> that you created; the original Office file still has the protection. But see, it's not a file rights issue. It's an XML document property tag (if that is the right terminology). It's an integral piece of the Word document. Copying it retains the document properties, therefore the protection. Converting it to HTML brings the document properties into plaintext, which you can highlight and delete.(mass snippage) Leif & list, Sorry, I wasn't clear. I wasn't talking about copying the file, I was talking about copying the contents of the file. Using a Word doc as an example, I would take the Word doc, highlight everything, copy and paste it into a new Word doc and save it over the original "protected" document. It would be a heck of a lot faster than the methods that have been described. Brian
-- Brian Eckman Security Analyst OIT Security and Assurance University of Minnesota 612-626-7737 "There are 10 types of people in this world. Those who understand binary and those who don't." --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ----------------------------------------------------------------------------
Current thread:
- password protection in office XP documents security (Jun 13)
- RE: password protection in office XP documents Larry Seltzer (Jun 16)
- Re: password protection in office XP documents Brian Eckman (Jun 16)
- Re: password protection in office XP documents Leif Gregory (Jun 16)
- Re: password protection in office XP documents Brian Eckman (Jun 17)
- Re: password protection in office XP documents Leif Gregory (Jun 17)
- Re: password protection in office XP documents Brian Eckman (Jun 17)
- RE: password protection in office XP documents security (Jun 18)
- Re: password protection in office XP documents Brian Eckman (Jun 18)
- RE: password protection in office XP documents security (Jun 18)
- Re: password protection in office XP documents Leif Gregory (Jun 16)
- <Possible follow-ups>
- Re: password protection in office XP documents John Benstead (Jun 16)
- RE: password protection in office XP documents matt willson (Jun 16)
- RE: password protection in office XP documents news.ajanas (Jun 17)
- Re: password protection in office XP documents Leif Gregory (Jun 17)
- Re: password protection in office XP documents Brian Eckman (Jun 17)
- Re: password protection in office XP documents Leif Gregory (Jun 17)
- RE: password protection in office XP documents Tim Laureska (Jun 17)
- RE: password protection in office XP documents Chad M. (Jun 17)
- RE: password protection in office XP documents matt willson (Jun 16)