Re: password protection in office XP documents

[Brian Eckman <eckman () umn edu>]

I did copy the contents of a "protected" file (not the full password 
protection - the changes protection that Leif discussed) into a new doc 
and save it before I wrote the message. In fact, I just did it again 
before I sent this message. Then I modified the new doc and saved it 
again. Then I saved it over the old file just for fun.

Now at first glance, it appears like the original document to everyone 
else. I can set my own protection password too, so nobody except maybe 
eventually the original document owner will know the difference. It took 
seconds to accomplish. This was in Word XP fully patched.

How is the data "compromised" by saving it into a different format, and 
a different file, while the original document that everyone else uses is 
intact? If I print the document out, use some "white out" and type over 
it with my typewriter, I could argue that it has been "compromised" too. 
Should we report to Microsoft that printing files is a security flaw?

Brian


security () rexwire com wrote:
> You cant copy a file that is protected. I do think letting someone save a
> protected file in another format (Html) is dumb. I don't care if the
> argument is that the original file is still protected. The goal is to
> protect the data and the data is compromised once the file is saved in a
> different format.
>
>
> -SKP
>
> -----Original Message-----
> From: Brian Eckman [mailto:eckman () umn edu] 
> Sent: Tuesday, June 17, 2003 4:17 PM
> To: Leif Gregory; security-basics () securityfocus com
> Subject: Re: password protection in office XP documents
>
>
>
>
> Leif Gregory wrote:
>
> > Hello Brian,
> >
> > Tuesday, June 17, 2003, 7:46:42 AM, you wrote:
> > BE> Gosh, if I wanted to bypass those, I'd copy the existing Office
> > BE> file into a new one and make my changes, then save it over the old
> > BE> one. Seems like it would be a quicker "hack", and would be easier
> > BE> for most people than saving it as HTML and editing the source
> > BE> code, then saving it back as an Office file.
> >
> > BE> Now, one could get into file system rights arguments, but if you save
>
> it
>
> > BE> as HTML, you are creating a new file. Now there will be a .doc and an
> > BE> .html, and if you have rights to turn the .html back into the .doc,
>
> then
>
> > BE> you can do what I mentioned above as well.
> >
> > BE> I still fail to see any flaw here. What was reported is opening the
>
> HTML
>
> > BE> file in Office and the protection is gone. The HTML file is a *new*
>
> file
>
> > BE> that you created; the original Office file still has the protection.
> >
> > But see, it's not a file rights issue. It's an XML document property
> > tag (if that is the right terminology). It's an integral piece of the
> > Word document. Copying it retains the document properties, therefore
> > the protection. Converting it to HTML brings the document properties
> > into plaintext, which you can highlight and delete.
>
>
> (mass snippage)
>
> Leif & list,
>
> Sorry, I wasn't clear. I wasn't talking about copying the file, I was 
> talking about copying the contents of the file. Using a Word doc as an 
> example, I would take the Word doc, highlight everything, copy and paste 
> it into a new Word doc and save it over the original "protected" 
> document. It would be a heck of a lot faster than the methods that have 
> been described.
>
> Brian


--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
    
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
         
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------