Password protection in Microsoft Word criticized

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1029_3-5136913.html

By Munir Kotadia 
Special to CNET News.com
January 7, 2004

Microsoft Word documents that use the software's built-in password 
protection to avoid unauthorized editing can easily be modified using 
a relatively simple hack that was recently published on a security Web 
site. 

Known as the Password to Modify feature, the password-protection 
mechanism in Microsoft Word can be bypassed, disabled or deleted with 
the help of a simple programming tool called a hex editor. The hack 
does not leave a trace, meaning an unauthorized user could remove the 
password protection from a document, edit it and replace the original 
password. 

Microsoft was informed about the vulnerability in late November by 
Thorsten Delbrouck, chief information officer of Guardeonic Solutions, 
which is a subsidiary of German security specialist Infineon 
Technologies. 

In a Knowledge Base article published in early December, Microsoft 
denied there was a problem because, the company said, the 
password-protection feature is not intended to provide "fool-proof 
protection for tampering or spoofing," but is "merely a functionality 
to prevent accidental changes of a document."

"(When) you use the Password to Modify feature, the feature is 
functioning as intended even when a user with malicious intent 
bypasses the feature," the technical support document explained. "The 
behavior occurs because the feature was never designed to protect your 
document or file from a user with malicious intent." 

The software giant recommends that users who want to secure their 
documents use the Password to Open feature. 

However, Microsoft's assertions were questioned by Delbrouck, who said 
the feature poses serious legal implications for companies. He 
explained that one of his company's hardware suppliers is Dell, which 
e-mails its quotes on a protected Word document. What happens, asked 
Delbrouck, if Dell sends him an offer, he uses the hack to modify the 
offer in his favor, then signs it and faxes it back? 

"We would probably end up in court and an expert would probably look 
at the original document and say, 'this document is protected by a 
password that the customer could not have known. It has not been 
modified because the protection is still active and the document still 
has its original password,'" Delbrouck said. 

Following Delbrouck's revelations, which were posted Friday, Microsoft 
updated its Knowledge Base article to include the following warning: 
"When you are using the 'Password to Modify' feature, a malicious user 
may still be able to gain access to your password." 

Delbrouck said there is no solution to the problem. Instead of using 
the protect feature, he advises companies sending sensitive 
information to use digital signatures or a different document format 
altogether, such as Adobe's PDF, which he has recommended to Dell in 
Germany. 

David Bennie, Microsoft UK's Office product marketing manager, told 
ZDNet UK that although Word's password protection is useful for 
collaborating with colleagues, it is not a security feature and should 
not be relied upon as such. 

"If (users) are using it as a security feature, then that is not 
correct," Bennie said. He agreed that if a company wants to transport 
documents securely, it should either use digital certificates or an 
application such as Adobe Acrobat that can "lock down" the document. 

"If you are looking for secure encryption, you should not be using 
this feature. We have lots of customers out there using password 
protection, but the reason they are doing that is to stop general 
users changing the text or whatever--and it works perfectly well for 
that," Bennie said. 

However, Delbrouck countered that Microsoft is attempting to play down 
the problem because it cannot be fixed. "I doubt there is much they 
can do about it, because they have to be backward-compatible with 
their file format, which keeps changing," he said. "I think the only 
possible solution for them was to play down the problem." 

Munir Kotadia of ZDNet UK reported from London. CNET News.com's Robert 
Lemos reported from San Francisco.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.