[ISN] Password protection in Microsoft Word criticized

From: InfoSec News (isn@private)
Date: Thu Jan 08 2004 - 05:51:49 PST

  • Next message: InfoSec News: "[ISN] re: China grants WLAN technology rights to more companies"

    http://news.com.com/2100-1029_3-5136913.html
    
    By Munir Kotadia 
    Special to CNET News.com
    January 7, 2004
    
    Microsoft Word documents that use the software's built-in password 
    protection to avoid unauthorized editing can easily be modified using 
    a relatively simple hack that was recently published on a security Web 
    site. 
    
    Known as the Password to Modify feature, the password-protection 
    mechanism in Microsoft Word can be bypassed, disabled or deleted with 
    the help of a simple programming tool called a hex editor. The hack 
    does not leave a trace, meaning an unauthorized user could remove the 
    password protection from a document, edit it and replace the original 
    password. 
    
    Microsoft was informed about the vulnerability in late November by 
    Thorsten Delbrouck, chief information officer of Guardeonic Solutions, 
    which is a subsidiary of German security specialist Infineon 
    Technologies. 
    
    In a Knowledge Base article published in early December, Microsoft 
    denied there was a problem because, the company said, the 
    password-protection feature is not intended to provide "fool-proof 
    protection for tampering or spoofing," but is "merely a functionality 
    to prevent accidental changes of a document."
    
    "(When) you use the Password to Modify feature, the feature is 
    functioning as intended even when a user with malicious intent 
    bypasses the feature," the technical support document explained. "The 
    behavior occurs because the feature was never designed to protect your 
    document or file from a user with malicious intent." 
    
    The software giant recommends that users who want to secure their 
    documents use the Password to Open feature. 
    
    However, Microsoft's assertions were questioned by Delbrouck, who said 
    the feature poses serious legal implications for companies. He 
    explained that one of his company's hardware suppliers is Dell, which 
    e-mails its quotes on a protected Word document. What happens, asked 
    Delbrouck, if Dell sends him an offer, he uses the hack to modify the 
    offer in his favor, then signs it and faxes it back? 
    
    "We would probably end up in court and an expert would probably look 
    at the original document and say, 'this document is protected by a 
    password that the customer could not have known. It has not been 
    modified because the protection is still active and the document still 
    has its original password,'" Delbrouck said. 
    
    Following Delbrouck's revelations, which were posted Friday, Microsoft 
    updated its Knowledge Base article to include the following warning: 
    "When you are using the 'Password to Modify' feature, a malicious user 
    may still be able to gain access to your password." 
    
    Delbrouck said there is no solution to the problem. Instead of using 
    the protect feature, he advises companies sending sensitive 
    information to use digital signatures or a different document format 
    altogether, such as Adobe's PDF, which he has recommended to Dell in 
    Germany. 
    
    David Bennie, Microsoft UK's Office product marketing manager, told 
    ZDNet UK that although Word's password protection is useful for 
    collaborating with colleagues, it is not a security feature and should 
    not be relied upon as such. 
    
    "If (users) are using it as a security feature, then that is not 
    correct," Bennie said. He agreed that if a company wants to transport 
    documents securely, it should either use digital certificates or an 
    application such as Adobe Acrobat that can "lock down" the document. 
    
    "If you are looking for secure encryption, you should not be using 
    this feature. We have lots of customers out there using password 
    protection, but the reason they are doing that is to stop general 
    users changing the text or whatever--and it works perfectly well for 
    that," Bennie said. 
    
    However, Delbrouck countered that Microsoft is attempting to play down 
    the problem because it cannot be fixed. "I doubt there is much they 
    can do about it, because they have to be backward-compatible with 
    their file format, which keeps changing," he said. "I think the only 
    possible solution for them was to play down the problem." 
    
    Munir Kotadia of ZDNet UK reported from London. CNET News.com's Robert 
    Lemos reported from San Francisco.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Jan 08 2004 - 08:07:23 PST