Microsoft Word Forms Passwords Hacked 438
An anonymous reader notes: "SecurityFocus has published a hack that can be used to unlock Microsoft Word documents that have been password protected. The 'secure' file can easily be edited and the original password re-inserted, removing any trace of the modification. A ZDNet UK article says Dell uses password protected Word files to send quotes, which could make for a messy legal battle." This feature, known as 'Password to Modify', is not the password protection on the document itself, just the protection that restricts unauthorized editing of the file. This hack allows someone to download such a file, edit it, and restore the password...effectively allowing changes to the file to go potentially unnoticed.
Nothing New (Score:5, Informative)
What's odd: The password returned by my tool of choice is not the same as the one actually stored - but when I enter this new password OR the original password into Word, the document is successfully unprotected. Some sort of odd math that makes more than one password work?
Example - I protected both a Word 2000 and Word 2002 document with the password "test" then ran them through my cracker. The cracker returned the password "QFQDOBCTGLHGEE" virtually instantly for both documents. Oddly enough, this new unusual password successfully unlocked both Word documents using Tools > Unprotect Document. Subsequent testing reveals that the original password will also unprotect the document.
So, if such passwords can easily be bypassed anyway - what does this really change?
I should note that I'm using a Passware product called Office Key.
This crack just takes what has been commercially available for quite some time and moves it into the public arena.
Josh
One Way function (Score:5, Informative)
Take the source string, do a bunch of 'stuff' to it, stuff that isn't easy to undo.
You can throw out some data too.
You end up with a new string, but since you threw out some information, you end up unable to reverse it.
Even if you know the end result, and the formula, you can't guess the password. You'd have to brute force it.
With slow computers, this was a very good obstacle. Now we use fancier algorithms, and it is still okay.
I'm not a math guy, go read crypto books if you want the 'real' explanation
Re:Nothing New (Score:5, Informative)
The passware product merely computes a password that matches the checksum found in the word doc.
Re:Nothing New (Score:3, Interesting)
It is a checksum. But it must not be a very one-way checksum. If they had used a real one-way function, such as MD5, it would not be possible to come up with another value that hashed to the same result. (Well, it might be possible, but who has time to wait longer than the life of the universe.)
Re:Nothing New (Score:5, Informative)
Uh, you're confusing two things.
A one-way function is simply some function which is not one-to-one. For example, consider the length function L which maps words to integers, e.g. L("bob")=3, L("A")=1.
It's not possible, given an integer n, to find the specific word that mapped to n, simply because there isn't an unique one. This is what makes it one-way.
The fact that there are multiple possible passwords for this Word document is proof that it is a one-way function.
What you're talking about is the ease of finding some element of the preimage of a given hash, which is a separate concept. MD5 is good because for some given value, it's really hard to find anything which hashes to that value, not because it's somehow 'more one-way'.
In fact, the most one-way function of all is a constant function, which is obviously totally useless for authentication.
Non-linear, not one-way (Score:3, Informative)
Think this one through. The algorithms used to sign PGP/GPG messages are one way. The reason being is that it's hard to come up with something else that maps to the same value.
Using your length function example, considering the two e-mails from Alice
"I love Bob"
"I hate Bob"
Would both parse to 1 4 3. Which means Eve could flip Alice's fe
And this is a good thing (Score:4, Insightful)
Re:And this is a good thing (Score:4, Interesting)
Re:Nothing New (Score:5, Informative)
Hashes are more secure than storing the password, because they tend to be pretty one way -- it's trivial to get a hash from a password, but much less trivial to get a password from the hash.
However, hashes can collide; the smaller the hash returned, compared to the possible keyspace, the more likely this is. For instance, if I have a hash function that returns a one byte hash that I use to hash my password, then there is a 1/256 chance that _any_ gibberish I send in will return the same hash, and thus match.
Microsoft is probably using a very small hash, and your "tool of choice" probably just brute forces the thing until it finds a match.
If your tool of choice continued through the keyspace, it would inevitably come up with test, too.
Re:Nothing New (Score:2, Informative)
Just a brief nitpick here, but most Linux systems store password hashes in /etc/shadow, with /etc/passwd holding the rest of the info for the user accounts. Everyone can read /etc/passwd (and needs to, to get user names from UIDs), but only root (and stuff like getty that checks passwords, running as root) can read /etc/shadow. You can set it up to use the old-school style and hold hashes in /etc/passwd, but it's generally frowned up
Re:Nothing New (Score:3, Informative)
And right back at you. Have you ever actually looked at the file, or are you just talking out of your arse?
brong@dariat~>ls -la
-rw-r----- 1 root shado
Re:Nothing New (Score:5, Interesting)
Again, this article is NOT about how to remove a password from the document itself. Such docs are truly encrypted. (How well is an exercise left for the reader!
Re:Nothing New (Score:2, Informative)
1. Open a new blank Word document.
2. Insert the protected document into the new document using the Insert command. You will NOT be asked for the password.
3. You now have the protected document, complete with formatting, content, etc., but with no password protection as your new document.
Re:Nothing New (Score:5, Informative)
1. Open a new blank Word document.
2. Insert the protected document into the new document using the Insert command. You will NOT be asked for the password.
3. You now have the protected document, complete with formatting, content, etc., but with no password protection as your new document.
Nope, not since Office 98. Since Office 98, password protected docs are truly encrypted. It does indeed ask you for the password when you insert it.
And I just noticed that, in Office 2003 anyway, you can hit the "Advanced" tab and choose what kind of encryption you want (RSA, etc.), as well as bit length. Pretty cool!
Re:Nothing New (Score:5, Informative)
Weak Encryption (XOR)
Office 97/2000 Compatible
RC4, Microsost Base Cryptographic Provider
RC4, Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
RC4, Microsoft DH SChannel Cryptographic Provider
RC4, Microsoft Enhanced Cryptographic Provider v1.0
RC4, Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
RC4, Microsoft RSA SChannel Cryptographic Provider
RC4, Microsoft Strong Cryptographic Provider
I especially love the XOR encryption! (At least they call it weak...) For the other types, you can spec a bit length between 40 and 128 bits. Now I'm not sure what MS does to "enhance" these encryption types, but there it is, for what it's worth... (I wonder if Whitfield knows his name is contained within MS Word?
some forms of XOR are not weak (Score:3, Informative)
XOR against a passphrase is weak.
XOR against a repeating secure (irreversible) hash of the password is technically weak but in practice very strong unless the message is dozens of times longer than the hash.
XOR against a successive concatination of secure hashes is strong, fast, and simple. There is no reason to believe 3DES is any stronger. Plus, it's the same algorithm for encrypting and decrypting. Pseudocode:
Re:Nothing New (Score:2)
Part of the point of the article is that you can unlock the document, make modifications, and then re-lock it using the original password
If your hack program only returns gobbledy-gook type passwords, how do you go about re-locking the document in such a way that your changes are undetected?
Re:Nothing New (Score:3, Insightful)
um, if your bruted password gens the same hash, why wouldn't the original (and unknown) password unlock it as well?
Re:Nothing New (Score:3, Informative)
Yes. But that is not what the article is about anyway.
Re:Nothing New (Score:4, Informative)
zero'ing those bytes with an hex editor allow you to modify the document password-free. you then replace the original hex in the bytes you modified to "reactivate" the protection.
Re:Nothing New (Score:5, Informative)
Really really simple dumbed down of an explination of what could be happening.
I set the password to "011". Word takes the sum of the digits (0 + 1 + 1 = 2) and stored the result.
When I want to unlock it Word takes the password I enter and sums the digits and sees if they match with the stored result from step 1. So "011" would work and so would "020" and "110".
Of course it would be more complex math. Hope this gives you a bit understanding how it could happen.
Re:Nothing New - I know.... (Score:2)
DRM in Office 2003 is unaffected (Score:5, Insightful)
First of all, if you read the article, you will understand that Microsoft has not been advertising these "Word document passwords" as true security mechanisms. Microsoft has been pushing its new DRM Features [com.com] in Office 2003 as the Microsoft-approved method to secure Office documents.
In fact, I doubt Microsoft really put much effort into making these document-modification passwords all that secure. They have been around for quite some time, and I doubt they have changed much or improved much over the years. I don't know anyone who was relying on these document passwords for their security, and Microsoft did not advertise this as a great feature of Word. In fact, the bug itself is limited in scope to protecting Word FORMS from being modified.
In any case, the new DRM features in Office 2003 are much more sophisticated and will no doubt be much more difficult to crack. THESE are the security features that Microsoft is pushing today, and if you really want to lambast Microsoft Security, then you must point out a way to subvert these newer technologies that Microsoft is actually pushing.
It would be very big news indeed if someone could succeed in copying an Outlook 2003 email marked with a "Do Not Forward" permissions flag. Indeed, if someone could even READ such an email on an unauthorized email client, Microsoft's newest security policies would be questionable. Until then, I'm not convinced this is anything more than FUD trying to convince people that Office is inherently insecure.
Re:Nothing New (Score:2, Insightful)
Re:Nothing New (Score:2)
Re:Nothing New (Score:2)
I think thats 'cause thay use a hashing algorythm to store the password. It's usually not possible to get back the password form a hash, you have to brute-force to find a password that generates the same hash. It's also possible that a
Re:Nothing New (Score:2)
Now, I still maintain that this is nothing new. Using my commercial cracker, I can still change data, re-protect with my same-hash password, and the original person would never know the difference as their password would unprotect just as well.
An insecure Microsoft application?! (Score:3, Funny)
RTFA... It's hilarious (Score:5, Informative)
According to Microsoft, the password protection feature on Word is not intended to be secure, but should be regarded as a means to protect documents against accidental modification. I use Word and don't ever recall being advised of this, but then I suppose the EULA does warn users never to actually rely on the software for anything important.
I never expected the protection in Word to be anything special, but sometimes (as shown here by Dell) it's better to have no security than false security because that way you take greater care.
But for those of you who never RTA, here is what was the highlight for me:
Re:RTFA... It's hilarious (Score:5, Insightful)
Re:RTFA... It's hilarious (Score:3, Interesting)
Computer security costs the same if you use some lame hack like MS is doing, or use real cryptography. The cost is nothing. Cryptography algorithms are freely available, and modern processors can han
MS allows most users to think they are secure. (Score:2)
Re:RTFA... It's hilarious (Score:5, Insightful)
He was pretty old, too, so I guess it worked...
--RJ
Re:RTFA... It's hilarious (Score:2)
Fair comment, but I'm a C++ programmer, written device drivers that sort of thing, so I suppose it does look pretty silly to me but may not to others. What I was getting at really is that it's not clear to most people that it isn't secure. If a big company like Dell makes that mistake then I'm sure others will too.
By the way, I didn't intend my editing to be quite that creative - darn sla
What do you mean, that's too cheap? (Score:5, Funny)
I swear, you guys gave me a quote of $6.35 for a new Latitude.
Other Variants (Score:5, Interesting)
Re:Other Variants (Score:2)
Re:Other Variants (Score:4, Informative)
Not since Office 98...
No messy Dell battle (Score:5, Insightful)
Come to think of it, I can't think of a real position where this could be a problem. What would someone do, host protected
Re:No messy Dell battle (Score:5, Informative)
Come to think of it, I can't think of a real position where this could be a problem. What would someone do, host protected
You've obviously never been in the real world.
To someone like your or I, Word is simply a word processing program. But, to office workers across the country....
Here's a list of things I've seen people use MS Word for:
Spreadsheet. Hit tab, enter a value, add them up by hand. Excel is 'too confusing'
Creating GIANT tables and using them for inventory, rather than an Access database
Creating a 3,000 page document and keeping time/attendance records for ~ 250 employees. And wonder why it takes 10 minutes to load, and 10 minutes to save, doesn't scroll right....
Re:No messy Dell battle (Score:2, Funny)
Right...?
Re:No messy Dell battle (Score:2)
Argh.
DMCA anyone (Score:4, Interesting)
In that case, what are the chances of them getting into trouble?
Re:DMCA anyone (Score:4, Interesting)
Ergo, if this password crack is constituted a breach of the DMCA, me taping over my neighbor's wedding and video of his kid's first steps with that weird Swedish adult channel I get on the dish must also be a violation of the DMCA, too. Stupid neighbor.
hehe (Score:3, Insightful)
Anything built by man can be cracked by man.
DRM is useless bloatware.
Reasons for Digital Signatures (Score:3, Insightful)
What it comes down to isn't necessarily a "Microsoft Word" problem - it's an issue with verifying that data has its integrity. Probably doing an MD5/SHA1 hash on all documents and attaching that with the document would be good enough - which means you could just use text files instead.
Now way for such a thing to be secure (Score:5, Interesting)
The sooner business people understand these things, the sooner that we'll all see the benefits of a standardized, omnipresent public key infrastructure. Make sure to educate the nontechnical people in your office so that they demand better security for their data.
Re:Now way for such a thing to be secure (Score:2)
We should hack REALLY secure documents into openoffice...
Re:Now way for such a thing to be secure (Score:3, Insightful)
That's what PDF and MD5 sums are for. If it's a read-only document it shouldn't be in a modifiable format, so why not PDF? I used to be very annoyed with employment agencies which required resumes to be in Word format - one honest person at an agency told me that was so they could modify the things so that they could pad some out and strip others down when they forwarded them on to potential employers. I've seen the modified resume t
How dumb do you have to be? (Score:4, Insightful)
The real solution is a digital signature. Anyone to whom that is not obvious shouldn't be putting security measures in commercial products.
Re:How dumb do you have to be? (Score:5, Funny)
Probably someone who truly believes their software is so ubiquitous that there would be no such thing as "hostile software."
So what? (Score:2, Interesting)
The article is troll-ish (Score:5, Informative)
They have a system that links the quote with your customer ID and gets generated as an HTML file which gets emailed to you. All automagically.
To whom ever that thought they could change a word document quote and expect to get that price, I got some beach front property to sell you in Kansas. Silly fool.
Re:The article is troll-ish (Score:2)
But you've gotta pretty stupid to believe that Dell would honor a quote based purely on a FAX you send them - I'm sure somebody actually compares it to the original quote before it's authorized.
Quotes are offers and subject to negotiation (Score:3, Interesting)
The answer, surprisingly, is that the "hacker" had an excellent chance of winning in court. Quotes are offers and subject to negotiation. The burden is on the offerer to verify that the counteroffer is acceptable - they are always free to reject any cou
Microsoft already knew (Score:3, Informative)
Re:Microsoft already knew (Score:2)
And it was about that time... (Score:5, Funny)
Just how far should they go? (Score:4, Interesting)
And what about the consequences of selling Office (or even emailing a file) around the world with such strong encryption? It wasn't that long ago that the 128-bit encryption version of Internet Explorer couldn't be downloaded by anyone outside the US (even people in countries such as the UK) because that key length was longer than US export laws allowed at that time. So where do you draw the line between too weak (to be of any use to anyone at all) and too strong (to be of use to anyone who needs to deal with anyone based outside the US)?
Re:Just how far should they go? (Score:5, Insightful)
I saw a good point the other day that US export laws on cryptography were fairly stupid when you consider that other countries have the skills/intelligence to develop strong cryptography outside the US in the first place. For example, RSA was originally developed in the UK.
Re:Just how far should they go? (Score:3, Informative)
At GCHQ, where is was kept under lock and key, and no one knew about it until long after Rivest Adleman and Shamir had published their paper.
Jedidiah
Re: Just how far should they go? (Score:5, Insightful)
> OK, I'm not saying that Microsoft's totally without guilt here but just how far do people think they need to go with regards to securing passworded files? 48-bit encryption? 128-bit? 160-bit with triple DES? At what stage does the encryption become overkill?
So long as we ride the Moore Curve, overkill degrades to underkill at a rate of about one bit per 18 months. So if you want your document to be secure in perpetuity, you'd better use a lot of bits.
Re: Just how far should they go? (Score:5, Informative)
Take something like 256 bits, which is quite commonly available, and you'll see that brute forcing it requires you to turn each atom on earth into a computer, and compute with each of the atoms of the earth (2^171 atoms) at 1 THz (2^40) for 1 million years (2^45) in order to brute force *one* key.
Now, if that is too unsecure for you, I recommend you seek professional help. Fast.
Kjella
Come on now... (Score:5, Informative)
Re:Come on now... (Score:2, Informative)
Re:Come on now... (Score:2)
That doesn't, in any way, refute his point. He was saying that you cannot practically secure a document like this. Microsoft wasn't even aiming to do that. It's more like the FBI Warning at the beginning of a movie than a padlock.
Re:Come on now... (Score:4, Insightful)
sir, please read the fine post.
Full Article (Score:2, Informative)
Subject: Microsoft Word Protection Bypass
Date: Jan 2 2004 10:51AM
Author: Thorsten Delbrouck-Konetzko
Hi all,
Microsoft Word provides an option to protect "forms" by password. This is
used to ensure that unauthorized users cannot manipulate the contents of
documents except within specially designed "form" areas. This feature is
also often used to protect documents which do not even have form areas
(quotations/offers etc.).
This form protection can easily be removed without any additional tools
(apart
The shame's in the design not the hack (Score:5, Interesting)
I know MS word includes signatures, why wouldn't a signature be an automatic feature on a locked document???
shame.
Messy (Score:4, Insightful)
I see this being a larger problem in the future, when MS Office DRM is used on most files assuming that these files will follow the orderes encoded into their DRM. Imagine a file that is supposed to self-destruct in 10 months as part of a document retention lifecycle. Two years from now, a tape backup of that file is subpoenad and the DRM is hacked so that the file is openable, leaving said company liable for its contents previously thought destroyed.
I don't mean to rag on Microsoft or its protection schemes, more on those who use these weak means as a method of security in their infrastructure. A good server-based file protection model will always trump a good in-file-based protection model.
Re:Messy (Score:2)
Do you really think that anyone uses the edit-password on a word processor as legal proof that a document has not been tampered with?
Do you really think that MS will use this sort of weak approach to protecting documents (which doesn't actually encrypt the document at all - just tells word not to let the user edit it) when they roll out full DRM?
Dan.
First time I hear about a flaw (Score:2)
Cryptographic signing (Score:4, Interesting)
Its not specific to any specific document format or type and requires no extra features/code on the behalf of every program. Ofcourse "Password-protecting yadda yadda yadda" sure sounds good on a feature list of a word processor, even if completely useless.
Side effects (Score:2)
Hello DMCA (Score:2)
Microsoft's response (Score:5, Funny)
Weren't .ZIP files worse? (Score:2)
Hmm (Score:2)
Surely, that should read "potentially go unnoticed"?
A little salt... (Score:3, Insightful)
My understanding of the hack is this: it is possible to unlock a word document or form (i.e., make read-only parts writeable), modify it, and then re-lock it with the original password, without ever having to know what the original password is.
Which then raises the question: in the hashing algorithm Microsoft is using to scramble the password, why the hell aren't they adding in some cryptographic salt?. If they had made the scrambled password (which is leaked when a locked document is saved as HTML) depend not only on the cleartext password, but also on the read-only parts of the document, then they wouldn't have this problem: a hacked document re-locked with the same scrambled password would have a different salt, and therefore a different cleartext password. D'oh!
NOT a feature, clearly a BUG. (Score:3, Interesting)
The page is titled: "Overview of Office Features That Are Intended to Enable Collaboration and That Are Not Intended to Increase Security", and reeks of hindsight. Microsoft notes that these features were never intended to increase security, but were designed to encourage collaboration.
But on the other hand, they also say:
"Information About Strong Passwords To reduce the chances of someone guessing your password, use only strong passwords.
For a password to be a strong password, it should meet all the following criteria:
* Be at least seven characters long. Longer passwords are more secure.
"...etc.
Why would users be encouraged to use strong passwords, not easily guessed by malicious users etc, when they were just intended to avoid accidental modifications? The document is clearly a lame attempt my M$ to coverup a serious vulnerability by suggesting that the feature was not designed to provide security. However, I bet they would not have hesitated to tout it as a "security feature" in Microsoft Word, had the vulnerability not been found.
Good Work! (Score:3, Funny)
nick
Easy to crack manually (Score:2, Informative)
OpenOffice (Score:3, Insightful)
0% Security and 100% Trouble (Score:2, Insightful)
Implications (Score:2)
This is worse than no protection (Score:2, Redundant)
Much ado about nothing. (Score:2, Insightful)
ZDNet overreats. All Dell has to do is digitally sign the word files with gpg. Better yet, screw Word files and distribute digitally signed PDF quotes.
Word files are meant to be edited. This stupid password security is a bolt on hack to try to make Word files do something they were never intended to be in the first place: secure electronic documents. There are, and have been for
So this is where we publish our hacks? (Score:3, Interesting)
Today I want to show how you may load some xls-file that is password-protected, and how to save xls into another file but without protection.Just replace there file names and password Not sure if it works on the latest version. Office Automation - coming soon to a worm near you.
Signed PDF (Score:5, Insightful)
We decided to send out digitally signed PDFs instead.
Re:Signed PDF (Score:3, Insightful)
Unfortunately that doesn't close the "customer changes it, prints it, signs it, sends it back, and we sign it without noticing" hole.
Can't have it both ways (Score:4, Insightful)
Re:Can't have it both ways (Score:3, Informative)
I can assure you it is possible to have secure encryption, secure digital signatures without DRM.
GPG and PGP are examples of both, without DRM.
Try reading the book Applied Cryptography.
It would be most certianly possible to encrypt a document using a password, using a secure encryption mechanism, such that it cannot be decrypted without the password.
Similarly, it is possible to take a secure (i.e. MD5) hash of a document, and then compare tha
Stinging indictment of Dell. (Score:3, Interesting)
Why anyone would choose to use a Word document for the purpose Dell used it is completely beyond me. Are they so brainwashed over there that there was no exploration of the alternatives? Particularly in view of the fact that the app vendor (M$) specifically does not promote the use of that feature for securitys sake.
Really Dell, STFU, your precious relationship with Microsoft does not preclude using your brains when making software selections for sensitive processes like binding quotes...
On the plus side, I'm sure I've got a Dell quote somewhere in the office... Hmmm, laptop for $15 anyone?
the article was a joke (Score:3, Interesting)
Clearly the article was a joke. The Credits at the end of it give it away: "Magnus from the Microsoft Security Response Center for his fast responses and for showing a decent sense of humour. :-)"
Re:the article was a joke (Score:3, Informative)
Word is insecure crap, anyway (Score:4, Interesting)
- Last document editor's name, initials,
and company
- Computer name last edited on
- Path (incl server
name) of last save (Remember all those hacks that require the
miscreant to know specific file path & names?)
- Previous
editor's names
- Number of revisions and versions
- Template
name and path
- Any hidden text
- Comments
This is why you distill DOC to PDF before passing it around or posting it on the web, so none of the aforementioned information is inadvertently released. Yes, someone can still change it, but that's what digital signatures are for.Side note: PDF Passwords ARE TRIVIAL to break. Don't try to protect your PDFs from printing/copying/etc. with the built-in "security." It takes about 15 seconds with publicly-available software to crack any PDF.
Re:Oh, this bodes well. (Score:5, Informative)
2003-11-27, 10:30 UTC Microsoft notified to: secure microsoft com
2003-11-27 confirmed receipt from: secure microsoft com
2003-12-03 Note from Microsoft, Form protection "is not intended as a full-proof protection for tampering or spoofing, this is merely a functionality to prevent accidental changes of a document", request additional time to update Microsoft Knowledge Base article.
Targetting beginning of January 2004 for release of this advisory.
from: "Magnus"
2003-12-08 Microsoft has already released the KB article (or added a warning to an existing article). Read the KB article at http://support.microsoft.com/?id=822924
from: "Magnus"
MOD PARENT DOWN (Score:2)
Please mod parent down (-1, DMCA Troll) (Score:2)
Re:OMG MICROSFT IS TEH SUCK (Score:4, Funny)
Welcome to