Microsoft Word Forms Passwords Hacked
An anonymous reader notes: "SecurityFocus has published a hack that can be used to unlock Microsoft Word documents that have been password protected. The 'secure' file can easily be edited and the original password re-inserted, removing any trace of the modification. A ZDNet UK article says Dell uses password protected Word files to send quotes, which could make for a messy legal battle." This feature, known as 'Password to Modify', is not the password protection on the document itself, just the protection that restricts unauthorized editing of the file. This hack allows someone to download such a file, edit it, and restore the password, effectively allowing changes to the file to go potentially unnoticed.
Nothing New (Score:5, Informative)
What's odd: The password returned by my tool of choice is not the same as the one actually stored - but when I enter this new password OR the original password into Word, the document is successfully unprotected. Some sort of odd math that makes more than one password work?
Example - I protected both a Word 2000 and Word 2002 document with the password "test" then ran them through my cracker. The cracker returned the password "QFQDOBCTGLHGEE" virtually instantly for both documents. Oddly enough, this new unusual password successfully unlocked both Word documents using Tools > Unprotect Document. Subsequent testing reveals that the original password will also unprotect the document.
So, if such passwords can easily be bypassed anyway - what does this really change?
I should note that I'm using a Passware product called Office Key.
This crack just takes what has been commercially available for quite some time and moves it into the public arena.
Josh
One Way function (Score:5, Informative)
Take the source string, do a bunch of 'stuff' to it, stuff that isn't easy to undo.
You can throw out some data too.
You end up with a new string, but since you threw out some information, you end up unable to reverse it.
Even if you know the end result, and the formula, you can't guess the password. You'd have to brute force it.
With slow computers, this was a very good obstacle. Now we use fancier algorithms, and it is still okay.
I'm not a math guy; go read crypto books if you want the 'real' explanation.
Re:Nothing New (Score:5, Informative)
The Passware product merely computes a password that matches the checksum found in the Word doc.
Re:Nothing New (Score:3, Interesting)
It is a checksum. But it must not be a very one-way checksum. If they had used a real one-way function, such as MD5, it would not be possible to come up with another value that hashed to the same result. (Well, it might be possible, but who has time to wait longer than the life of the universe.)
Re:Nothing New (Score:5, Informative)
Uh, you're confusing two things.
A one-way function is simply some function which is not one-to-one. For example, consider the length function L which maps words to integers, e.g. L("bob")=3, L("A")=1.
It's not possible, given an integer n, to find the specific word that mapped to n, simply because there isn't a unique one. This is what makes it one-way.
The fact that there are multiple possible passwords for this Word document is proof that it is a one-way function.
What you're talking about is the ease of finding some element of the preimage of a given hash, which is a separate concept. MD5 is good because for some given value, it's really hard to find anything which hashes to that value, not because it's somehow 'more one-way'.
In fact, the most one-way function of all is a constant function, which is obviously totally useless for authentication.
Non-linear, not one-way (Score:3, Informative)
Think this one through. The algorithms used to sign PGP/GPG messages are one way. The reason is that it's hard to come up with something else that maps to the same value.
Using your length function example, consider the two e-mails from Alice:
"I love Bob"
"I hate Bob"
Both would parse to 1 4 3, which means Eve could flip Alice's fe
And this is a good thing (Score:4, Insightful)
Re:And this is a good thing (Score:4, Interesting)
Re:Nothing New (Score:5, Informative)
Hashes are more secure than storing the password, because they tend to be pretty one way -- it's trivial to get a hash from a password, but much less trivial to get a password from the hash.
However, hashes can collide; the smaller the hash returned, compared to the possible keyspace, the more likely this is. For instance, if I have a hash function that returns a one byte hash that I use to hash my password, then there is a 1/256 chance that _any_ gibberish I send in will return the same hash, and thus match.
Microsoft is probably using a very small hash, and your "tool of choice" probably just brute forces the thing until it finds a match.
If your tool of choice continued through the keyspace, it would inevitably come up with test, too.
Re:Nothing New (Score:2, Informative)
Just a brief nitpick here, but most Linux systems store password hashes in /etc/shadow, with /etc/passwd holding the rest of the info for the user accounts. Everyone can read /etc/passwd (and needs to, to get user names from UIDs), but only root (and stuff like getty that checks passwords, running as root) can read /etc/shadow. You can set it up to use the old-school style and hold hashes in /etc/passwd, but it's generally frowned up
Re:Nothing New (Score:3, Informative)
And right back at you. Have you ever actually looked at the file, or are you just talking out of your arse?
brong@dariat~>ls -la
-rw-r----- 1 root shado
Re:Nothing New (Score:5, Interesting)
Again, this article is NOT about how to remove a password from the document itself. Such docs are truly encrypted. (How well is an exercise left for the reader!)
Re:Nothing New (Score:2, Informative)
1. Open a new blank Word document.
2. Insert the protected document into the new document using the Insert command. You will NOT be asked for the password.
3. You now have the protected document, complete with formatting, content, etc., but with no password protection as your new document.
Re:Nothing New (Score:5, Informative)
1. Open a new blank Word document.
2. Insert the protected document into the new document using the Insert command. You will NOT be asked for the password.
3. You now have the protected document, complete with formatting, content, etc., but with no password protection as your new document.
Nope, not since Office 98. Since Office 98, password protected docs are truly encrypted. It does indeed ask you for the password when you insert it.
And I just noticed that, in Office 2003 anyway, you can hit the "Advanced" tab and choose what kind of encryption you want (RSA, etc.), as well as bit length. Pretty cool!
Re:Nothing New (Score:5, Informative)
Weak Encryption (XOR)
Office 97/2000 Compatible
RC4, Microsoft Base Cryptographic Provider
RC4, Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
RC4, Microsoft DH SChannel Cryptographic Provider
RC4, Microsoft Enhanced Cryptographic Provider v1.0
RC4, Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
RC4, Microsoft RSA SChannel Cryptographic Provider
RC4, Microsoft Strong Cryptographic Provider
I especially love the XOR encryption! (At least they call it weak...) For the other types, you can spec a bit length between 40 and 128 bits. Now I'm not sure what MS does to "enhance" these encryption types, but there it is, for what it's worth... (I wonder if Whitfield knows his name is contained within MS Word?)
some forms of XOR are not weak (Score:3, Informative)
XOR against a passphrase is weak.
XOR against a repeating secure (irreversible) hash of the password is technically weak but in practice very strong unless the message is dozens of times longer than the hash.
XOR against a successive concatenation of secure hashes is strong, fast, and simple. There is no reason to believe 3DES is any stronger. Plus, it's the same algorithm for encrypting and decrypting. Pseudocode:
Re:Nothing New (Score:2)
Part of the point of the article is that you can unlock the document, make modifications, and then re-lock it using the original password
If your hack program only returns gobbledy-gook type passwords, how do you go about re-locking the document in such a way that your changes are undetected?
Re:Nothing New (Score:3, Insightful)
um, if your bruted password gens the same hash, why wouldn't the original (and unknown) password unlock it as well?
Re:Nothing New (Score:3, Informative)
Yes. But that is not what the article is about anyway.
Re:Nothing New (Score:4, Informative)
Zeroing those bytes with a hex editor allows you to modify the document password-free. You then replace the original hex in the bytes you modified to "reactivate" the protection.
Re:Nothing New (Score:5, Informative)
A really, really simple, dumbed-down explanation of what could be happening.
I set the password to "011". Word takes the sum of the digits (0 + 1 + 1 = 2) and stores the result.
When I want to unlock it, Word takes the password I enter, sums the digits and sees if they match the stored result from step 1. So "011" would work, and so would "020" and "110".
Of course it would be more complex math. Hope this gives you a bit of understanding of how it could happen.
Re:Nothing New - I know.... (Score:2)
DRM in Office 2003 is unaffected (Score:5, Insightful)
First of all, if you read the article, you will understand that Microsoft has not been advertising these "Word document passwords" as true security mechanisms. Microsoft has been pushing its new DRM Features in Office 2003 as the Microsoft-approved method to secure Office documents.
In fact, I doubt Microsoft really put much effort into making these document-modification passwords all that secure. They have been around for quite some time, and I doubt they have changed much or improved much over the years. I don't know anyone who was relying on these document passwords for their security, and Microsoft did not advertise this as a great feature of Word. In fact, the bug itself is limited in scope to protecting Word FORMS from being modified.
In any case, the new DRM features in Office 2003 are much more sophisticated and will no doubt be much more difficult to crack. THESE are the security features that Microsoft is pushing today, and if you really want to lambast Microsoft Security, then you must point out a way to subvert these newer technologies that Microsoft is actually pushing.
It would be very big news indeed if someone could succeed in copying an Outlook 2003 email marked with a "Do Not Forward" permissions flag. Indeed, if someone could even READ such an email on an unauthorized email client, Microsoft's newest security policies would be questionable. Until then, I'm not convinced this is anything more than FUD trying to convince people that Office is inherently insecure.
Re:Nothing New (Score:2, Insightful)
Re:Nothing New (Score:2)
Re:Nothing New (Score:2)
I think that's 'cause they use a hashing algorithm to store the password. It's usually not possible to get back the password from a hash; you have to brute-force to find a password that generates the same hash. It's also possible that a
Re:Nothing New (Score:2)
Now, I still maintain that this is nothing new. Using my commercial cracker, I can still change data, re-protect with my same-hash password, and the original person would never know the difference as their password would unprotect just as well.
An insecure Microsoft application?! (Score:3, Funny)
RTFA... It's hilarious (Score:5, Informative)
According to Microsoft, the password protection feature on Word is not intended to be secure, but should be regarded as a means to protect documents against accidental modification. I use Word and don't ever recall being advised of this, but then I suppose the EULA does warn users never to actually rely on the software for anything important.
I never expected the protection in Word to be anything special, but sometimes (as shown here by Dell) it's better to have no security than false security because that way you take greater care.
But for those of you who never RTA, here is what was the highlight for me:
Re:RTFA... It's hilarious (Score:5, Insightful)
Re:RTFA... It's hilarious (Score:3, Interesting)
Computer security costs the same if you use some lame hack like MS is doing, or use real cryptography. The cost is nothing. Cryptography algorithms are freely available, and modern processors can han
MS allows most users to think they are secure. (Score:2)
Re:RTFA... It's hilarious (Score:5, Insightful)
He was pretty old, too, so I guess it worked...
--RJ
Re:RTFA... It's hilarious (Score:2)
Fair comment, but I'm a C++ programmer, written device drivers that sort of thing, so I suppose it does look pretty silly to me but may not to others. What I was getting at really is that it's not clear to most people that it isn't secure. If a big company like Dell makes that mistake then I'm sure others will too.
By the way, I didn't intend my editing to be quite that creative - darn sla
What do you mean, that's too cheap? (Score:5, Funny)
I swear, you guys gave me a quote of $6.35 for a new Latitude.
Other Variants (Score:5, Interesting)
Re:Other Variants (Score:2)
Re:Other Variants (Score:4, Informative)
Not since Office 98...
No messy Dell battle (Score:5, Insightful)
Come to think of it, I can't think of a real position where this could be a problem. What would someone do, host protected
Re:No messy Dell battle (Score:5, Informative)
Come to think of it, I can't think of a real position where this could be a problem. What would someone do, host protected
You've obviously never been in the real world.
To someone like you or me, Word is simply a word processing program. But, to office workers across the country....
Here's a list of things I've seen people use MS Word for:
Spreadsheet. Hit tab, enter a value, add them up by hand. Excel is 'too confusing'
Creating GIANT tables and using them for inventory, rather than an Access database
Creating a 3,000 page document and keeping time/attendance records for ~ 250 employees. And wonder why it takes 10 minutes to load, and 10 minutes to save, doesn't scroll right....
Re:No messy Dell battle (Score:2, Funny)
Right...?
Re:No messy Dell battle (Score:2)
Argh.
DMCA anyone (Score:4, Interesting)
In that case, what are the chances of them getting into trouble?
Re:DMCA anyone (Score:4, Interesting)
Ergo, if this password crack constitutes a breach of the DMCA, me taping over my neighbor's wedding and video of his kid's first steps with that weird Swedish adult channel I get on the dish must also be a violation of the DMCA, too. Stupid neighbor.
hehe (Score:3, Insightful)
Anything built by man can be cracked by man.
DRM is useless bloatware.
Reasons for Digital Signatures (Score:3, Insightful)
What it comes down to isn't necessarily a "Microsoft Word" problem - it's an issue with verifying that data has its integrity. Probably doing an MD5/SHA1 hash on all documents and attaching that with the document would be good enough - which means you could just use text files instead.
No way for such a thing to be secure (Score:5, Interesting)
The sooner business people understand these things, the sooner that we'll all see the benefits of a standardized, omnipresent public key infrastructure. Make sure to educate the nontechnical people in your office so that they demand better security for their data.
Re:No way for such a thing to be secure (Score:2)
We should hack REALLY secure documents into openoffice...
Re:No way for such a thing to be secure (Score:3, Insightful)
That's what PDF and MD5 sums are for. If it's a read-only document it shouldn't be in a modifiable format, so why not PDF? I used to be very annoyed with employment agencies which required resumes to be in Word format - one honest person at an agency told me that was so they could modify the things so that they could pad some out and strip others down when they forwarded them on to potential employers. I've seen the modified resume t
How dumb do you have to be? (Score:4, Insightful)
The real solution is a digital signature. Anyone to whom that is not obvious shouldn't be putting security measures in commercial products.
Re:How dumb do you have to be? (Score:5, Funny)
Probably someone who truly believes their software is so ubiquitous that there would be no such thing as "hostile software."
So what? (Score:2, Interesting)
The article is troll-ish (Score:5, Informative)
They have a system that links the quote with your customer ID and gets generated as an HTML file which gets emailed to you. All automagically.
To whoever thought they could change a Word document quote and expect to get that price, I got some beach front property to sell you in Kansas. Silly fool.
Re:The article is troll-ish (Score:2)
But you've gotta be pretty stupid to believe that Dell would honor a quote based purely on a FAX you send them - I'm sure somebody actually compares it to the original quote before it's authorized.
Quotes are offers and subject to negotiation (Score:3, Interesting)
The answer, surprisingly, is that the "hacker" had an excellent chance of winning in court. Quotes are offers and subject to negotiation. The burden is on the offerer to verify that the counteroffer is acceptable - they are always free to reject any cou
Microsoft already knew (Score:3, Informative)
Re:Microsoft already knew (Score:2)
And it was about that time... (Score:5, Funny)
Just how far should they go? (Score:4, Interesting)
And what about the consequences of selling Office (or even emailing a file) around the world with such strong encryption? It wasn't that long ago that the 128-bit encryption version of Internet Explorer couldn't be downloaded by anyone outside the US (even people in countries such as the UK) because that key length was longer than US export laws allowed at that time. So where do you draw the line between too weak (to be of any use to anyone at all) and too strong (to be of use to anyone who needs to deal with anyone based outside the US)?
Re:Just how far should they go? (Score:5, Insightful)
I saw a good point the other day that US export laws on cryptography were fairly stupid when you consider that other countries have the skills/intelligence to develop strong cryptography outside the US in the first place. For example, RSA was originally developed in the UK.
Re:Just how far should they go? (Score:3, Informative)
At GCHQ, where it was kept under lock and key, and no one knew about it until long after Rivest, Adleman and Shamir had published their paper.
Jedidiah
Re: Just how far should they go? (Score:5, Insightful)
> OK, I'm not saying that Microsoft's totally without guilt here but just how far do people think they need to go with regards to securing passworded files? 48-bit encryption? 128-bit? 160-bit with triple DES? At what stage does the encryption become overkill?
So long as we ride the Moore Curve, overkill degrades to underkill at a rate of about one bit per 18 months. So if you want your document to be secure in perpetuity, you'd better use a lot of bits.
Re: Just how far should they go? (Score:5, Informative)
Take something like 256 bits, which is quite commonly available, and you'll see that brute forcing it requires you to turn each atom on earth into a computer, and compute with each of the atoms of the earth (2^171 atoms) at 1 THz (2^40) for 1 million years (2^45) in order to brute force *one* key.
Now, if that is too insecure for you, I recommend you seek professional help. Fast.
Kjella
Come on now... (Score:5, Informative)
Re:Come on now... (Score:2, Informative)
Re:Come on now... (Score:2)
That doesn't, in any way, refute his point. He was saying that you cannot practically secure a document like this. Microsoft wasn't even aiming to do that. It's more like the FBI Warning at the beginning of a movie than a padlock.
Re:Come on now... (Score:4, Insightful)
sir, please read the fine post.
Full Article (Score:2, Informative)
Subject: Microsoft Word Protection Bypass
Date: Jan 2 2004 10:51AM
Author: Thorsten Delbrouck-Konetzko
Hi all,
Microsoft Word provides an option to protect "forms" by password. This is used to ensure that unauthorized users cannot manipulate the contents of documents except within specially designed "form" areas. This feature is also often used to protect documents which do not even have form areas (quotations/offers etc.).
This form protection can easily be removed without any additional tools (apart
The shame's in the design not the hack (Score:5, Interesting)
I know MS word includes signatures, why wouldn't a signature be an automatic feature on a locked document???
shame.
Messy (Score:4, Insightful)
I see this being a larger problem in the future, when MS Office DRM is used on most files assuming that these files will follow the orders encoded into their DRM. Imagine a file that is supposed to self-destruct in 10 months as part of a document retention lifecycle. Two years from now, a tape backup of that file is subpoenaed and the DRM is hacked so that the file is openable, leaving said company liable for its contents previously thought destroyed.
I don't mean to rag on Microsoft or its protection schemes, more on those who use these weak means as a method of security in their infrastructure. A good server-based file protection model will always trump a good in-file-based protection model.
Re:Messy (Score:2)
Do you really think that anyone uses the edit-password on a word processor as legal proof that a document has not been tampered with?
Do you really think that MS will use this sort of weak approach to protecting documents (which doesn't actually encrypt the document at all - just tells word not to let the user edit it) when they roll out full DRM?
Dan.
First time I hear about a flaw (Score:2)
Cryptographic signing (Score:4, Interesting)
It's not specific to any specific document format or type and requires no extra features/code on the behalf of every program. Of course "Password-protecting yadda yadda yadda" sure sounds good on a feature list of a word processor, even if completely useless.
Side effects (Score:2)
Hello DMCA (Score:2)
Microsoft's response (Score:5, Funny)
Weren't .ZIP files worse? (Score:2)
Hmm (Score:2)
Surely, that should read "potentially go unnoticed"?
A little salt... (Score:3, Insightful)
My understanding of the hack is this: it is possible to unlock a word document or form (i.e., make read-only parts writeable), modify it, and then re-lock it with the original password, without ever having to know what the original password is.
Which then raises the question: in the hashing algorithm Microsoft is using to scramble the password, why the hell aren't they adding in some cryptographic salt? If they had made the scrambled password (which is leaked when a locked document is saved as HTML) depend not only on the cleartext password, but also on the read-only parts of the document, then they wouldn't have this problem: a hacked document re-locked with the same scrambled password would have a different salt, and therefore a different cleartext password. D'oh!
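Added example (not from the thread, and not Word's real algorithm): the digit-sum checksum from the "dumbed-down explanation" post earlier in the thread, next to the content-bound verifier this post proposes, both run through the edit-and-re-lock scenario. The HMAC-SHA-256 construction, the sample quote text and the password are assumptions of this example.

```python
"""Toy model of why a stored form-protection value can be copied back
unchanged after an edit, and how binding it to the protected content
closes that gap.  Constructed for this example; neither scheme is Word's.
"""
import hashlib
import hmac

# Constructed sample: the read-only part of a quote, before and after an edit.
ORIGINAL_QUOTE = "Latitude notebook, unit price USD 1635.00, quote valid 30 days"
TAMPERED_QUOTE = "Latitude notebook, unit price USD 6.35, quote valid 30 days"
OWNER_PASSWORD = "011"


# --- Scheme 1: small checksum of the password alone (the digit-sum analogy) ---

def weak_verifier(password: str, content: str = "") -> int:
    """Sum of the password's digits, exactly as in the analogy above.
    The read-only content is ignored, so the stored value says nothing about
    the document it sits in, and many passwords share each value."""
    return sum(int(ch) for ch in password if ch.isdigit())


def weak_unlock(stored: int, candidate: str, content: str = "") -> bool:
    """Any candidate with the same digit sum unlocks: "011", "020", "110"..."""
    return weak_verifier(candidate) == stored


# --- Scheme 2: verifier bound to the read-only content (the "salt" proposal) ---

def bound_verifier(password: str, content: str) -> str:
    """HMAC-SHA-256 keyed with the password over the protected content.
    Assumed construction for this example: a production design would first
    stretch the password with a slow KDF (e.g. PBKDF2) and a per-document
    salt, but the property shown here, dependence on the content, is the same."""
    key = password.encode("utf-8")
    return hmac.new(key, content.encode("utf-8"), hashlib.sha256).hexdigest()


def bound_unlock(stored: str, candidate: str, content: str) -> bool:
    """compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(bound_verifier(candidate, content), stored)


# --- The scenario from the thread, run against both schemes ---

def relock_goes_unnoticed(lock, unlock, password, original, tampered) -> bool:
    """Owner protects `original`; someone replaces the text with `tampered`
    and writes the original stored verifier back unchanged.  Returns True when
    the owner's own password still unlocks the edited document, i.e. when the
    edit leaves no trace that the owner's check can see."""
    stored = lock(password, original)      # what the owner's copy wrote out
    relocked_doc = (tampered, stored)      # edited text, same verifier bytes
    return unlock(relocked_doc[1], password, relocked_doc[0])


def weak_scheme_fooled() -> bool:
    return relock_goes_unnoticed(weak_verifier, weak_unlock,
                                 OWNER_PASSWORD, ORIGINAL_QUOTE, TAMPERED_QUOTE)


def bound_scheme_fooled() -> bool:
    return relock_goes_unnoticed(bound_verifier, bound_unlock,
                                 OWNER_PASSWORD, ORIGINAL_QUOTE, TAMPERED_QUOTE)


if __name__ == "__main__":
    print("digit sums:", [weak_verifier(p) for p in ("011", "020", "110")])
    print("weak scheme: tampering unnoticed?", weak_scheme_fooled())
    print("bound scheme: tampering unnoticed?", bound_scheme_fooled())
```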
NOT a feature, clearly a BUG. (Score:3, Interesting)
The page is titled: "Overview of Office Features That Are Intended to Enable Collaboration and That Are Not Intended to Increase Security", and reeks of hindsight. Microsoft notes that these features were never intended to increase security, but were designed to encourage collaboration.
But on the other hand, they also say:
"Information About Strong Passwords
To reduce the chances of someone guessing your password, use only strong passwords.
For a password to be a strong password, it should meet all the following criteria:
* Be at least seven characters long. Longer passwords are more secure."
...etc.
Why would users be encouraged to use strong passwords, not easily guessed by malicious users etc., when they were just intended to avoid accidental modifications? The document is clearly a lame attempt by M$ to cover up a serious vulnerability by suggesting that the feature was not designed to provide security. However, I bet they would not have hesitated to tout it as a "security feature" in Microsoft Word, had the vulnerability not been found.
Good Work! (Score:3, Funny)
nick
Easy to crack manually (Score:2, Informative)
OpenOffice (Score:3, Insightful)
0% Security and 100% Trouble (Score:2, Insightful)
Implications (Score:2)
This is worse than no protection (Score:2, Redundant)
Much ado about nothing. (Score:2, Insightful)
ZDNet overreacts. All Dell has to do is digitally sign the Word files with gpg. Better yet, screw Word files and distribute digitally signed PDF quotes.
Word files are meant to be edited. This stupid password security is a bolt on hack to try to make Word files do something they were never intended to be in the first place: secure electronic documents. There are, and have been for
So this is where we publish our hacks? (Score:3, Interesting)
Today I want to show how you may load some xls-file that is password-protected, and how to save xls into another file but without protection. Just replace there file names and password Not sure if it works on the latest version. Office Automation - coming soon to a worm near you.
Signed PDF (Score:5, Insightful)
We decided to send out digitally signed PDFs instead.
Re:Signed PDF (Score:3, Insightful)
Unfortunately that doesn't close the "customer changes it, prints it, signs it, sends it back, and we sign it without noticing" hole.
Can't have it both ways (Score:4, Insightful)
Re:Can't have it both ways (Score:3, Informative)
I can assure you it is possible to have secure encryption, secure digital signatures without DRM.
GPG and PGP are examples of both, without DRM.
Try reading the book Applied Cryptography.
It would be most certainly possible to encrypt a document using a password, using a secure encryption mechanism, such that it cannot be decrypted without the password.
Similarly, it is possible to take a secure (i.e. MD5) hash of a document, and then compare tha
Stinging indictment of Dell. (Score:3, Interesting)
Why anyone would choose to use a Word document for the purpose Dell used it is completely beyond me. Are they so brainwashed over there that there was no exploration of the alternatives? Particularly in view of the fact that the app vendor (M$) specifically does not promote the use of that feature for security's sake.
Really Dell, STFU, your precious relationship with Microsoft does not preclude using your brains when making software selections for sensitive processes like binding quotes...
On the plus side, I'm sure I've got a Dell quote somewhere in the office... Hmmm, laptop for $15 anyone?
the article was a joke (Score:3, Interesting)
Clearly the article was a joke. The Credits at the end of it give it away: "Magnus from the Microsoft Security Response Center for his fast responses and for showing a decent sense of humour. :-)"
Re:the article was a joke (Score:3, Informative)
Word is insecure crap, anyway (Score:4, Interesting)
Side note: PDF Passwords ARE TRIVIAL to break. Don't try to protect your PDFs from printing/copying/etc. with the built-in "security." It takes about 15 seconds with publicly-available software to crack any PDF.
Re:Oh, this bodes well. (Score:5, Informative)
2003-11-27, 10:30 UTC Microsoft notified to: secure microsoft com
2003-11-27 confirmed receipt from: secure microsoft com
2003-12-03 Note from Microsoft, Form protection "is not intended as a full-proof protection for tampering or spoofing, this is merely a functionality to prevent accidental changes of a document", request additional time to update Microsoft Knowledge Base article.
Targetting beginning of January 2004 for release of this advisory.
from: "Magnus"
2003-12-08 Microsoft has already released the KB article (or added a warning to an existing article). Read the KB article at http://support.microsoft.com/?id=822924
from: "Magnus"
MOD PARENT DOWN (Score:2)
Please mod parent down (-1, DMCA Troll) (Score:2)
Re:OMG MICROSFT IS TEH SUCK (Score:4, Funny)
Welcome to