Password protection in Microsoft Word criticized

By Munir Kotadia
Staff Writer, CNET News

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
- Google
- Newsvine
- Yahoo! Bookmarks
- Twitter
- Stumbleupon
E-mail
Print

Related Stories: Microsoft publishes program to blast MSBlast
January 6, 2004; Cracking Windows passwords in seconds
July 22, 2003; Passwords: The weakest link
May 22, 2002

Microsoft Word documents that use the software's built-in password protection to avoid unauthorized editing can easily be modified using a relatively simple hack that was recently published on a security Web site.

Known as the Password to Modify feature, the password-protection mechanism in Microsoft Word can be bypassed, disabled or deleted with the help of a simple programming tool called a hex editor. The hack does not leave a trace, meaning an unauthorized user could remove the password protection from a document, edit it and replace the original password.



		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

Microsoft was informed about the vulnerability in late November by Thorsten Delbrouck, chief information officer of Guardeonic Solutions, which is a subsidiary of German security specialist Infineon Technologies.

In a Knowledge Base article published in early December, Microsoft denied there was a problem because, the company said, the password-protection feature is not intended to provide "fool-proof protection for tampering or spoofing," but is "merely a functionality to prevent accidental changes of a document."

"(When) you use the Password to Modify feature, the feature is functioning as intended even when a user with malicious intent bypasses the feature," the technical support document explained. "The behavior occurs because the feature was never designed to protect your document or file from a user with malicious intent."

The software giant recommends that users who want to secure their documents use the Password to Open feature.

However, Microsoft's assertions were questioned by Delbrouck, who said the feature poses serious legal implications for companies. He explained that one of his company's hardware suppliers is Dell, which e-mails its quotes on a protected Word document. What happens, asked Delbrouck, if Dell sends him an offer, he uses the hack to modify the offer in his favor, then signs it and faxes it back?

"We would probably end up in court and an expert would probably look at the original document and say, 'this document is protected by a password that the customer could not have known. It has not been modified because the protection is still active and the document still has its original password,'" Delbrouck said.

Following Delbrouck's revelations, which were posted Friday, Microsoft updated its Knowledge Base article to include the following warning: "When you are using the 'Password to Modify' feature, a malicious user may still be able to gain access to your password."

Delbrouck said there is no solution to the problem. Instead of using the protect feature, he advises companies sending sensitive information to use digital signatures or a different document format altogether, such as Adobe's PDF, which he has recommended to Dell in Germany.

David Bennie, Microsoft UK's Office product marketing manager, told ZDNet UK that although Word's password protection is useful for collaborating with colleagues, it is not a security feature and should not be relied upon as such.

"If (users) are using it as a security feature, then that is not correct," Bennie said. He agreed that if a company wants to transport documents securely, it should either use digital certificates or an application such as Adobe Acrobat that can "lock down" the document.

"If you are looking for secure encryption, you should not be using this feature. We have lots of customers out there using password protection, but the reason they are doing that is to stop general users changing the text or whatever--and it works perfectly well for that," Bennie said.

However, Delbrouck countered that Microsoft is attempting to play down the problem because it cannot be fixed. "I doubt there is much they can do about it, because they have to be backward-compatible with their file format, which keeps changing," he said. "I think the only possible solution for them was to play down the problem."

Munir Kotadia of ZDNet UK reported from London. CNET News.com's Robert Lemos reported from San Francisco.

See more CNET content tagged:
Knowledge Base article, password protection, password, Microsoft Word, document

Latest tech news headlines

Another iPhone bug?
Posted in News - Apple by Elinor Mills

October 7, 2008 2:53 PM PDT
Dow plummets 508 points
Posted in News - Business Tech by Dawn Kawamoto

October 7, 2008 1:48 PM PDT
CNET News Daily Podcast: Subway cards now easily hackable
Posted in CNET News Daily Podcast by Kara Tsuboi

October 7, 2008 1:41 PM PDT
See all headlines

Resource center from News.com sponsors

You Need The Speed of Norton 2009

Introducing Norton Internet Security™2009

With one-click, one-minute install, under 8MB of memory usage and fewer, shorter scans, it's the fastest security suite anywhere. Norton. Smart Security, Engineered for Speed. Get a FREE trial today!

The Fastest Security Suite Anywhere

Experience the revolutionary Norton Internet Security™ 2009. With Norton™ Insight, a new feature, you get precision security that targets only at risk files for fewer, faster, shorter scans

Win a Trip to Space!*

Enter the Blast Off with Norton Sweepstakes for your shot at a trip to space. You could experience being fast and weightless, just like the new Norton 2009. *No purchase necessary; click for full details.

FREE Trial!

Act now to get your FREE trial of Norton Internet Security 2009. Try it for the protection. Love it for the speed

Norton Safe Web NEW!

A community-based system that rates web site safety

Norton Labs NEW!

Users can download new security technologies and share input directly with developers. Help us shape our future products!

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Inside CNET News

Scroll Left Scroll Right

News - Business Tech
Dow plummets 508 points
The Dow Jones industrial average takes another wild ride, marking a second consecutive day it has ended the session below 10,000.
Gallery
Photos: Messenger returns to Mercury
News - Apple
Another iPhone bug?
Security conscious 12-year-old discovers new security hole in iPhone that allows people to see incoming text messages even when the passcode lock is enabled.
News - Microsoft
Microsoft search results land inside Facebook
As part of a deal announced in July that resulted from an investment, users can now do Web searches using Microsoft's engine without leaving the social-networking site.
Video
Mercury exposed
CNET News Daily Podcast
CNET News Daily Podcast: Subway cards now easily hackable
Protecting yourself from subway card hacks; a possible battery change for Apple's iPhone; and corporate restructuring at AMD.
Video
DIY political ads proliferate
News - Politics and Law
CBS live Webcast: Presidential debate, round two
Continuing our coverage of Election 2008, CBS News and CNET are presenting a live Webcast of Tuesday's presidential debate, followed by Web-only analysis and commentary.
News - Cutting Edge
Astronaut training awaits Esther Dyson
The tech pundit and investor is girding for six months of training at Russia's Star City, as an understudy to International Space Station-bound Charles Simonyi.
Gallery
Photos: Top 10 reviews of the week
Crave
Teleconverters for Sony HSM lenses from Sigma
Sigma has announced two new teleconverters for Sony mount telephoto lenses, the APO Teleconverter 1.4x EX DG and the APO Teleconverter 2x EX DG.
Green Tech
Army plans 500-megawatt solar thermal farm
A new Army energy strategy includes plans for what could become the world's largest solar thermal farm, as well as geothermal and biomass-to-fuel projects.