
Hardware 2.0

Adrian Kingsley-Hughes

DRM FAIL: Microsoft locks users out from own documents

By | December 15, 2009, 5:51am PST

If you think that DRM that locks you out of a song or movie that you’ve bought is bad, imagine being locked out of a document that you created, and being able to do nothing about it until a patch is released.

This is exactly what happened to Microsoft Office 2003 users who had protected their documents using the Rights Management Service (RMS) feature. Starting on December 11th, users trying to open documents protected by RMS were greeted by the following error message:

“Unexpected error occurred. Please try again later or contact your system administrator”

The problem, it seemed, was down to an expired security certificate. There is a hotfix available.

It is, however, a cautionary tale. The fact that Microsoft didn’t update this certificate in a timely fashion is an indication that Microsoft wasn’t taking this feature as seriously as some of its customers were.


Disclosure

Adrian Kingsley-Hughes

All opinions expressed on Hardware 2.0 are those of Adrian Kingsley-Hughes. Every effort is made to ensure that the information posted is accurate. If you have any comments, queries or corrections, please contact Adrian via the email link here. Any possible conflicts of interest will be posted below. [Updated: February 23, 2010] - Adrian Kingsley-Hughes has no business relationships, affiliations, investments, or other actual/potential conflicts of interest relating to the content posted so far on this blog.

Biography

Adrian Kingsley-Hughes

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera.

Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs. His most recent books include "Build the Ultimate Custom PC", "Beginning Programming" and "The PC Doctor's Fix It Yourself Guide". He has also written training manuals that have been used by a number of Fortune 500 companies.

Adrian also runs a popular blog under the name The PC Doctor, where he covers a range of computer-related topics -- from security to repairing and upgrading.

55
Comments


Bashing or just truth?
eldernorm 3rd Jan 2010
The problem is that Microsoft is not your cousin Fred. It's a giant
company that put DRM out there to help control YOU.

DRM prevents people from doing what they may want to do, usually
cause they do not have the right to ..... make unlimited copies, view
someone else's stuff, etc.

For Microsoft to forget this issue,,,, and the next ,,, and the loss of the
mobile information (2 months ago) says just one thing......

Microsoft wants you to go to the cloud, but they do not really care
about supporting you when you get there..... Just controlling your
money.

Microsoft is all and only about your money. Getting it and keeping it.

Just a thought. But good luck if it's true. sad

en
0 Votes
+ -
This is why people
ju1ce 15th Dec 2009
Should stick to PDF Creators from Word Documents if they feel they do not want anyone to easily copy or modify their document.
0 Votes
+ -
PDF is easily modifiable
mdemuth 15th Dec 2009
using PDF instead of Rights Management is like using masking tape to hold a door closed instead of a dead bolt.
It is in no way going to solve your problem.
Especially if your problem is preventing unauthorized people from READING the document.
PDF is easily modifiable. That's true, especially if you use Office 2007 with the "Save as PDF" add-in installed.

All you need to do, is open the PDF Document in Adobe Reader, Select the text, copy it into Word, change what you want to change, and then save as PDF.

Bottom line: Saving your documents as PDF will not help, even in the short term!
0 Votes
+ -
You need Adobe Acrobat Pro
cgarrett 15th Dec 2009
To prevent copy-and-paste, prevent editing, or protect the document with a password. But PDF does support that.
0 Votes
+ -
Sorry a little late
ju1ce 15th Dec 2009
but you are correct, we use it as our method for distributing documents.

Nothing is "100%" bulletproof mind you but in most cases you can easily prevent people from modifying, copying documents with cheaper and less complex alternatives.
0 Votes
+ -
cgarrett and ju1ce are both wrong
kckn4fun 15th Dec 2009
You're assuming that third party PDF software respects the PDF protocols when it comes to security-- and not all do. The fact is there are packages out there that allow you to circumvent PDF security to some extent.
0 Votes
+ -
that uses the protocols. Even one that doesn't still would have the capability in addition where you could attach digital signatures etc through the use of Adobe if the ultimate security was required. Either way. PDF Wins, Word loses in this area.
0 Votes
+ -
Can you expand on your statement?
NonZealot Updated - 15th Dec 2009
Even one that doesn't still would have the
capability in addition where you could attach
digital signatures etc through the use of Adobe
if the ultimate security was required. Either
way. PDF Wins, Word loses in this area.


Can you explain how Adobe's implementation of
digital signatures is superior to MS's?

http://office.microsoft.com/en-us/word/HA100997681033.aspx
0 Votes
+ -
Search for yourself...
ju1ce 15th Dec 2009
http://www.adobe.com/security/digsig.html

Make up your own opinion, we had to do ours for our own company (10k+ people), which is also requested from our clients.
0 Votes
+ -
Thanks ju1ce!
NonZealot 15th Dec 2009
Much appreciated. It looks like the actual
decision is whether to standardize on PDF or Word.
Once you've made that decision, both offer digital
signing.
0 Votes
+ -
Question
NonZealot 15th Dec 2009
Does PDF support the ability to restrict who can
view that PDF?
0 Votes
+ -
I know it supports passwords...
lostarchitect 15th Dec 2009
but I don't know if that's what you're looking
for.
I was just wondering if PDFs supported the same
end results that RMS lets you achieve with Office
documents. If RMS lets you achieve things that
cannot be achieved with PDF then suggesting PDFs
isn't an answer. I honestly don't know what PDFs
support so I didn't have an answer in mind when I
asked the question. happy
0 Votes
+ -
Doesn't matter really
ju1ce 15th Dec 2009
Both are easily hacked but PDF is the de facto standard for a reason.
0 Votes
+ -
Hacked?
NonZealot 15th Dec 2009
Both are easily hacked

Do you have links to show that RMS is easily
hacked? I did a quick search myself and didn't
come up with anything.

PDF is the de facto standard for a reason

I never really viewed PDF and Word as being
competitors in the same space.

Besides, just because something is a standard
doesn't mean that it has better support for
specific features. Let's be honest, the type of
protection you get with RMS is not required by
most people, nor are, I'm sure, some of the
more exotic ways that you can protect a PDF
document. So even if PDF and Word did compete
in the same space, simply saying "PDF is the
standard" in no way proves that "PDF has better
document protection".
The PDF file format has security options that can restrict what users can do with the document, read, print, copy, modify, etc.
These are controlled by a password.

However these passwords are easily cracked using password removal software.
0 Votes
+ -
True
ju1ce 15th Dec 2009
but the same can be said of anything office related.

How many tools are there out there for cracking word documents, access db's etc. The point is to restrict your average consumer.
0 Votes
+ -
Yes
ju1ce 15th Dec 2009
You can also include digital signatures to the document for authenticity which can't be duplicated if used properly. Which also affects how the document is viewed if someone attempts to modify it.

PDF is a far superior format for document authentication and protection than Word. Word is getting there but still has a way to go.
0 Votes
+ -
If you use DRM to "protect" your documents you WILL eventually get burned. Whether it is a catastrophe or just an inconvenience will depend on a number of factors, most of which you do not control.
0 Votes
+ -
When DRM has happened
Ole Man 15th Dec 2009
it is just a catastrophe waiting.

Software designed to cause hardware failure.
0 Votes
+ -
Oh come on...
NoThomas 15th Dec 2009
MS made a mistake and is taking the responsibility for it. They had a fix the next day, it's not like people had to wait long. No reason to blow this out of proportion. However I do agree with the previous post, put stuff into PDF so it cannot be easily copied.
0 Votes
+ -
No one is blowing this out of proportion
use_what_works_4_U 15th Dec 2009
This is one of Adrian's briefest, most to the point blogs ever. It's
simple:
MS created a feature that people use.
MS failed to keep that feature functioning when they could have.
Microsoft had to publish a fix for something that did not have to
break, but did. (Breaking something out of absentmindedness is a fail.
Specifically a failure to pay attention to your own work.)
People who used the feature cannot now access their own work until
they apply the fix.

Conclusion: Microsoft underestimated the importance of this feature.

No one disputes any of this. This is a report, and a surprisingly
unbiased one with the exception of the one conclusion which is nearly
self evident anyway.

I agree also, save stuff as PDF.
0 Votes
+ -
They were wrong..
NoThomas 15th Dec 2009
They should not have let the certificate expire, that is true.

Once they found the error though it took them within 24 hours to issue a fix. I am just saying it's not that big of a deal. If MS did not issue a fix until a week later or I don't know the next Patch Tuesday then I would agree that would be a big deal.

"Conclusion: Microsoft underestimated the importance of this feature." I agree with you on this.
0 Votes
+ -
RE:They were wrong..
joe6pack_z 15th Dec 2009
...Once they found the error though it took them within 24 hours to issue a fix...

Agree or disagree?: That it was fixed within 24 hours should be expected, not noteworthy.
0 Votes
+ -
agree
use_what_works_4_U 15th Dec 2009
It should be expected and I think MS got that right. It would have been
better to avoid the issue, but at least they fixed it quickly.
0 Votes
+ -
Disagree.
CobraA1 15th Dec 2009
"MS failed to keep that feature functioning when they could have."

Yes, probably because the employee that put the certificate in forgot to renew it.

"(Breaking something out of absentmindedness is a fail. Specifically a failure to pay attention to your own work.)"

Which most people are guilty of. I have yet to find a person who is absolutely, 100% perfect at everything they do.

"Conclusion: Microsoft underestimated the importance of this feature."

Bad conclusion.

Certificates last a long time - on the order of years, I think. It's easy for somebody to forget.

"No one disputes any of this."

I must not be anybody, then :P.
0 Votes
+ -
You are entitled
use_what_works_4_U 15th Dec 2009
"MS failed to keep that feature functioning when they could have."

Yes, probably because the employee that put the certificate in forgot
to renew it.
No offense intended but, D'oh! That's my point. Someone had a job
to do and for the customers who bought what is arguably the most
important product Microsoft makes it is no excuse to say "It's not the
company's fault, it was Joe"


"(Breaking something out of absentmindedness is a fail. Specifically a
failure to pay attention to your own work.)"
Which most people are guilty of. I have yet to find a person who is
absolutely, 100% perfect at everything they do.
Did I suggest otherwise? The fact that we are fallible does not relieve
us of our responsibilities. The judicious use of Microsoft's own Project
or Outlook applications was all that was necessary.

"Conclusion: Microsoft underestimated the importance of this
feature."
Bad conclusion.

So my intellectual property is not important? Because failing to tell me
that Microsoft is responsible for keeping my IP available if I use their
product is pretty freaking important. What will happen if Microsoft
decides they are not going to support this feature at some point down
the road? If my kids need to access something I created after I die,
say to show state of mind when I created my Will, are they just SOL?

Certificates last a long time - on the order of years, I think. It's
easy for somebody to forget.
Again, not in dispute. But if you are going to sell millions of
something and advertise a certain feature you have an obligation to
make sure that feature works. "Easy to forget" is no more a valid
excuse than "Gee Officer, I felt sober before I got behind the wheel."

"No one disputes any of this."
I must not be anybody, then :P.


Hardly. We just disagree. happy
0 Votes
+ -
RE: You are entitled
fatman65535 Updated - 15th Dec 2009
Quote: So my intellectual property is not important? Because failing to tell me that Microsoft is responsible for keeping my IP available if I use their product is pretty freaking important. What will happen if Microsoft decides they are not going to support this feature at some point down the road? If my kids need to access something I created after I die, say to show state of mind when I created my Will, are they just SOL?

(emphasis mine)

(sarcasm)

Now, that can't happen, now can it???

(/sarcasm)

Well, Plays For Sure comes to mind, now doesn't it?
0 Votes
+ -
Logic
CobraA1 16th Dec 2009
"Hardly. We just disagree."

Which means your original assertion that "No one disputes any of this" is false. You know that colleges offer courses in logic?

"So my intellectual property is not important?"

Importance is not an automatic fix for human fallibility, and human fallibility is not indicative of lack of importance.
0 Votes
+ -
MS Bashing
bobiroc 15th Dec 2009
I agree that this was an overlooked mistake on Microsoft's part but if it were another company I think it would have been a less condescending of an article/blog. Adrian has a long history of writing biased and uninformed blogs about Microsoft to fulfill his agenda on bashing Microsoft at every turn. Similar mistakes have been made by software companies just as big and some take a lot longer to issue a patch. The email I got about the certificate issue was written as them admitting they dropped the ball and apologetic for them inconveniencing the end users using this rights management feature. I guess the real fact that remains to be seen is how many of the millions/billions that use MS Office 2003 were really affected in this 24 hour period. Probably not as many as Adrian would want to imply.
0 Votes
+ -
Accepted
use_what_works_4_U 15th Dec 2009
I don't dispute that Microsoft did the right thing to correct the issue. I
just happen to feel that the issue only existed due to corporate short-
sightedness.
0 Votes
+ -
MS observing
dfolk2 15th Dec 2009
I have found Adrian to be one of the most credible,
well researched, and even handed writers on this
web site. When I am looking for thoughtful,
scientific information, I look to his research and
conclusions. If you are looking for a steady diet of articles which consistently try to make MS look
good and diminish failings in their products,
stick with Ed Bott, he should keep you satisfied.

The fact of the matter is that MS has deserved
far more severe criticism than I have even observed
from Mr. Kingsley-Hughes.

As an example:
http://www.albion.com/microsoft/findings.html
0 Votes
+ -
So did VMware underestimate the importance of ESX/ESXi when a certificate expired too? Bad mistake by Microsoft but bad conclusion by you also.
0 Votes
+ -
Not My Conclusion
use_what_works_4_U 15th Dec 2009
That was a paraphrasing of Adrian's conclusion.
The fact that Microsoft didn’t update this certificate in a timely
fashion is an indication that Microsoft wasn’t taking this feature as
seriously as some of its customers were.

Having said that, yeah, absolutely if VMWare failed to properly support
their customers when an expected event happened on schedule then
they also did not properly evaluate the importance of said event.

Folks, stuff happens and I understand that. Giving any corporation a
pass because they "forgot" an obligation to their customers is just
pandering, though. We pay for a product, service, or (in these cases)
both and we should expect that our business is important enough to
avoid such issues. The problem I have with both of these examples is
that certificates have a specific expiration date and it's not
rocket science to set a calendar alert.
0 Votes
+ -
I know it wasn't your conclusion but
planruse 15th Dec 2009
you still stated it as being your conclusion also. I still can't see how it means that a feature/piece of software is not considered important by a company as ESX is of critical importance to VMware as is this to Microsoft and its customers. I do agree with your other points about setting a calendar alert - surely someone in that department runs Outlook! I am also surprised the software doesn't even check itself and issue warnings too.
0 Votes
+ -
Where I Disagree
DannyO_0x98 15th Dec 2009
The issue for discussion today should be the wisdom of having outside
parties directly or indirectly hold the keys to our documents.

It's a variation on the cloud debate.

The customers affected were fortunate, I suppose, in that Microsoft held
the keys, it's a company that is not likely to disappear overnight, and it
does realize the implications of not getting this fixed fast.

But imagine the problem if the keys are held by a more marginal
company.
0 Votes
+ -
RE: Where I disagree
fatman65535 15th Dec 2009
FINALLY!!!!!!!!!!!


Someone who GETS IT!!!!!


Well said DannyO_0x98!!!!
0 Votes
+ -
I second that!
use_what_works_4_U 15th Dec 2009
Well said indeed!
0 Votes
+ -
You're joking . . .
CobraA1 15th Dec 2009
Okay - a security certificate expired . . .

If it were anybody else, you'd chalk it up to an honest mistake. Truth is, it's very likely somebody forgot to set a date on their calendar to renew the certificate.

Heck, I've seen expired certificates on high-profile websites like Yahoo. It happens. Certificates last a very long time, and it's easy for somebody to forget.
0 Votes
+ -
ARTICLE FAIL! Another AKH Microsoft bashing moment brought to you by ZDNet.

Story broke last week, you're just now reporting it? Way to keep up with the tech times! You realize this can happen to any software that invokes rights management. If you think about it, the software didn't fail. In fact it did exactly what it was supposed to do, it protected the documents! Besides that, you admitted that the issue has been resolved.

The problem, it seemed, was down to an expired security certificate. There is a hotfix available.

Hotfix is available, download it and be done with it. End of issue.

It is, however, a cautionary tale. The fact that Microsoft didn’t update this certificate in a timely fashion is an indication that Microsoft wasn’t taking this feature as seriously as some of its customers were.

They weren't? They took it seriously enough to issue a hotfix to resolve it. You know what else isn't taken seriously? Your Microsoft bashing. Like I said, this same issue could happen in any piece of software that uses rights management. Trying to make this a bigger issue than it is will not help you.
0 Votes
+ -
My questions are ...
mrlinux 15th Dec 2009
1) How long will the update cert last ???
2) What is the plan for the next time it expires ??
Hopefully update before expires.
DRM = Bad idea
This was just an itty-bitty oopsie.

This Microsoft company, you all keep mentioning, appears to still be around to make a 24hr fix. BUT . . . what if they were not around?

Six years (2003-2009)! Even at the glacial speed of corporate lawsuits this is enough time for, ohhh .... the DOJ to step in and break Microsoft into two or three Minisofts (hey! it was discussed).

Now Office is part of the applications group and the DRM certificate has to be issued by the O/S group. Is it done in 24hrs?


Go ahead. DRM your paper. Lock it down. Keep it safe from prying eyes. Just make sure you keep an unencrypted plain text version in the directory beside it - just in case.
0 Votes
+ -
Can you clarify?
NonZealot 15th Dec 2009
Who did this affect? Was there a bug in Word that added
DRM to every document created and then prevented you from
opening it or did this only affect end users who chose to
enable this on only the documents they felt were private
enough to warrant this type of protection?

Thanks in advance for the clarification.
0 Votes
+ -
One additional question
use_what_works_4_U 15th Dec 2009
If you did choose to use this DRM scheme, was there any documentation
to inform you that you were reliant on MS and their certificates?
Probably so, but if not why not?

OK, that's 2. happy
0 Votes
+ -
Knowing usual software providers
ju1ce 15th Dec 2009
Why would you even question it? It's like that small little fine print in the bottom or back of a contract that states something so obscure that unless you know what you're looking for you'll never find it.

It's probably stated SOMEWHERE in their EULA.
0 Votes
+ -
Security sucks
Wait A Minute Here 15th Dec 2009
Security sucks. If not for hackers and security and
thieves, computers and even the net itself would work
ten times as fast.

I used to sell software last century. Then I got
greedy and paranoid and added copy protection. It
added a whole new level of support to my product,
helping people open my product when their disk drives
were 1% off track. My software took twice as long to
load and actually slowed down faster systems, and
couldn't be installed onto hard drives. People had to
insert a slow diskette (remember that word?) I got rid
of the protection.

Now I work for one of the largest companies in the
world. Day to day, security -- needless security -
makes every day hell. I have to literally log in to
log in to log in to log in, and then probably three
times more every day, log in again. This doesn't even
begin to get me into the tools that I have to log
into. I even have to log in to the database that lets
me know policy to freely tell customers. Even though I
have to tell customers this crap, it says that the
stuff we're supposed to tell customers is proprietary
and classified. And wouldn't you believe it, sometimes
I can't log in at all.
0 Votes
+ -
Protected to death!
Ole Man 15th Dec 2009
That's the word you're looking for.

Microsoft has been doing it all along. Now your government wants to do it too.

Sort of like a double-dog dare. Either way you lose.
0 Votes
+ -
A few thoughts:
msalzberg 15th Dec 2009
For those who say it was only for a day; I'd think that any
document that's important enough to call for some sort of
DRM, is probably one that requires instant access. "You
can have your document tomorrow" doesn't always cut it.

Doesn't anyone at Microsoft have a calendar that will alert
them to renew a certificate? I'm sure Outlook has that
ability.

How long will it take for these people to trust Microsoft
again? Microsoft has been doing a great job of gaining
users' trust, but for those who were locked out of their
own documents, will they even attempt this again?
