'Unfixable' Word password hole exposed


Summary: A simple hack to Word's password-protection feature means documents may not be as secure as users believe. No fix is on the way, says Microsoft


Microsoft Word documents that use the software's built-in password protection to avoid unauthorised editing can easily be modified using a relatively simple hack that was published on a security Web site last Friday.

The password-protection feature in Microsoft Word -- activated by clicking on Tools/Protect Document -- can be bypassed, disabled or deleted at will, with the help of a simple programming tool called a hex editor. The hack does not leave a trace, meaning an unauthorised user could remove the password protection from a document, edit it, and then replace the original password.

Microsoft was informed about the vulnerability in late November by Thorsten Delbrouck, chief information officer of Guardeonic Solutions, which is a subsidiary of German security specialist Infineon Technologies. In early December, Microsoft denied there was a problem because, the company said, the password-protection feature is not intended to provide "fool-proof protection for tampering or spoofing" but is "merely a functionality to prevent accidental changes of a document".

This view is questioned by Delbrouck, who told ZDNet UK that the "feature" poses serious legal implications for companies. He explained that one of his company's hardware suppliers is Dell, which emails its quotes in a form-protected Word document. What happens, asked Delbrouck, if Dell sends him an offer, he uses the hack to modify the offer in his favour, then signs it and faxes it back? "We would probably end up in court and an expert would probably look at the original document and say, 'this document is protected by a password that the customer could not have known. It has not been modified because the protection is still active and the document still has its original password,'" Delbrouck said.

Following Delbrouck's revelations, Microsoft updated its Knowledge Base article 822924, titled "Overview of Office features that are intended to enable collaboration and that are not intended to increase security" to include the following warning to users: "When you are using the 'Password to Modify' feature, a malicious user may still be able to gain access to your password."

Delbrouck said there is no solution to the problem. Instead of using the protect feature, he advises companies sending sensitive information to use digital signatures or a different document format altogether, such as Adobe's PDF, which he has recommended to Dell in Germany.
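
Delbrouck's digital-signature recommendation, sketched as an added example that is not from the article or from Microsoft: the sender signs the exact bytes of the quote, so an altered copy fails verification whatever its password state. The file names, the quote text and the use of the openssl command-line tool with an RSA key are assumptions, and a text file stands in for the Word document.

```shell
#!/bin/sh
# Added example: detached signature over a quote (all names are constructed).
# Requires the openssl command-line tool.

# Sender: create a signing key pair in directory $1.
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/sender.key" 2>/dev/null &&
    openssl pkey -in "$1/sender.key" -pubout -out "$1/sender.pub"
}

# Sender: sign document $2 with private key $1, writing the signature to $3.
sign_doc() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Anyone: check document $2 against signature $3 using public key $1.
# Returns 0 only if the bytes are exactly what the sender signed.
verify_doc() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Demo with a constructed quote; a plain text file stands in for the .doc.
demo() {
    dir=$(mktemp -d) || return 1
    make_keys "$dir" || return 1
    printf 'Quote 1001: 10 servers, total EUR 25,000\n' > "$dir/quote.doc"
    sign_doc "$dir/sender.key" "$dir/quote.doc" "$dir/quote.sig" || return 1

    verify_doc "$dir/sender.pub" "$dir/quote.doc" "$dir/quote.sig" \
        && original=valid || original=invalid

    # The returned copy carries a changed price; the signature covers the
    # bytes themselves, so the document's protection setting is irrelevant.
    sed 's/25,000/15,000/' "$dir/quote.doc" > "$dir/returned.doc"
    verify_doc "$dir/sender.pub" "$dir/returned.doc" "$dir/quote.sig" \
        && returned=valid || returned=invalid

    rm -rf "$dir"
    echo "original=$original returned=$returned"
}

demo
```

Because only the sender holds the private key, the recipient cannot produce a modified quote that verifies under the sender's public key.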

Microsoft was not available for comment.


Munir Kotadia

  • Office documents have never been secure; for years programs have been available on the internet (a simple Google search brings up hundreds) which allow you to simply enter a password-protected .doc file and within a minute a non-password-protected .doc file is produced.

    These programs are great if you forget the password to a document (as I have done on several occasions); however, they make password protecting any Office document totally pointless.
  • Delbrouck's example is perfect!

    "What happens, asked Delbrouck, if Dell sends him an offer, he uses the hack to modify the offer in his favour, then signs it and faxes it back? "

    I'm not even going to bother delving into the obvious result - Delbrouck goes to jail for fraud.

    Instead let's change the scenario only slightly and say Dell used a locked PDF instead. So Delbrouck makes his own PDF that looks just like the original except he lowers the quote and locks it with his own password. How can Dell prove they didn't send him the altered PDF?

    Strong encryption, by itself, does nothing to help prevent his fraud. And, as a 'security expert' Delbrouck should know better.

    The fact that he used this lame example raises more questions than his trumped-up security hole.
  • Since the days of Tipp-Ex and photocopiers, we have always had people who will try and alter official documents. What we need is people to be aware and to check the contracts as they are returned. At the end of the day computers are tools and should never be trusted so completely as to allow anyone to get away with this kind of fraud. The limitations of the 'password protection' should be made known but as for being made foolproof, well I think that's living in a dreamworld.
  • This whole discussion about passwords is *way* overblown. If you want to modify a password protected document, you do this:

    - Select All
    - Copy
    - New Document
    - Paste

    Woohoo! You can edit the document to your heart's content. Of course, you've circumvented a security mechanism and so are probably prosecutable under the DMCA :-)

    If you *really* want to modify the original, you go buy a $30 tool to crack the password. It's been available for years.
  • What, somebody at some security company figures out something which has been known for some time and it's a big deal now? If you have access to the source document and can open it, there is no way you can stop editing. I'm betting the same problem exists in PDF as well.

    The only way to keep this from happening is to encrypt the document, but then the end users can't read it, so what's the point?
  • Possibly already known. I opened a "protected" Word document with Open Office v1.1.0: hey presto, no protection.
  • I have a Word doc with a 'read-only embedded font'.

    The Beveridge means of copying text is prevented.

    Is it possible in Open Office? Must try.
  • I forgot the password of my Doc file; can anyone recover it for me?