January 02, 2004
Just how crappy is Microsoft Word?
I tell everyone that most Microsoft software is complexity coded too simply to do anything of value correctly... I've even written about the dangers of sending MS Word DOC files as attachments.
Here's more proof... if you use the "protect forms with a password" feature in MS Word (that prompts the end-user for a password in order to modify certain parts of the document), you aren't really protecting your content. A determined adversary could use the following procedure (via Bugtraq) to reset this password and change the document... all the time under your radar. Worse, this adversary could change the password, modify your content and then change it back again without you knowing the difference (what percentage of MS Word users have even heard of a "hex editor"?). If you're interested, read on...
Example:
--------
1.) Open a protected document in MS Word
2.) Save as "Web Page (*.htm; *.html)", close Word
3.) Open html-document in any Text-Editor
4.) Search "<w:UnprotectPassword>" tag, the line reads something like
that: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>
5.) keep the "password" in mind
6.) Open original document (.doc) with any hex-editor
7.) search for hex-values of the password (reverse order!)
8.) Overwrite all 4 double-bytes with 0x00, Save, Close
9.) Open document with MS Word, Select "Tools / Unprotect Document"
(password is blank)
Variation:
----------
If the 8 checksum bytes are replaced with the checksum of a known
password it should be fairly easy to unprotect the document, make any
necessary changes, save, close and reset the password to the original
(unknown!) password by simply restoring the original values. Document
changed without even knowing the password. Nasty.
(Note: Take care to get file properties (author, organisation,
date/time etc.) right.)
Solution:
---------
No solution is currently available. Do not rely on the "Protect
Forms" mechanism to protect a Word document against changes.
Posted by joebeone at January 2, 2004 04:39 PM
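A check a document owner could run on a returned file, given as an added example that is not part of the original post or the Bugtraq advisory. It shows that looking at the protection checksum alone misses the "Variation" case, while a digest of the whole file does not. The function names and sample bytes are hypothetical and constructed, and the code assumes the eight hex digits in the tag are four bytes stored in reverse order, as step 7 describes.

```python
import hashlib
import re

TAG = re.compile(r"<w:UnprotectPassword>([0-9A-Fa-f]{8})</w:UnprotectPassword>")


def stored_bytes(html_export: str) -> bytes:
    """Checksum from the HTML export, in the reversed byte order step 7 describes."""
    match = TAG.search(html_export)
    if match is None:
        raise ValueError("no <w:UnprotectPassword> tag in the export")
    return bytes.fromhex(match.group(1))[::-1]


def audit(reference: bytes, returned: bytes, checksum: bytes) -> dict:
    """Compare a returned document with the reference copy kept by the sender."""
    same = hashlib.sha256(reference).digest() == hashlib.sha256(returned).digest()
    return {
        # False when the checksum was blanked or replaced by another password's.
        "checksum_present": checksum in returned,
        # False on any change at all, even if the checksum was put back afterwards.
        "digest_match": same,
    }


# Constructed sample data (not real .doc files); the tag value is the one in step 4.
EXPORT = "<p>form</p><w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>"
CHECKSUM = stored_bytes(EXPORT)
REFERENCE = b"HEAD" + CHECKSUM + b"|locked text: pay 100"
BLANKED = b"HEAD" + bytes(4) + b"|locked text: pay 100"
RESTORED = b"HEAD" + CHECKSUM + b"|locked text: pay 900"

if __name__ == "__main__":
    for name, doc in [("reference", REFERENCE), ("blanked", BLANKED), ("restored", RESTORED)]:
        print(name, audit(REFERENCE, doc, CHECKSUM))
```

Only the digest comparison flags the "restored" sample, so the reference digest has to be recorded before the document leaves the sender's hands.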
Joe,
I was with you until the last sentence, but I can't agree with your solution. The correct solution would be: don't use MS Word.
I actually had a funny accident with MS Word's protected fields this year. I was filling in a form for Brazilian consulate, and of course it was a MS Word form with fixed fields. I decided to not push my luck and was filling the form in Word, until I came across a field that simply give enough space to put in the whole address. So, I had to open the form in OpenOffice, which of course allowed me to modify the fields without asking for password or anything like that.
That solution is from the Bugtraq advisory... it's not mine. My solution, of course, is: Don't use anything even remotely related to Microsoft so as to 1) not aid the evil empire and 2) promote cross-platform, cross-application standards and 3) demote vendor lock-in. Hope you're well, Yuri...
Brazilian consulate? Sounds spicy! It is great to know that OpenOffice shorts out this functionality... a question for the cyberlaw buffs: could this method above (or whatever OO does to bypass this) be circumvention under 1201 of the DMCA?
Oh-oh. I guess I am in trouble now. I hope MS comes up with some sort of amnesty program, where if you delete all open source software from your computer and promise to never use it again, they will promise not to sue you under DMCA.
Now that made me laugh... hard...
...there are definitely incentives to code crappy authentication/access procedures now that section 1201 is around... the fucked up thing is how the term "effective" is defined traditionally in legislation (as in "No person shall circumvent a technological measure that effectively controls access to a work protected under this title."[1])... it doesn't mean what you'd think it means... it means anything that is designed to prohibit access to some content... not anything that actually does that job.
[1] U.S.C. 1201 (a)(1)(A): http://www4.law.cornell.edu/uscode/17/1201.html
There is one thing that still bugs me from all this crap now that Microsoft has been irritating me for a while: when I open my password protected documents saved as file.doc, they always give me a popup to fill in the password and won't open unless I put in the correct password. So is this Microsoft Word flaw only available when you save a Word document as file.html? Because remember, without the password to open a document there is no "save as" option under FILE in the menu bar. My more defined question is this: when is word a flaw, is it when the document has only a password to modify or only password to open or even both?
I don't use word... I suggest that you don't either...
Ah... to dave: This is a flaw in the "password to modify" feature... not "password to open". See discussion here.