When a security feature is no longer secure

Robert Vamosi CNET

Published: 04 Feb 2004

Question: When is a security feature not a security feature? Answer: When it's the document-protection system in Microsoft Word.

It's called Protect Documents, and it allows the owner of a document to prevent its readers from tracking changes, making comments or changing the content in forms. It can be used, for instance, to make sure a customer can't alter a price quote before printing it out and signing it.

You can locate this feature by selecting Tools > Protect Document. It's different from the encryption security feature, which locks an entire document from modification. The latter is available by selecting Tools > Options > Security.

Even Microsoft admits that the Protect Document feature is not a true security feature. But the software giant hasn't gone out of its way to tell its customers. As a result, many businesses and individuals are unaware that 'protected' documents they send out are in fact susceptible to modification. I think that's just plain irresponsible.

The vulnerability of the Protect Document feature came to light recently, when Thorsten Delbrouck, chief information officer of security company Guardeonic Solutions, announced on the security newsgroup Bugtraq that he could make changes in a 'protected' document -- without the owner of the document having any proof he did so. Delbrouck says he notified Microsoft of this flaw in November 2003.

Microsoft knew about it

Turns out this isn't exactly breaking news. Back in 2001, at the Black Hat Win2k Security Briefing, members of Russian software company ElcomSoft demonstrated the relative insecurity of all the Microsoft Excel, Word, VBA and Outlook file-protection schemes. In fact, during the 2001 presentation, ElcomSoft suggested the same method that Mr Delbrouck outlined in his Bugtraq post.

According to the ElcomSoft presenters, the password-protection flaws exist in part because of the US export rules regarding high-end encryption. In other words, to provide a truly secure Word and Excel, Microsoft would have to sell two versions: a high-encryption version in the United States and a low-encryption version for the rest of the world.

What's unfortunate is that while Microsoft acknowledged ElcomSoft's claims in a March 2001 technical newsletter, the company didn't include this information in its online FAQ about securing Word and Excel.

Only after Delbrouck revived interest in the matter did Microsoft publish a new document that redefines the Protect Document feature as a collaboration tool. Needless to say, the average Office user isn't necessarily going to know about this new definition. And certainly the name -- Protect Document -- implies (to me at least) security more than collaboration.

Secure your documents

If you want to ensure that your documents won't be edited by their readers, I recommend using non-Microsoft software. You could save your files as Adobe PDF files, although now OCR software can open and even modify PDFs. Another option is to encrypt the document with PGP Personal for Windows 8.0, an industrial-strength encryption program that costs about £50 for the full version. A free version is also available. This application will make sure that only your intended recipients can read or modify your documents.

I should mention that the latest Microsoft Office System includes digital-rights management systems for Word 2003, Excel 2003 and other applications, which provide better security for your documents. Of course, to get this protection, you'd need to invest in the new Office, which costs anywhere from £110 to £398 (inc. VAT). Given the software giant's uneven security reputation, I'd put my faith in a third-party solution instead.
