
'Password protection? We were only joshing…'
Published: 7 January 2004 17:25 GMT
Microsoft Word documents that use the software's built-in password protection to avoid unauthorised editing can easily be modified using a relatively simple hack that was published on a security website last Friday.
The password-protection feature in Microsoft Word - activated by clicking on Tools/Protect Document - can be bypassed, disabled or deleted at will, with the help of a simple programming tool called a hex editor. The hack does not leave a trace, meaning an unauthorised user could remove the password protection from a document, edit it and then replace the original password.
Microsoft was informed about the vulnerability in late November by Thorsten Delbrouck, chief information officer of Guardeonic Solutions, which is a subsidiary of German security specialist Infineon Technologies. In early December, Microsoft denied there was a problem because, the company said, the password-protection feature is not intended to provide "fool-proof protection for tampering or spoofing" but is "merely a functionality to prevent accidental changes of a document".
This view is questioned by Delbrouck, who said that the 'feature' has serious legal implications for companies. He explained that one of his company's hardware suppliers is Dell, which emails its quotes as a form-protected Word document. What happens, asked Delbrouck, if Dell sends him an offer, he uses the hack to modify the offer in his favour, then signs it and faxes it back? "We would probably end up in court and an expert would probably look at the original document and say, 'this document is protected by a password that the customer could not have known. It has not been modified because the protection is still active and the document still has its original password,'" Delbrouck said.
Following Delbrouck's revelations, Microsoft updated its Knowledge Base article 822924, titled 'Overview of Office features that are intended to enable collaboration and that are not intended to increase security' to include the following warning to users: "When you are using the 'Password to Modify' feature, a malicious user may still be able to gain access to your password."
Delbrouck said there is no solution to the problem. Instead of using the protect feature, he advises companies sending sensitive information to use digital signatures or a different document format altogether, such as Adobe's PDF, which he has recommended to Dell in Germany.
Microsoft was not available for comment.
Munir Kotadia writes for ZDNet UK
Cool, that's great news, I was wondering how to ...
John Matlock
Is this really news? Sorry if I have missed someth...
Anonymous
Actually, we have reported about this problem almo...
Vladimir Katalov
Password crackers for the entire office suite have...
Anonymous
Adobe PDF is not a reliable solution either consid...
Anonymous
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.