[448] in Best-of-Security
BoS: Microsoft Office security bug
daemon@ATHENA.MIT.EDU (Aleph One)
Wed Nov 12 18:51:50 1997
Date: Fri, 7 Nov 1997 10:02:24 -0600
Reply-To: Aleph One <aleph1@DFW.NET>
From: Aleph One <aleph1@DFW.NET>
Old-X-Originally-To: To: BUGTRAQ@NETSPACE.ORG
Old-X-Originated-From: From: Aleph One <aleph1@DFW.NET>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au
---------- Forwarded message ----------
Date: Fri, 07 Nov 1997 08:32:21 -0600
From: lustiger@att.com
To: lustiger@att.com
Newsgroups: comp.security.misc, alt.security
Subject: Microsoft Office security bug
(First posting didn't get out, sorry if repeated.)
I discovered what looks like a major hole in Microsoft Office (95 and 97)
passworded files.
While the files are encrypted (and I know that the Office 95 file
encryption is laughably weak), *the file attachments are not.* So if you
attach a Visio picture or Excel spreadsheet to a passworded Word file,
they are saved in the clear. Any ASCII file viewer can be used to easily
verify this.
Needless to say, one can get a lot of information from attachments.
This problem exists for both Word and Excel, 95 and 97.
I e-mailed to secure@microsoft.com and never received a reply besides
the boilerplate "if we consider this a security problem we'll contact you
within one business day, otherwise call support."
So if you really want to safeguard your MS Office files, use a third-party
encryption package.
--
Alan Lustiger
lustiger@att.com
These are my opinions only, not AT&T's. AT&T is not responsible for
this posting.
-------------------==== Posted via Deja News ====-----------------------
http://www.dejanews.com/ Search, Read, Post to Usenet
