[5563] in bugtraq
Re: Microsoft Office security bug
daemon@ATHENA.MIT.EDU (Inigo Gonzalez)
Tue Nov 11 19:52:22 1997
Date: Tue, 11 Nov 1997 10:36:51 +0100
Reply-To: Inigo Gonzalez <igonzalez@ATI.ES>
From: Inigo Gonzalez <igonzalez@ATI.ES>
X-To: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.SUN.3.94.971107100206.25457B-100000@dfw.dfw.net>
-----BEGIN PGP SIGNED MESSAGE-----
On Fri, 7 Nov 1997, Aleph One wrote:
> I discovered what looks like a major hole in Microsoft Office (95 and 97)
> passworded files.
>
> While the files are encrypted (and I know that the Office 95 file
> encryption is laughably weak), *the file attachments are not.* So if you
> attach a Visio picture or Excel spreadsheet to a passworded Word file,
> they are saved in the clear. Any ASCII file viewer can be used to easily
> verify this.
>
> Needless to say, one can get a lot of information from attachments.
I am no expert on Win32 / OLE-COM-ActiveX, but it seems that
this isn't Office's fault, but OLE's.
AFAIK, every OLE container is responsible for its own data;
in this case, you tell Word to cipher its own data, and
Excel/Visio/etc. data is not Word's business, so it's not
ciphered.
Remember: When you talk to OLE objects, you delegate them
a part of your file + archiving capabilities.
I will take a look at OLE/COM spec to see if there's a
way to tell a COM object to cipher itself, but I seriously
doubt there is one...
So long,
--
Iñigo Gonzalez <igonzalez@ati.es> - cfingerd maintainer
e-mail fileserver available: mail me with 'send pgp-key'
for my public key. Use 'send help' for instructions.
(don't expect immediate response: I'm on a dialup)
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
-----END PGP SIGNATURE-----
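
Added example, not part of the original message or of any Microsoft code: a check of the point discussed in this thread, measuring per-stream byte entropy in an OLE compound file so that a stream left in the clear stands out next to an encrypted one. It assumes a version 3 file (512-byte sectors) and only looks at streams of 4096 bytes or more; the sample file and the stream name EmbeddedSheet are constructed, with random bytes standing in for the encrypted stream.

```python
import math, os, struct
MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")          # compound-file signature
FREE, END, SECT, CUTOFF = 0xFFFFFFFF, 0xFFFFFFFE, 512, 4096

def entropy(data):
    """Shannon entropy in bits per byte; ciphertext sits near 8.0."""
    return -sum(c / len(data) * math.log2(c / len(data))
                for c in map(data.count, set(data)))

def stream_entropy(blob):
    """Map stream name -> entropy for FAT-allocated streams of a v3 file."""
    if blob[:8] != MAGIC:
        raise ValueError("not an OLE compound file")
    fat = [e for s in struct.unpack_from("<109I", blob, 76) if s != FREE
           for e in struct.unpack_from("<128I", blob, (s + 1) * SECT)]
    def read(sector):
        out = []
        while sector < len(fat) and len(out) < len(fat):  # END/FREE stop the walk
            out.append(blob[(sector + 1) * SECT:(sector + 2) * SECT])
            sector = fat[sector]
        return b"".join(out)
    directory = read(struct.unpack_from("<I", blob, 48)[0])
    result = {}
    for off in range(0, len(directory), 128):             # 128-byte entries
        # name length, object type, (skip to offset 116) start sector, size
        nlen, kind, start, size = struct.unpack_from("<HB49x2I", directory, off + 64)
        if kind == 2 and size >= CUTOFF:                  # 2 = stream
            name = directory[off:off + nlen - 2].decode("utf-16-le")
            result[name] = entropy(read(start)[:size])
    return result

def _entry(name, kind, start, size):
    raw = name.encode("utf-16-le")
    return struct.pack("<64sHBB3I16sI2QIQ", raw, len(raw) + 2, kind, 1,
                       FREE, FREE, FREE, b"", 0, 0, 0, start, size)

def build_sample():
    """Constructed file; random bytes stand in for Word's encrypted stream."""
    streams = [("WordDocument", os.urandom(4096)),
               ("EmbeddedSheet", b"Q3 salary forecast;" * 216)]  # made-up name
    fat, ents, data = [0xFFFFFFFD, END], [_entry("Root Entry", 5, END, 0)], b""
    for name, body in streams:
        n = -(-len(body) // SECT)                         # sectors needed
        ents.append(_entry(name, 2, len(fat), len(body)))
        fat += list(range(len(fat) + 1, len(fat) + n)) + [END]
        data += body.ljust(n * SECT, b"\0")
    header = struct.pack("<8s16s5H6s9I109I", MAGIC, b"", 0x3E, 3, 0xFFFE, 9, 6, b"",
                         0, 1, 1, 0, CUTOFF, END, 0, END, 0, 0, *[FREE] * 108)
    return (header + struct.pack("<128I", *fat, *[FREE] * (128 - len(fat)))
            + b"".join(ents).ljust(SECT, b"\0") + data)
```

A stream that scores far below 8 bits per byte inside a file that is supposed to be password-protected is the one to open in a viewer and review.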