Re: Microsoft Office security bug

Inigo Gonzalez (igonzalez@ATI.ES)
Tue, 11 Nov 1997 10:36:51 +0100


On Fri, 7 Nov 1997, Aleph One wrote:

> I discovered what looks like a major hole in Microsoft Office (95 and 97)
> passworded files.
> While the files are encrypted (and I know that the Office 95 file
> encryption is laughably weak), *the file attachments are not.* So if you
> attach a Visio picture or Excel spreadsheet to a passworded Word file,
> they are saved in the clear. Any ASCII file viewer can be used to easily
> verify this.
> Needless to say, one can get a lot of information from attachments.

  I am no expert on Win32 / OLE-COM-ActiveX, but it seems that
this isn't Office's fault, but OLE's.

  AFAIK, every OLE container is responsible for its own data;
in this case, you tell Word to cipher its own data, and
Excel/Visio/etc... data is not Word's business so it's not

  Remember: when you talk to OLE objects, you delegate to them
a part of your file + archiving capabilities.

  I will take a look at the OLE/COM spec to see if there's a
way to tell a COM object to cipher itself, but I seriously
doubt there is one...

So long,
 Iñigo Gonzalez - cfingerd maintainer
 e-mail fileserver available: mail me with 'send pgp-key'
  for my public key. Use 'send help' for instructions.
   (don't expect immediate response: I'm on a dialup)


