Re: Microsoft Office security bug


Inigo Gonzalez (igonzalez@ATI.ES)
Tue, 11 Nov 1997 10:36:51 +0100


-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 7 Nov 1997, Aleph One wrote:

> I discovered what looks like a major hole in Microsoft Office (95 and 97)
> passworded files.
>
> While the files are encrypted (and I know that the Office 95 file
> encryption is laughably weak), *the file attachments are not.* So if you
> attach a Visio picture or Excel spreadsheet to a passworded Word file,
> they are saved in the clear. Any ASCII file viewer can be used to easily
> verify this.
>
> Needless to say, one can get a lot of information from attachments.

  I am no expert on Win32 / OLE-COM-ActiveX, but it seems that
this isn't Office's fault, but OLE's.

  AFAIK, every OLE container is responsible for its own data;
in this case, you tell Word to cipher its own data, and
Excel/Visio/etc... data is not Word's business, so it's not
ciphered.

  Remember: When you talk to OLE objects, you delegate them
a part of your file + archiving capabilities.

  I will take a look at the OLE/COM spec to see if there's a
way to tell a COM object to cipher itself, but I seriously
doubt there is one...

So long,
 --
 Iñigo Gonzalez <igonzalez@ati.es> - cfingerd maintainer
 e-mail fileserver available: mail me with 'send pgp-key'
  for my public key. Use 'send help' for instructions.
   (don't expect immediate response: I'm on a dialup)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

-----END PGP SIGNATURE-----



This archive was generated by hypermail 2.0b3 on Sun Aug 08 1999 - 09:37:50 CEST