Security Basics mailing list archives
Re: password protection in office XP documents
From: Brian Eckman <eckman () umn edu>
Date: Tue, 17 Jun 2003 08:46:42 -0500
Leif Gregory wrote:
Hello Brian, Monday, June 16, 2003, 7:45:22 AM, you wrote: BE> If you had the office document open, which AFAIK you need to do in BE> order to save it as HTML, then don't you already know the BE> password? If not, how did you open it and save it as HTML without BE> knowing the password? That would be a flaw worth noting. No. There are varying levels of "protection". 1. Tracked Changes - Meaning any changes they make show up in a different color. They can't turn off the track changes without the password. 2. Comments - Allows them to add comments, but not change the original text without the password. 3. Forms - Allows them to only make changes to form fields, radio buttons, check boxes etc, but not the document text. Also allows them to modify the original text of unprotected sections without the password. All three of these forms of protection can be removed without the password as easily as the original poster states. This type of protection has nothing to do with the opening of the document. It only protects the contents from modification. All it does is to keep your average Joe from modifying a document.
OK, point taken.Gosh, if I wanted to bypass those, I'd copy the existing Office file into a new one and make my changes, then save it over the old one. Seems like it would be a quicker "hack", and would be easier for most people than saving it as HTML and editing the source code, then saving it back as an Office file.
Now, one could get into file system rights arguments, but if you save it as HTML, you are creating a new file. Now there will be a .doc and an .html, and if you have rights to turn the .html back into the .doc, then you can do what I mentioned above as well.
I still fail to see any flaw here. What was reported is opening the HTML file in Office and the protection is gone. The HTML file is a *new* file that you created; the original Office file still has the protection.
Thanks, Brian -- Brian Eckman Security Analyst OIT Security and Assurance University of Minnesota 612-626-7737 "There are 10 types of people in this world. Those who understand binary and those who don't." --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare.Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
Current thread:
- password protection in office XP documents security (Jun 13)
- RE: password protection in office XP documents Larry Seltzer (Jun 16)
- Re: password protection in office XP documents Brian Eckman (Jun 16)
- Re: password protection in office XP documents Leif Gregory (Jun 16)
- Re: password protection in office XP documents Brian Eckman (Jun 17)
- Re: password protection in office XP documents Leif Gregory (Jun 17)
- Re: password protection in office XP documents Brian Eckman (Jun 17)
- RE: password protection in office XP documents security (Jun 18)
- Re: password protection in office XP documents Brian Eckman (Jun 18)
- RE: password protection in office XP documents security (Jun 18)
- Re: password protection in office XP documents Leif Gregory (Jun 16)
- <Possible follow-ups>
- Re: password protection in office XP documents John Benstead (Jun 16)
- RE: password protection in office XP documents matt willson (Jun 16)
- RE: password protection in office XP documents news.ajanas (Jun 17)
- Re: password protection in office XP documents Leif Gregory (Jun 17)
- Re: password protection in office XP documents Brian Eckman (Jun 17)
- RE: password protection in office XP documents matt willson (Jun 16)