Re: password protection in office XP documents

[Brian Eckman <eckman () umn edu>]

Leif Gregory wrote:
> Hello Brian,
>
> Monday, June 16, 2003, 7:45:22 AM, you wrote:
> BE> If you had the office document open, which AFAIK you need to do in
> BE> order to save it as HTML, then don't you already know the
> BE> password? If not, how did you open it and save it as HTML without
> BE> knowing the password? That would be a flaw worth noting.
>
> No. There are varying levels of "protection".
>
> 1. Tracked Changes - Meaning any changes they make show up in a
>                      different color. They can't turn off the track
>                      changes without the password.
>
> 2. Comments - Allows them to add comments, but not change the original
>               text without the password.
>
> 3. Forms - Allows them to only make changes to form fields, radio
>            buttons, check boxes etc, but not the document text. Also
>            allows them to modify the original text of unprotected
>            sections without the password.
>
> All three of these forms of protection can be removed without the
> password as easily as the original poster states. This type of
> protection has nothing to do with the opening of the document. It only
> protects the contents from modification. All it does is to keep your
> average Joe from modifying a document.


OK, point taken.

Gosh, if I wanted to bypass those, I'd copy the existing Office file 
into a new one and make my changes, then save it over the old one. Seems 
like it would be a quicker "hack", and would be easier for most people 
than saving it as HTML and editing the source code, then saving it back 
as an Office file.

Now, one could get into file system rights arguments, but if you save it 
as HTML, you are creating a new file. Now there will be a .doc and an 
.html, and if you have rights to turn the .html back into the .doc, then 
you can do what I mentioned above as well.

I still fail to see any flaw here. What was reported is opening the HTML 
file in Office and the protection is gone. The HTML file is a *new* file 
that you created; the original Office file still has the protection.

Thanks,
Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
    
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
         
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------