Bugtraq mailing list archives
Re: Microsoft Office security bug
From: igonzalez () ATI ES (Inigo Gonzalez)
Date: Tue, 11 Nov 1997 10:36:51 +0100
On Fri, 7 Nov 1997, Aleph One wrote:

> I discovered what looks like a major hole in Microsoft Office (95 and 97) passworded files. While the files are encrypted (and I know that the Office 95 file encryption is laughably weak), *the file attachments are not.* So if you attach a Visio picture or Excel spreadsheet to a passworded Word file, they are saved in the clear. Any ASCII file viewer can be used to easily verify this. Needless to say, one can get a lot of information from attachments.

I am no expert on Win32 / OLE-COM-ActiveX, but it seems that this isn't Office's fault, but OLE's. AFAIK, every OLE container is responsible for its own data; in this case, you tell Word to cipher its own data, and Excel/Visio/etc... data is not Word's business, so it's not ciphered.

Remember: when you talk to OLE objects, you delegate to them a part of your file + archiving capabilities.

I will take a look at the OLE/COM spec to see if there's a way to tell a COM object to cipher itself, but I seriously doubt there is one...

So long,

--
Iñigo Gonzalez <igonzalez () ati es> - cfingerd maintainer
e-mail fileserver available: mail me with 'send pgp-key' for my public key.
Use 'send help' for instructions. (don't expect immediate response: I'm on a dialup)