Microsoft Office security bug

aleph1DFW.NET

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: David LeBlanc: "Re: L0pht Advisory: IE4.0"
• Previous message: DilDog: "L0pht Advisory: IE4.0"
• Next in thread: Inigo Gonzalez: "Re: Microsoft Office security bug"

---------- Forwarded message ----------
Date: Fri, 07 Nov 1997 08:32:21 -0600
From: lustigeratt.com
To: lustigeratt.com
Newsgroups: comp.security.misc, alt.security
Subject: Microsoft Office security bug

(First posting didn't get out, sorry if repeated.)

I discovered what looks like a major hole in Microsoft Office (95 and 97)
passworded files.

While the files are encrypted (and I know that the Office 95 file
encryption is laughably weak), *the file attachments are not.* So if you
attach a Visio picture or Excel spreadsheet to a passworded Word file,
they are saved in the clear. Any ASCII file viewer can be used to easily
verify this.

Needless to say, one can get a lot of information from attachments.

This problem exists for both Word and Excel, 95 and 97.

I e-mailed to securemicrosoft.com and never received a reply besides
the boilerplate "if we consider this a security problem we'll contact you
within one business day, otherwise call support."

So if you really want to safeguard your MS Office files, use a third-party
encryption package.

--
Alan Lustiger
lustigeratt.com

These are my opinions only, not AT&T's. AT&T is not responsible for
this posting.

-------------------==== Posted via Deja News ====-----------------------
      http://www.dejanews.com/     Search, Read, Post to Usenet

• Next message: David LeBlanc: "Re: L0pht Advisory: IE4.0"
• Previous message: DilDog: "L0pht Advisory: IE4.0"
• Next in thread: Inigo Gonzalez: "Re: Microsoft Office security bug"