Attachments to Office files not encrypted
Description: Not only is the "encryption" used for Microsoft Office applications hopelessly weak, but attachments are not encrypted at all.
Author: lustiger@att.com
Compromise: Read attachments to "encrypted" Office documents without having to spend 30 seconds decrypting them.
Vulnerable Systems: Microsoft Office 95 and 97
Date: 7 November 1997

Date: Fri, 7 Nov 1997 10:02:24 -0600
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Microsoft Office security bug

---------- Forwarded message ----------
Date: Fri, 07 Nov 1997 08:32:21 -0600
From: lustiger@att.com
To: lustiger@att.com
Newsgroups: comp.security.misc, alt.security
Subject: Microsoft Office security bug

(First posting didn't get out, sorry if repeated.)

I discovered what looks like a major hole in Microsoft Office (95 and 97)
passworded files.

While the files are encrypted (and I know that the Office 95 file
encryption is laughably weak), *the file attachments are not.* So if you
attach a Visio picture or Excel spreadsheet to a passworded Word file,
they are saved in the clear. Any ASCII file viewer can be used to easily
verify this.

Needless to say, one can get a lot of information from attachments.

This problem exists for both Word and Excel, 95 and 97.

I e-mailed to secure@microsoft.com and never received a reply besides
the boilerplate "if we consider this a security problem we'll contact you
within one business day, otherwise call support."

So if you really want to safeguard your MS Office files, use a third-party
encryption package.

--
Alan Lustiger
lustiger@att.com
These are my opinions only, not AT&T's. AT&T is not responsible for
this posting.
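
A defender's check for the condition the posting describes, as an added example that is not part of the original message: it lists the printable ASCII and UTF-16LE runs a file viewer would show in a saved file and reports whether planted canary strings are readable. The sample bytes, the XOR stand-in for the protected document body and the canary names are constructed assumptions, not the real Office file layout.

```python
import re

def cleartext_runs(data: bytes, min_len: int = 8):
    """List (offset, encoding, text) for printable runs, as a file viewer would show."""
    patterns = {
        "ascii": rb"[\x20-\x7e]{%d,}" % min_len,
        "utf-16le": rb"(?:[\x20-\x7e]\x00){%d,}" % min_len,
    }
    runs = []
    for enc, pat in patterns.items():
        for m in re.finditer(pat, data):
            runs.append((m.start(), enc, m.group().decode(enc)))
    return sorted(runs)

def find_canaries(data: bytes, canaries):
    """Map each canary string to the (offset, encoding) pairs where it is readable."""
    hits = {}
    for c in canaries:
        hits[c] = [(m.start(), enc)
                   for enc in ("ascii", "utf-16le")
                   for m in re.finditer(re.escape(c.encode(enc)), data)]
    return hits

def build_sample() -> bytes:
    """Constructed test file: masked body followed by an unprotected embedded object."""
    key = bytes(range(0x81, 0x91))  # constructed 16-byte key, hypothetical
    body = b"BODY-CANARY-1209 merger terms for the board"
    masked = bytes(b ^ key[i % len(key)] for i, b in enumerate(body))
    attachment = (b"ATTACH-CANARY-7731 Q4 salary table" + b"\x00\x00"
                  + "Embedded Sheet".encode("utf-16le"))
    header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound-file signature
    return header + masked + b"\x00" * 4 + attachment

if __name__ == "__main__":
    sample = build_sample()
    for off, enc, text in cleartext_runs(sample):
        print(f"0x{off:04x} {enc:9s} {text}")
    canaries = ["BODY-CANARY-1209", "ATTACH-CANARY-7731", "Embedded Sheet"]
    for name, found in find_canaries(sample, canaries).items():
        print(name, "READABLE at" if found else "not readable", found)
```

To use it on real documents, plant a unique canary string in a test attachment, save the host document with a password, and pass the saved file's bytes to `find_canaries`.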