Attachments to Office files not encrypted

Description:Not only is the "encryption" used for Microsoft Office applications hopelessly weak, but attachments are not encrypted at all.
Compromise:Read attachments to "encrypted" Office documents without having to spend 30 seconds decrypting them.
Vulnerable Systems:Microsoft Office 95 and 97
Date:7 November 1997

Date: Fri, 7 Nov 1997 10:02:24 -0600
From: Aleph One <aleph1@DFW.NET>
Subject: Microsoft Office security bug

---------- Forwarded message ----------
Date: Fri, 07 Nov 1997 08:32:21 -0600
Subject: Microsoft Office security bug

(First posting didn't get out, sorry if repeated.)

I discovered what looks like a major hole in Microsoft Office (95 and 97)
passworded files.

While the files are encrypted (and I know that the Office 95 file
encryption is laughably weak), *the file attachments are not.* So if you
attach a Visio picture or Excel spreadsheet to a passworded Word file,
they are saved in the clear. Any ASCII file viewer can be used to easily
verify this.

Needless to say, one can get a lot of information from attachments.

This problem exists for both Word and Excel, 95 and 97.

I e-mailed to and never received a reply besides
the boilerplate "if we consider this a security problem we'll contact you
within one business day, otherwise call support."

So if you really want to safeguard your MS Office files, use a third-party
encryption package.

Alan Lustiger

These are my opinions only, not AT&T's. AT&T is not responsible for
this posting.

-------------------==== Posted via Deja News ====-----------------------     Search, Read, Post to Usenet

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: