Sunday 11 January 2004

Microsoft Word's Insecurity Feature

Edward W. Felten explains Microsoft Word's Insecurity Feature better than I am able to:

An "insecurity feature" is a product feature that looks like it provides security, but really doesn't. Insecurity features can make you less secure, because they trick you into trusting something of value to a product that can't properly protect it.

A classic example is the "Password to Modify" feature of Microsoft Word, as revealed recently on BugTraq by Thorsten Delbrouck-Konetzko. This feature allows a document's author to establish a password that must be entered before the document can be modified. That would be a pretty useful feature -- if Word actually provided it. But as Mr. Delbrouck-Konetzko revealed, it is easy for anybody to modify such a file without knowing the password. In other words, Password to Modify is an insecurity feature.

A few paragraphs later, he explains why he thinks "Password to open a file" is a security feature while "Password to modify" is an insecurity feature.

Unfortunately, Microsoft has put a new spin on MS Word's "Password to modify" feature, but if you have access to MS Word on your system, read up on "Password to modify" in the help files.