MS Office 95 and 97

Reported November 11, 1997 by Alan Lustiger

Systems Affected

MS Office 95 and 97 Users

The Problem

I discovered what looks like a major hole in Microsoft Office (95 and 97) passworded files.

While the files are encrypted (and I know that the Office 95 file encryption is laughably weak), *the file attachments are not.* So if you attach a Visio picture or Excel spreadsheet to a passworded Word file, they are saved in the clear. Any ASCII file viewer can be used to easily verify this.

Needless to say, one can get a lot of information from attachments.

This problem exists for both Word and Excel, 95 and 97.
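The ASCII-viewer check described above can be scripted to audit a protected file before it is shared. This is an added example, not part of the original report: it lists readable ASCII and UTF-16LE runs in an OLE compound file, skipping standard stream names. The function name, the 8-character threshold and the sample bytes are assumptions made for illustration.

```python
import re

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound-file signature
# Standard stream names: container structure, not document content.
STRUCTURAL = {"Root Entry", "WordDocument", "Workbook",
              "SummaryInformation", "DocumentSummaryInformation"}


def cleartext_runs(data, min_len=8):
    """Return sorted (offset, encoding, text) for readable runs in an OLE file."""
    if not data.startswith(OLE_MAGIC):
        raise ValueError("not an OLE2 compound file")
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    runs = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_re.finditer(data)]
    runs += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in utf16_re.finditer(data)]
    # Drop the container's own stream names so only content is reported.
    return sorted(r for r in runs if r[2].strip() not in STRUCTURAL)


# Constructed sample: high-bit filler stands in for encrypted document text,
# followed by two unencrypted fragments like those an embedded object leaves.
_FILLER = bytes(0x80 + (i * 37) % 128 for i in range(1024))
SAMPLE = (OLE_MAGIC + _FILLER
          + "WordDocument".encode("utf-16-le") + b"\x00" * 4
          + b"Q3 salary table: CONFIDENTIAL" + _FILLER
          + "Budget.xls".encode("utf-16-le") + _FILLER)

if __name__ == "__main__":
    for offset, encoding, text in cleartext_runs(SAMPLE):
        print(f"0x{offset:06x}  {encoding:<8}  {text}")
```

Any run reported for a file that is supposed to be password protected is content a reader without the password can see.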

Stopping the Problem:

Alan says: If you really want to safeguard your MS Office files, use a third-party encryption package on the files.

Vendor's Response:

I e-mailed secure@microsoft.com and never received a reply besides the boilerplate "if we consider this a security problem we'll contact you within one business day, otherwise call support."


Credit:
Reported by Alan Lustiger
Posted here at NTSecurity.Net February 15, 1997