Reported January 4, 2004 by Thorsten Delbrouck.
Microsoft Word 2003 and 2002 (XP)
Microsoft Word contains a protection-bypass vulnerability. By performing a simple process (outlined in the demonstration below), a malicious user can unprotect a protected document without the use of a password cracker or other special tools.
The discoverer posted the following demonstration as proof of concept:
1.) Open a protected document in Word.
2.) Choose the Save As Web Page (*.htm; *.html) option and close Word.
3.) Open the HTML document in any text editor.
4.) Search for the <w:UnprotectPassword> tag; you will find a line that looks like: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>. Gather the password.
5.) Open the original .doc document with any hex editor.
6.) Search for hex values of the password (reverse order).
7.) Overwrite all four double-bytes with 0x00. Save, and close.
8.) Open the document in Word. Select Tools, Unprotect Document. Password is blank.
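The lesson for anyone relying on Word's "Protect Document" feature is that the protection is only a short hash stored inside the file itself, so every copy of the document (and every Save As Web Page export) carries it. The following audit helper is an added example and is not part of the advisory or the discoverer's proof of concept. It scans an HTML export for the <w:UnprotectPassword> element named in the advisory and reports whether the file exposes a protection hash, and whether that hash is all zeros (the blank-password state the advisory's final steps produce). The sample HTML fragment is constructed for illustration and only contains the element the advisory mentions; all other function and field names are the example's own.

```python
import re

# Regex for the element the advisory names. Real Word exports place it inside
# an <xml> island in <head>; we only need the element itself, so search the
# whole document case-insensitively.
UNPROTECT_TAG = re.compile(
    r"<w:UnprotectPassword>(.*?)</w:UnprotectPassword>",
    re.IGNORECASE | re.DOTALL,
)

# The advisory's sample value "ABCDEF01" is eight hex digits, i.e. a 32-bit
# quantity. Anything else is reported as malformed rather than guessed at.
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Constructed sample of a "Save As Web Page" export from a protected document
# (trimmed; only the element the advisory refers to is kept).
SAMPLE_PROTECTED_HTML = """<html xmlns:w="urn:schemas-microsoft-com:office:word">
<head><!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>
 </w:WordDocument>
</xml><![endif]--></head>
<body><p>Constructed sample body.</p></body></html>"""


def audit_word_html(html: str) -> dict:
    """Report whether a Word HTML export exposes a document-protection hash.

    Returns a dict with:
      protected      - True if the <w:UnprotectPassword> element is present
      hash_exposed   - True if a value is carried in that element
      blank_password - True if the stored value is all zeros (blank password)
      finding        - human-readable summary for a review report
    The hash value itself is deliberately not returned: an audit only needs
    to know that the document relies on this mechanism, not what the value is.
    """
    match = UNPROTECT_TAG.search(html)
    if match is None:
        return {
            "protected": False,
            "hash_exposed": False,
            "blank_password": False,
            "finding": "no <w:UnprotectPassword> element; export carries no protection hash",
        }

    value = match.group(1).strip()
    if not HEX32.match(value):
        return {
            "protected": True,
            "hash_exposed": True,
            "blank_password": False,
            "finding": "protection element present but value is not 8 hex digits; treat as suspicious",
        }

    blank = int(value, 16) == 0
    return {
        "protected": True,
        "hash_exposed": True,
        "blank_password": blank,
        "finding": (
            "protection hash is all zeros: password is blank or has been zeroed"
            if blank
            else "document relies on Word protection; 32-bit hash is stored in the file "
                 "and its HTML export, so it is not an access control"
        ),
    }


def audit_word_html_file(path: str) -> dict:
    """Convenience wrapper: audit an export on disk (Word writes these as cp1252/UTF-8)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_word_html(fh.read())


if __name__ == "__main__":
    # Run against the constructed sample to show the report shape.
    print(audit_word_html(SAMPLE_PROTECTED_HTML))
```

Point the file wrapper at a directory of exports during a document-handling review and any hit means the document's "protection" should not be counted as a control for confidentiality or integrity; only real encryption or access control at the file-share or DMS layer does that.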
Microsoft has been notified.
Discovered by Thorsten Delbrouck.