Reported January 4, 2004 by Thorsten Delbrouck.

  • Microsoft Word 2003 and 2002 (XP)

Microsoft Word contains a protection-bypass vulnerability. By performing a simple process (outlined in the demonstration below), a malicious user can unprotect a protected document without the use of a password cracker or other special tools.

The discoverer posted the following demonstration as proof of concept:


1.)    Open a protected document in Word.

2.)    Choose the Save As Web Page (*.htm; *.html) option and close Word.

3.)    Open the HTML document in any text editor.

4.)    Search for the <w:UnprotectPassword> tag; the line looks like <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>. Note the password value.

5.)    Open the original .doc document with any hex editor.

6.)    Search for the hex bytes of that password value, in reverse byte order.

7.)    Overwrite all four bytes (each a two-digit hex pair) with 0x00. Save and close.

8.)    Open the document in Word and select Tools, Unprotect Document. The password is blank.
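The procedure above shows that Word's document protection is not a security control: the value it stores is recoverable from the HTML export and can be zeroed in the .doc. The following script is an added audit example, not code from the advisory, its discoverer or Microsoft. It reads a Word HTML export, extracts the <w:UnprotectPassword> value, classifies the document's protection state, and checks whether a .doc still carries that value so that a tampered (zeroed) hash can be spotted after the fact. Assumptions: the stored value is a 32-bit hash of the protection password rather than the password itself, "reverse order" in step 6 means little-endian byte order, and the HTML fragment and .doc byte strings below are constructed samples, not real files.

```python
import re

# Word's HTML export records document protection in this element; the value
# is eight hex digits (the advisory's example is ABCDEF01). Assumption: it is
# a 32-bit hash of the protection password, not the password itself.
UNPROTECT_RE = re.compile(
    r"<w:UnprotectPassword>\s*([0-9A-Fa-f]{8})\s*</w:UnprotectPassword>"
)

# Constructed sample: a fragment of a Word HTML export for a protected document.
SAMPLE_HTML = """<w:WordDocument>
 <w:DocumentProtection>Forms</w:DocumentProtection>
 <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>
</w:WordDocument>"""


def extract_unprotect_value(html_text):
    """Return the eight-hex-digit value from <w:UnprotectPassword>, or None."""
    match = UNPROTECT_RE.search(html_text)
    return match.group(1).upper() if match else None


def stored_form(hex_value):
    """Bytes as they sit inside the .doc. The advisory says 'reverse order';
    assumption: that is little-endian, so ABCDEF01 is stored as 01 EF CD AB."""
    return bytes.fromhex(hex_value)[::-1]


def classify_protection(html_text):
    """Audit verdict for a document, based on its HTML export."""
    value = extract_unprotect_value(html_text)
    if value is None:
        return "no-protection"
    if value == "00000000":
        # A zeroed value is the state the advisory's step 7 produces: the
        # document still claims to be protected, but the password is blank.
        return "protection-blank-password"
    # Protection is set, but per this advisory it is bypassable anyway.
    return "protection-hash-present"


def protection_hash_intact(doc_bytes, hex_value):
    """True if the .doc still contains the value recorded in the export.
    False suggests the four bytes were altered after the export was taken."""
    return stored_form(hex_value) in doc_bytes


# Constructed .doc fragments (not real OLE2 files): padding around the value.
SAMPLE_DOC_INTACT = b"\x00" * 16 + stored_form("ABCDEF01") + b"\x00" * 16
SAMPLE_DOC_TAMPERED = b"\x00" * 40

if __name__ == "__main__":
    value = extract_unprotect_value(SAMPLE_HTML)
    print("export value:", value, "->", classify_protection(SAMPLE_HTML))
    print("intact .doc :", protection_hash_intact(SAMPLE_DOC_INTACT, value))
    print("tampered .doc:", protection_hash_intact(SAMPLE_DOC_TAMPERED, value))
```

The substring search in `protection_hash_intact` can match four unrelated bytes by chance, so treat a "still present" result as weak evidence and an "absent" result as the useful signal. The practical conclusion for a reviewer is the same in every branch of `classify_protection`: a document whose confidentiality or integrity matters needs encryption or signing, not Word's protect feature.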

Microsoft has been notified.

Discovered by Thorsten Delbrouck.