Reported January 4, 2004 by Thorsten Delbrouck.





  • Microsoft Word 2003 and 2002 (XP)




Microsoft Word contains a protection-bypass vulnerability. By performing a simple process (outlined in the demonstration below), a malicious user can unprotect a protected document without the use of a password cracker or other special tools.

The discoverer posted the following demonstration as proof of concept:


1.)    Open a protected document in Word.

2.)    Choose the Save As Web Page (*.htm; *.html) option and close Word.

3.)    Open the HTML document in any text editor.

4.)    Search for the <w:UnprotectPassword> tag; the line looks like: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>. Gather the password.

5.)    Open the original .doc document with any hex editor.

6.)    Search for hex values of the password (reverse order).

7.)    Overwrite all four double-bytes with 0x00. Save, and close.

8.)    Open the document in Word. Select Tools, Unprotect Document. Password is blank.
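For defenders, step 4 means that any published Save As Web Page export of a protected document carries the protection value in clear text. The following Python check is an added example, not part of the original advisory or the discoverer's demonstration: it flags such exports without echoing the value and strips the element before publication. The sample HTML is constructed and the function names are hypothetical.

```python
import re

# Element Word writes into "Save As Web Page" output (step 4 of the demonstration).
TAG_RE = re.compile(
    r"<w:UnprotectPassword>\s*([^<]*?)\s*</w:UnprotectPassword>", re.IGNORECASE
)
HEX8_RE = re.compile(r"[0-9A-Fa-f]{8}")

# Constructed sample; only the UnprotectPassword line is taken from the advisory.
SAMPLE = (
    '<html xmlns:w="urn:schemas-microsoft-com:office:word">\n'
    "<head>\n"
    "<!--[if gte mso 9]><xml><w:WordDocument>\n"
    "<w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>\n"
    "</w:WordDocument></xml><![endif]-->\n"
    "</head><body><p>Form text</p></body></html>\n"
)


def find_exposures(html_text):
    """Return one finding per tag: its line number and whether the value has
    the 8-hex-digit shape shown in the advisory. The value is never returned,
    so scan reports do not become a second copy of the leaked data."""
    findings = []
    for m in TAG_RE.finditer(html_text):
        findings.append({
            "line": html_text.count("\n", 0, m.start()) + 1,
            "well_formed": bool(HEX8_RE.fullmatch(m.group(1))),
        })
    return findings


def strip_exposures(html_text):
    """Return (clean_text, removed_count) with every tag removed, for exports
    that are about to be published or shared."""
    return TAG_RE.subn("", html_text)


if __name__ == "__main__":
    for f in find_exposures(SAMPLE):
        print("line %d: protection value exposed (8 hex digits: %s)"
              % (f["line"], f["well_formed"]))
    clean, removed = strip_exposures(SAMPLE)
    print("removed %d element(s); remaining findings: %d"
          % (removed, len(find_exposures(clean))))
```

Stripping the element only protects exports that are already in circulation; anyone holding the original .doc can produce the export themselves, as steps 1 and 2 show, so document protection should not be relied on to keep content unmodified.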




Microsoft has been notified.



Discovered by Thorsten Delbrouck.