A researcher has uncovered what is claimed to be a “serious” flaw in the way Microsoft implements document encryption in Word and Excel.
The problem relates to the way Microsoft implements the 128-bit RC4 encryption algorithm when re-saving documents after their initial creation. In this situation it appears that the programs use the same password key and the same initialisation vector to encrypt different versions of the same document. Normally, where the same password key is being used, a different vector should be used each time, so that the versions are not encrypted with the same keystream.
The problem emerged from detailed investigation by Hongjun Wu of the Institute of Infocomm Research in Singapore and has been dissected by him in a new paper, “The Misuse of RC4 in Microsoft Word and Excel”.
The flaw, which is believed to affect all current versions of the Office programs named, sounds highly technical, but Wu describes a number of everyday scenarios where it would seriously undermine document security. One likely compromise arises where two co-workers edit successive versions of a document while the password remains constant.
“By XORing [a mathematical function] those two versions we could obtain a lot of information about the document,” he reports. “Once we obtained two different documents encrypted with the same keystream a lot of information could be retrieved.”
In his paper, Wu describes performing a proof-of-flaw experiment on a Word file, where he compared two versions which were identical except for a single word. He noticed that the binary output of the two encrypted files was identical except in the region corresponding to the plaintext change to the original.
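The effect Wu observed can be reproduced with a small model, given here as an added example that is not code from the paper or from Microsoft. The key derivation (SHA-1 over IV and password), the sample sentences, the password and the all-zero IV are constructed assumptions; only the RC4 cipher itself is standard.

```python
import hashlib
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def save(password: str, iv: bytes, doc: bytes) -> bytes:
    # Assumed derivation, for illustration only (not Office's real scheme):
    # 128-bit RC4 key = first 16 bytes of SHA-1(iv || password).
    return rc4(hashlib.sha1(iv + password.encode()).digest()[:16], doc)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def differing_span(c1: bytes, c2: bytes):
    """(first, last) offsets at which two ciphertexts differ, or None."""
    diff = [i for i, (x, y) in enumerate(zip(c1, c2)) if x != y]
    return (diff[0], diff[-1]) if diff else None

# Constructed sample data: two versions identical except for one word.
V1 = b"Q3 forecast: revenue will rise by ten percent next year."
V2 = b"Q3 forecast: revenue will fall by ten percent next year."
PASSWORD, FIXED_IV = "example-password", bytes(16)

def reused_iv():   # the flawed behaviour: same password, same IV on re-save
    return save(PASSWORD, FIXED_IV, V1), save(PASSWORD, FIXED_IV, V2)

def fresh_iv():    # the expected behaviour: new random IV on every save
    return save(PASSWORD, os.urandom(16), V1), save(PASSWORD, os.urandom(16), V2)

if __name__ == "__main__":
    c1, c2 = reused_iv()
    print("reused IV: ciphertexts differ only at", differing_span(c1, c2))
    print("reused IV: c1^c2 == p1^p2 ->", xor(c1, c2) == xor(V1, V2))
    d1, d2 = fresh_iv()
    print("fresh IV:  ciphertexts differ at", differing_span(d1, d2))
    print("fresh IV:  c1^c2 == p1^p2 ->", xor(d1, d2) == xor(V1, V2))
```

With the IV reused, the keystream cancels out of the XOR and the two ciphertexts differ only where the word changed; with a fresh IV per save, neither relationship holds.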
Security guru Bruce Schneier comments on the flaw in his 18 January weblog, where he recalls Microsoft encountering a similar flaw five years ago in Windows NT 4.0’s SYSKEY.
Microsoft has accepted the existence of the flaw and promised that after a review it will "take the appropriate actions to protect customers, which may include providing a security update through our monthly release process, a service pack, or an out-of-cycle security update."
The software giant claimed the flaw posed a "very low threat" for customers and said it was unaware of any malicious attacks using it - but then it would be unaware, as would the compromised document owners. Instead it turned on Wu, stating: "Microsoft is concerned that this new vulnerability in Microsoft Office was not disclosed responsibly, potentially putting computer users at risk. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the fix is being developed."
It has a point, but that doesn't diminish the fact that Word/Excel document encryption is, as of today, about as useful as a chocolate teapot.