A hole in Microsoft’s ubiquitous word processing software, Word, makes its much-used security feature superfluous.
The “Protect Document” option in Tools is used when you want to prevent people from making unauthorised changes to specific areas of your document.
The feature allows you to attach a password to a file and so restrict the alteration of data on the page. Large numbers of companies use it to send customers quotes and invoices.
However, CIO of Infineon security subsidiary Guardeonic Solutions, Thorsten Delbrouck, has discovered that with a simple bit of manipulation, the document can be opened up, altered, and given a new password - or the original password so no-one would doubt its authenticity. The method is extremely easy and now posted on the Web.
Microsoft’s response to this potential legal nightmare has been classic Redmond. Informed in November and given until last week to respond, it will not be issuing a fix (presumably because such a fix is impossible).
And in the same way that bugs suddenly become features in Microsoft software, this security feature was never intended to be a security feature. It "is not intended as a full-proof protection for tampering or spoofing.” Instead it “is a functionality to prevent accidental changes of a document.”
And if you ever doubted it, Microsoft requested time to change its documents to reflect this new truism. Overview of Office Features That Are Intended to Enable Collaboration and That Are Not Intended to Increase Security now states that the Protect feature "helps prevent trustworthy users from making changes" and includes the warning: "When you are using the Protect form feature with a password, a malicious user may still be able to gain access to your password."
Just imagine all those idiots out there that had presumed that if you select “Protect Document” and then type in a password that the password would be kept secret. Shows how ignorant people can be about technology.
So, when is a security feature not a security feature? When Microsoft gets involved.