
Microsoft Word Form Protection Bypass Vulnerability


Secunia ID: SA10529
Release Date: 05 Jan 2004
Criticality: Not Critical
Solution Status: Vendor Workaround

Software:
Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 97
Microsoft Office XP
Microsoft Word 2000
Microsoft Word 2002
Microsoft Word 97

Where: Local system
Impact: Manipulation of data

This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but is not necessarily able to gain escalated privileges or system access.

The most frequent vulnerabilities with this impact are SQL-injection vulnerabilities, where a malicious user or person can manipulate SQL queries.

Description

Thorsten Delbrouck has reported a vulnerability in Microsoft Word, which can be exploited by malicious people to manipulate protected documents.

Microsoft Word includes a "form" password protection mechanism to prevent manipulation of documents. However, it is possible to bypass this mechanism by clearing the password checksum in the document (setting it to "0x00000000" with a hex editor).

The original password checksum to search for can be found by saving a protected document as a ".html" file and then looking at the value in the "" tag.

Solution

Don't rely on this feature to protect documents from malicious tampering.

Microsoft has responded that this feature is meant to protect against accidental changes only and is not intended to increase security. A knowledge base article describing this issue is available at:

http://support.microsoft.com/?id=822924
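
A tamper check that does not depend on Word's form protection, shown as an added example (not part of the advisory and not Microsoft code): a detached HMAC-SHA256 tag stored apart from the document, plus a byte diff against the issuer's copy. The key, the function names and the sample bytes are constructed for illustration; the sample bytes do not follow the real Word file layout.

```python
import hashlib
import hmac


def seal(document: bytes, key: bytes) -> str:
    """Return a detached HMAC-SHA256 tag; store it apart from the document."""
    return hmac.new(key, document, hashlib.sha256).hexdigest()


def verify(document: bytes, key: bytes, tag: str) -> bool:
    """True only if the document is byte-for-byte what was sealed."""
    return hmac.compare_digest(seal(document, key), tag)


def changed_ranges(original: bytes, candidate: bytes) -> list:
    """Return (offset, length) runs where candidate differs from the issuer's copy."""
    runs, start = [], None
    limit = min(len(original), len(candidate))
    for i in range(limit):
        if original[i] != candidate[i]:
            if start is None:
                start = i          # a differing run begins here
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, limit - start))
    if len(original) != len(candidate):
        # Appended or truncated tail counts as a change too.
        runs.append((limit, abs(len(original) - len(candidate))))
    return runs


# Constructed sample data (not a real .doc): header, 4-byte checksum field, body.
KEY = b"constructed-demo-key"  # assumption: in practice a managed secret
CHECKSUM = bytes.fromhex("9a3c51e7")
ISSUED = b"FORMHDR" + CHECKSUM + b"Amount: 100 EUR"
# The same document after the checksum field was cleared and the body edited.
TAMPERED = ISSUED.replace(CHECKSUM, bytes(4)).replace(b"100", b"900")

if __name__ == "__main__":
    tag = seal(ISSUED, KEY)
    print("issued copy verifies:  ", verify(ISSUED, KEY, tag))
    print("tampered copy verifies:", verify(TAMPERED, KEY, tag))
    print("changed byte ranges:   ", changed_ranges(ISSUED, TAMPERED))
```

The tag only covers documents that are meant to stay unchanged after issue; a form that recipients legitimately fill in will differ from the sealed copy, so its fixed text has to be compared against the issuer's original instead.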

Reported by

Thorsten Delbrouck