New Vulnerability in MS Word
VERSIONS AFFECTED
DESCRIPTION
Microsoft Word contains a protection-bypass vulnerability. By performing a simple process (outlined in the demonstration below), a malicious user can unprotect a protected document without the use of a password cracker or other special tools.
DEMONSTRATION
The discoverer posted the following demonstration as proof of concept:
1.) Open a protected document in Word.
2.) Choose the Save As Web Page (*.htm; *.html) option and close Word.
3.) Open the HTML document in any text editor.
4.) Search the <w:UnprotectPassword> tag for a line that looks like: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>. Gather the password.
5.) Open the original .doc document with any hex editor.
6.) Search for hex values of the password (reverse order).
7.) Overwrite all four double-bytes with 0x00. Save, and close.
8.) Open the document in Word. Select Tools, Unprotect Document. Password is blank.