RE: Microsoft Word Protection Bypass

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Umm... What exactly prevents you from just typing up your own "contract" and
then claiming they sent it to you?  Or printing a changed contract out and
claiming it was mailed to you?  Or taking of any of a million other
fraudulent actions?

The standard Office protection mechanisms aren't designed (and shouldn't be
expected) to be tamper-proof against a determined adversary.  For more
serious levels of protection, use the new DRM mechanisms in Office 2003.

-Eric

-----Original Message-----
From: Thorsten Delbrouck-Konetzko [mailto:Thorsten.Delbrouck@guardeonic.com]

Sent: Wednesday, January 07, 2004 12:57 AM
To: bugtraq@securityfocus.com
Cc: joop gerritse
Subject: Re: Microsoft Word Protection Bypass

joop gerritse <jjge@xs4all.nl> wrote on 03.01.2004 12:34:45:

> A much simpler trick is to write the document out
> in RTF form, and use a text editor.

There are several methods to extract the contents of a protected document, 
but that fails to be the point here.

Equipped with a method to unprotect/change/reprotect a document (with the 
original, unknown password) it becomes (close to) impossible to prove that 
the document actually *has* been modified. If a senders relies on the 
protection mechanism (like some corporations which send out offers as 
"protected" docs do) this might actually have legal consequences.

Example: Upon your request a vendor e-mails an offer for product foo to 
you, price 100,00 EUR (Word format, protected forms). To form a legally 
binding contract you are asked to print the doc, sign it and send it back. 
In most legal systems (and among merchants who have been entered as such 
in a commercial register) this process is suitable to form a legally 
binding contract between the two parties involved.

Now you could easily decide to change the price within the original 
document to 80,00 EUR, print it, sign it and send it back to the vendor 
(thus forming a legally binding contract between the vendor and you!).

They will of course insist on the 100 EUR version, you will insist on the 
80 EUR version. You'll take them to court. An expert will be asked to 
analyse the original electronic document you received and will most likely 
find that it's protected by a password which is highly likely to be known 
by the vendor only and that you could not have changed the document. They 
lose. You win. :-)

regards,
/tdk
[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux