When a Microsoft Word document has protection for forms turned on, the password for the protection feature is stored in the Word document. When the document is saved as an HTML document, that password is written in hash form to the w:UnprotectPassword header field of the HTML document. This makes it easy to discover where the password is located in the original Word document and then null it out with a hex editor. The vendor has stated that this feature is not intended to provide document security but is instead implemented to aid collaboration in situations where all parties are trusted. However, the issue still presents a security risk in scenarios where the feature is mistakenly used as a measure to prevent documents from being modified.
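An added example, not part of the original advisory or of any vendor tooling: a pre-publication check that flags Word HTML exports carrying the w:UnprotectPassword field and removes it before the file is shared. It assumes the field is written as an XML-style element; the function names, the sample document and its hash value are constructed for illustration.

```python
import re

# Assumption: the field is serialized as an XML-style element, e.g.
# <w:UnprotectPassword>HASH</w:UnprotectPassword>. Matching on raw bytes
# avoids guessing the export's character encoding.
FIELD_RE = re.compile(
    rb"<\s*w:UnprotectPassword\s*>(.*?)<\s*/\s*w:UnprotectPassword\s*>",
    re.IGNORECASE | re.DOTALL,
)


def audit_html_export(data: bytes) -> dict:
    """Report whether an HTML export carries the field, without echoing the hash."""
    hits = FIELD_RE.findall(data)
    return {
        "leaks_hash": bool(hits),
        "occurrences": len(hits),
        # Lengths only: the hash value itself is never returned or logged.
        "value_lengths": [len(h.strip()) for h in hits],
    }


def scrub_html_export(data: bytes) -> bytes:
    """Return a copy of the export with every w:UnprotectPassword element removed."""
    return FIELD_RE.sub(b"", data)


# Constructed sample of a Word HTML export; DEADBEEF is a placeholder, not a real hash.
SAMPLE = (
    b'<html xmlns:w="urn:schemas-microsoft-com:office:word">\r\n'
    b"<head><!--[if gte mso 9]><xml>\r\n"
    b" <w:WordDocument>\r\n"
    b"  <w:UnprotectPassword>DEADBEEF</w:UnprotectPassword>\r\n"
    b" </w:WordDocument>\r\n"
    b"</xml><![endif]--></head><body><p>Form</p></body></html>\r\n"
)

if __name__ == "__main__":
    print("before:", audit_html_export(SAMPLE))
    print("after: ", audit_html_export(scrub_html_export(SAMPLE)))
```

Scrubbing the export only stops the HTML copy from disclosing the hash; as the vendor's statement above indicates, form protection on the Word document itself should not be relied on to prevent modification.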