Microsoft Downplays Office Encryption Weakness

The software giant acknowledges a security researcher's warning of a serious flaw in the way RC4 encryption is implemented in Word and Excel documents, but it insists the threat is minimal.

A security researcher has issued an alert for a "serious security flaw" in the way document encryption is implemented in Microsofts Word and Excel products, warning that a widely-used encryption algorithm is being misused by the software giant.

However, Microsoft officials are downplaying the threat, insisting that the reported flaw poses a very low threat for users of the two popular word processing programs.

Hongjun Wu, a researcher at the Institute for Infocomm Research in Singapore, said Microsoft is misusing the RC4 (Rivest Cipher 4) algorithm that is licensed from RSA Data Security.

"[W]hen an encrypted document gets modified and saved, the initialization vector remains the same and thus the same keystream generated from RC4 is applied to encrypt the different versions of that document. The consequence is disastrous since a lot of information of the document could be recovered easily," Wu said in an advisory.

Wu provided several real-world examples of the risks presented by the flaw and argued that a dependence on the embedded encryption could be dangerous.

However, a spokesperson for Microsoft told that an early investigation of Wus findings showed that the issue did not present a major threat. "In some cases, an attacker may be able to read the contents of an encrypted file if multiple versions of that file are available to the attacker," the spokesperson acknowledged.

But, she explained, the attacker would need to have access to two distinct files with the same name that are protected by the same password in order to attempt an exploit. "Customers can help protect their information by restricting access to their encrypted Office documents as they are being created and revised, and by saving the document with a new password after making changes."

Wus advisory pointed out that, from the cryptographic point of view, Microsofts implementation of the encryption scheme in early versions of Word "does not provide any security protection."

/zimages/3/28571.gifMicrosoft is working on a new version of Microsoft Office aimed specifically at small-business managers. Click here to read more.

The problem revolves around an encrypted document that is resaved several times by multiple users. In proof-of-concept experiments, Wu found that the misuse of RC4 in Microsoft Word could present a very straightforward attack scenario. "It is quite easy to detect whether the same keystream has been used for more than once. For example, if the document contains only the ASCII characters, then the most significant bit of each plaintext byte remains 0 and we can simply use those bits for detection," he wrote.

"Once we obtained two different documents encrypted with the same keystream, a lot of information could be retrieved."

Microsofts spokesperson said the company would continue to investigate Wus findings and, if necessary, will provide a security update to protect customers. "This may include providing a security update through our monthly release process, a service pack, or an out-of-cycle security update, depending on customer needs."

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.