Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Microsoft Downplays Office Encryption Weakness

    By
    Ryan Naraine
    -
    January 20, 2005
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      A security researcher has issued an alert for a “serious security flaw” in the way document encryption is implemented in Microsofts Word and Excel products, warning that a widely-used encryption algorithm is being misused by the software giant.

      However, Microsoft officials are downplaying the threat, insisting that the reported flaw poses a very low threat for users of the two popular word processing programs.

      Hongjun Wu, a researcher at the Institute for Infocomm Research in Singapore, said Microsoft is misusing the RC4 (Rivest Cipher 4) algorithm that is licensed from RSA Data Security.

      “[W]hen an encrypted document gets modified and saved, the initialization vector remains the same and thus the same keystream generated from RC4 is applied to encrypt the different versions of that document. The consequence is disastrous since a lot of information of the document could be recovered easily,” Wu said in an advisory.

      Wu provided several real-world examples of the risks presented by the flaw and argued that a dependence on the embedded encryption could be dangerous.

      However, a spokesperson for Microsoft told eWEEK.com that an early investigation of Wus findings showed that the issue did not present a major threat. “In some cases, an attacker may be able to read the contents of an encrypted file if multiple versions of that file are available to the attacker,” the spokesperson acknowledged.

      But, she explained, the attacker would need to have access to two distinct files with the same name that are protected by the same password in order to attempt an exploit. “Customers can help protect their information by restricting access to their encrypted Office documents as they are being created and revised, and by saving the document with a new password after making changes.”

      Wus advisory pointed out that, from the cryptographic point of view, Microsofts implementation of the encryption scheme in early versions of Word “does not provide any security protection.”

      /zimages/3/28571.gifMicrosoft is working on a new version of Microsoft Office aimed specifically at small-business managers. Click here to read more.

      The problem revolves around an encrypted document that is resaved several times by multiple users. In proof-of-concept experiments, Wu found that the misuse of RC4 in Microsoft Word could present a very straightforward attack scenario. “It is quite easy to detect whether the same keystream has been used for more than once. For example, if the document contains only the ASCII characters, then the most significant bit of each plaintext byte remains 0 and we can simply use those bits for detection,” he wrote.

      “Once we obtained two different documents encrypted with the same keystream, a lot of information could be retrieved.”

      Microsofts spokesperson said the company would continue to investigate Wus findings and, if necessary, will provide a security update to protect customers. “This may include providing a security update through our monthly release process, a service pack, or an out-of-cycle security update, depending on customer needs.”

      /zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Ryan Naraine
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×