How MS has beefed up Office XP security

31 August 2001 08:32 PM

Tags: smart tags, security, xp, office xp, outlook, password, document, hash

It seems Microsoft is paying more attention to security these days. And while Office XP is more secure than its predecessors, it offers some of the same old security options we've seen before, packaged as though they were new. Even so, Microsoft appears to be heading in the right direction.

Do you use password protection when you save documents in Office? I used to, until I saw how easy it was for anyone to view my Office 2000 document passwords in a simple hex editor. In one of the sessions I attended at February's Black Hat Windows 2000 Security Briefings, Andrey Malyshev of ElcomSoft demonstrated just how easy it was to crack passwords protecting Word and Excel documents. It turns out that Microsoft Office 97 and 2000 store their passwords as hashes within a document, and because of various export restrictions on strong encryption, these suites have weak encryption methods. Malyshev, whose company sells password recovery software, could uncover most passwords using a generic hex editor.

The advance literature states that Microsoft has beefed up its document security within Office XP by offering CryptoAPI. CryptoAPI has actually been available since Windows 95 OSR2, and appears here and there in various Microsoft products. CryptoAPI uses a password hash created with a Secure Hash Algorithm. While SHA is a stronger encryption method, the encrypted passwords within Office documents themselves can still be changed or even removed from the protected file with additional software (such as ElcomSoft's password recovery software). Malyshev's recommendation was to use some other form of document security, such as PGP.

Perhaps Microsoft's greatest security weakness in Office is its Outlook software. Office XP incorporates the security patch that was first released in Outlook 2000 SR2. Many have argued that the patch is draconian, and it is, but it will stop most worms from replicating themselves via Outlook's Address Book. However, Outlook 2002 will frustrate those who encounter it for the first time.

Peter Deegan of Woody's Newsletters, long a critic of the original Outlook security patch, has a solution: a program that reclassifies what Microsoft calls Level 1 files (just about every file type used today) into Level 2 files (all other files in use today). Instead of blocking the Level 2 files entirely, this program allows users to save them and open them later (and if necessary, scan them using antivirus software).

So how foolproof is Outlook 2002's security? A UK publication, The Register, which has been running Outlook 2002 on a beta version of Windows XP, reported last week that two viruses slipped into their system, even though they had selected Outlook's default settings. The security in Outlook 2002 may not be perfect, but once it's in offices worldwide, it will slow the spread of viruses and worms like ILOVEYOU and Anna, which use the Address Book to propagate and, therein, replicate.

Some advances in Office XP are worth noting. For example, each application in Office XP now comes with standardised security options, and for the first time, PowerPoint also offers document protection. Want to change the security options in Excel or Access? It's as easy as going to the Tools menu and selecting Options. In addition--although I'm not sure how successful digital signatures will be in the corporate world--Office XP provides users with the option of digitally signing their documents.
