On Fri, 7 Nov 1997, Aleph One wrote:
> I discovered what looks like a major hole in Microsoft Office (95 and 97)
> passworded files.
>
> While the files are encrypted (and I know that the Office 95 file
> encryption is laughably weak), *the file attachments are not.* So if you
> attach a Visio picture or Excel spreadsheet to a passworded Word file,
> they are saved in the clear. Any ASCII file viewer can be used to easily
> verify this.
>
> Needless to say, one can get a lot of information from attachments.

I am no expert on Win32 / OLE-COM-ActiveX, but it seems that
this isn't Office's fault, but OLE's.
AFAIK, every OLE container is responsible for its own data;
in this case, you tell Word to cipher its own data, and
Excel/Visio/etc... data is not Word's business, so it's not
ciphered.
Remember: when you talk to OLE objects, you delegate to them
a part of your file + archiving capabilities.
I will take a look at the OLE/COM spec to see if there's a
way to tell a COM object to cipher itself, but I seriously
doubt there is one...
So long,
--
Iñigo Gonzalez <igonzalez@ati.es> - cfingerd maintainer
e-mail fileserver available: mail me with 'send pgp-key'
for my public key. Use 'send help' for instructions.
(don't expect immediate response: I'm on a dialup)
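
Added example, not part of the original message or of any Microsoft code: a small Python audit helper that reads the OLE2 compound-file directory of a Word document and lists the embedded objects it carries, so they can be reviewed before relying on the Word password. It assumes the binary Word layout in which embedded objects are kept as sub-storages of a storage named "ObjectPool" (background knowledge, not stated in the thread); `sample_doc` builds a constructed test file.

```python
import struct

MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file signature
NONE, END = 0xFFFFFFFF, 0xFFFFFFFE          # NOSTREAM/FREESECT, ENDOFCHAIN

def read_directory(blob):
    """Parse the compound-file directory into a list of entry dicts (index = entry id)."""
    if blob[:8] != MAGIC:
        raise ValueError("not an OLE2 compound file")
    size = 1 << struct.unpack_from("<H", blob, 30)[0]        # sector size from header
    sector = lambda n: blob[(n + 1) * size:(n + 2) * size]   # sector 0 follows the header
    n_fat, sec = struct.unpack_from("<II", blob, 44)         # FAT count, first dir sector
    fat, entries, seen = [], [], set()
    for loc in struct.unpack_from("<109I", blob, 76)[:n_fat]:  # header DIFAT only
        fat += struct.unpack("<%dI" % (size // 4), sector(loc))
    while sec < len(fat) and sec not in seen:   # follow the directory sector chain
        seen.add(sec)
        data = sector(sec)
        for off in range(0, len(data) - 127, 128):           # 128-byte directory entries
            nlen, kind, _, left, right, child = struct.unpack_from("<HBB3I", data, off + 64)
            name = data[off:off + max(0, min(nlen, 64) - 2)].decode("utf-16-le", "replace")
            entries.append(dict(name=name, kind=kind, left=left, right=right, child=child))
        sec = fat[sec]
    return entries

def embedded_objects(blob):
    """Names of the storages under ObjectPool, one per embedded OLE object."""
    entries = read_directory(blob)
    pool = next((e for e in entries if e["kind"] == 1 and e["name"] == "ObjectPool"), None)
    stack = [pool["child"]] if pool else []
    found, seen = [], set()
    while stack:                                # walk the sibling tree of the pool's children
        i = stack.pop()
        if i < len(entries) and i not in seen:  # NONE and bad ids fall out here
            seen.add(i)
            found.append(entries[i]["name"])
            stack += [entries[i]["left"], entries[i]["right"]]
    return sorted(found)

def _entry(name, kind, left=NONE, right=NONE, child=NONE):
    raw = (name + "\0").encode("utf-16-le")
    return struct.pack("<64sHBB3I", raw, len(raw), kind, 1, left, right, child).ljust(128, b"\0")

def sample_doc():  # constructed file: header, one FAT sector, one directory sector
    head = struct.pack("<8s16s5H6s9I109I", MAGIC, b"", 0x3E, 3, 0xFFFE, 9, 6, b"",
                       0, 1, 1, 0, 4096, END, 0, END, 0, 0, *[NONE] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, END, *[NONE] * 126)
    return head + fat + (_entry("Root Entry", 5, child=1) + _entry("WordDocument", 2, left=2)
                         + _entry("ObjectPool", 1, child=3) + _entry("_1000000001", 1))
```

On a real file, pass the bytes read from disk to `embedded_objects`; a non-empty result means the document contains attachments whose protection should be checked separately.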