Major flaws in Microsoft Office file encryption

A Chinese academic has revealed a major problem with the way Microsoft's encryption tool handles Word and Excel files. This flaw could allow a cracker with basic cryptography skills to decrypt the files.

A Chinese cryptographer/mathematician has found serious vulnerabilities in the encryption used to protect a common class of Excel and Word files.


Q: What's worse than no cryptography?

A: Weak cryptography.

Why? Because if you have weak encryption (which few programmers, let alone users, really understand), users, managers, and corporate management believe their secrets are protected. At least, if you have no encryption, then no one is surprised to learn that documents can be easily compromised.

Many companies and individuals rely on the encryption technology provided by Microsoft for Office users but this is not a seriously secure encryption tool, as a recent academic paper demonstrates.

Hongjun Wu has discovered that RC4 is being critically misused in both Microsoft Word and Excel file encryption. RC4 is a stream cipher that can be applied with up to a 128-bit encryption level on any Word or Excel file.

A report in CNETasia highlighted this problem on January 10. The problem isn't terribly complex; in fact, it is a very basic vulnerability where multiple files are being encrypted using a fixed algorithm and the same password. This can easily be overcome by using different initialization vectors, but Microsoft Office fails to do this in some very common circumstances.

Note on basic encryption

For those who aren't familiar with even basic cryptography technology, it is common to use the same password and encryption algorithm. If you do this twice with similar information, then cracking one document is almost a trivial exercise when a second example is available. The use of XOR to compare two versions of a document is a well-known decryption tool. The way around this is simple—use a different factor as a starting point for each separate document being encrypted.

Microsoft Office does use a different initialization vector for each new document but the problem lies in the way it treats edited documents. Every time you open, edit, and resave the document, it is encrypted using the same key—since many documents are saved in multiple versions or are backed up, cracking the document can be relatively easy. This could apply to stolen backups, stolen PCs, discarded hard drives, or when multiple users pass an encrypted file back and forth.

Details proving the problem are available in an academic paper. This doesn't include an exploit, and getting plaintext data out of the encrypted files isn't a job for a script kiddie; however, a serious security professional would find the task relatively simple.


This vulnerability affects Microsoft Excel and Word documents saved using the provided Microsoft encryption system.

Mitigating factors

You would still need a basic knowledge of cryptography and access to multiple copies of a similar file encrypted using the same password, but that only provides protection against very unskilled attackers.


There is no way to fix this on your own until Microsoft, which has acknowledged the problem, provides a fix. Otherwise, all you can do is turn to a more secure encryption technology, especially when sharing files between different editors/contributors.

Final word

I can't emphasize enough that this vulnerability isn't some esoteric flaw, but an extremely basic error in simple cryptographic thinking that, even worse, was widely publicized in the crypto-community back in 1999 by Bruce Schneider of Counterpane Internet Security.

I always cringe when programmers tell me that they can easily write a crypto-algorithm but couldn't tell me the difference between a Prime and a Mersenne Prime. This was a hot button topic when I wrote a developer security newsletter for another CNET Web site, but that only reinforced my belief that encryption is the most vital and most poorly applied security technology in use today. Personally, I studied both quantum physics and the math needed to understand it and, despite a serious decades-long interest in cryptography, I would never attempt to create an end-to-end encryption scheme.

Those with knowledge of history, or who are fans of war movies, will recognize that decrypting very similar files is relatively easy and that this has been widely recognized for a long time.

Also watch for …

  • Oracle has released its quarterly security updates, some covering quite serious vulnerabilities. An 11-page PDF document explains the patches for 23 separate vulnerabilities in different versions of the database software. The document is extremely well-organized and provides lots of useful details about just what vulnerability exists where and how to repair it. Oracle has set a new standard for the way complex security updates should be documented.
  • The HIPPA deadline is looming on April 14, just the thing to cheer managers on the day before tax deadline. The Health Insurance Portability and Accountability Act (HIPPA) (Public Law 104-191) provides for severe penalties if those handling medical records get careless. This includes companies with information about employees as well as any medical-related businesses. There are some useful, publicly-accessible documents at the AICPA site (American Institute of Certified Public Accountants, Inc.). The overview document carries a good summary that you can pass along to upper management or even your accounting department.

Editor's Picks

Free Newsletters, In your Inbox