Bradley Mountford, a digital forensics expert, today discovered a security vulnerability in Microsoft Office Excel 2007 regarding login information of external data sources.
Basically, there are two sides to this issue. If you password protect an entire Excel 2007 document, it’s no longer a true XML document; rather, it’s an XML document wrapped in an OLE container. If you tell your Excel document NOT to save the password to your data connection, but only password protect the Excel document against edits (not reads and edits), the password IS saved, in plain text!
Here’s how to recreate the issue:
- Create new MS Access database.
- Open the new DB in Exclusive mode.
- Create a simple table to query.
- Go to the Database tools tab, choose “Encrypt with Password”, and set your password (“grapes” for this example).
- Create a new Excel worksheet.
- Open the new worksheet and select a Cell.
- Choose the Data tab and then “From other sources” and select “From Microsoft Query”.
- Choose “MS Access Database*” and browse to the DB you just created.
- Enter the password when prompted and select the data to be returned to Excel.
- The query should populate. Now let’s make sure we are not saving the password (or at least that we are telling Excel not to).
- Select the “Data” tab and click “Connections”.
- Double click the query to bring up the properties sheet.
- Select the “Definition” tab and ensure that the “Save Password” box is unchecked (default).
- If you open the Excel document with Notepad, the passwords do not appear in plaintext. Great!
- Now for some fun. Rename your Excel doc from .xlsx to .zip.
- Open the zip and then open the “xl” directory.
- Now open the connections.xml file and Ta Da! There is your PWD plain as day.
If you encrypt the workbook with a password to open, you are okay, but a password to edit is not enough and you can still see the PWD.
What all this boils down to is: If you select the option not to save the password in Excel, why is Excel saving it in the XML?
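To find workbooks already affected by this, the following added example (not part of the original post) opens an .xlsx as a ZIP package, reads xl/connections.xml, and reports any connection string carrying a password key without printing the value. The sample workbook is constructed in memory, and matching OLE DB's `Password` key in addition to the `PWD` key seen above is an assumption.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# ODBC strings use PWD; also matching OLE DB's "Password" is an assumption.
SECRET_KEY = re.compile(r"(?i)(?:^|;)\s*(pwd|password)\s*=\s*([^;]+)")

def audit_workbook(source):
    """List connections that embed a password (source: path or file object).

    Returns None when the file is not a ZIP package, e.g. a workbook
    encrypted with a password to open, which sits in an OLE container."""
    if not zipfile.is_zipfile(source):
        return None
    with zipfile.ZipFile(source) as pkg:
        if "xl/connections.xml" not in pkg.namelist():
            return []
        # For untrusted files, parse with a hardened XML parser instead.
        root = ET.fromstring(pkg.read("xl/connections.xml"))
    findings = []
    for conn in root.findall("m:connection", NS):
        db = conn.find("m:dbPr", NS)
        if db is None:
            continue
        for key, value in SECRET_KEY.findall(db.get("connection", "")):
            # Report the key and length only; never echo the secret itself.
            findings.append({"name": conn.get("name"), "key": key,
                             "length": len(value.strip())})
    return findings

def build_sample():
    """Constructed stand-in for the workbook produced by the steps above."""
    xml = ('<connections xmlns="' + NS["m"] + '">'
           '<connection id="1" name="Query from MS Access Database" type="1">'
           '<dbPr connection="DSN=MS Access Database;'
           'DBQ=C:\\demo\\test.accdb;PWD=grapes;" command="SELECT 1"/>'
           '</connection></connections>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("xl/connections.xml", xml)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(audit_workbook(build_sample()))
```

An empty list means the package has no stored connection password; `None` means the file is not a ZIP package at all, which is the case for a workbook encrypted with a password to open.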
- Excel Spreadsheet (Note: the data connection is hard-coded to a specific path to the database)
- Access Database
- Both, zipped