Microsoft Word documents that use the software's built-in password protection to avoid unauthorized editing can easily be modified using a relatively simple hack that was recently published on a security Web site.
Known as the Password to Modify feature, the password-protection mechanism in Microsoft Word can be bypassed, disabled or deleted with the help of a simple programming tool called a hex editor. The hack does not leave a trace, meaning an unauthorized user could remove the password protection from a document, edit it and replace the original password.
Microsoft was informed about the vulnerability in late November by Thorsten Delbrouck, chief information officer of Guardeonic Solutions, which is a subsidiary of German security specialist Infineon Technologies. In a Knowledge Base article published in early December, Microsoft denied there was a problem because, the company said, the password-protection feature is not intended to provide "fool-proof protection for tampering or spoofing," but is "merely a functionality to prevent accidental changes of a document."
"(When) you use the Password to Modify feature, the feature is functioning as intended even when a user with malicious intent bypasses the feature," the technical support document explained. "The behavior occurs because the feature was never designed to protect your document or file from a user with malicious intent."