
posted by martyb on Monday July 08 2019, @04:00AM
from the Zippity-do-dah dept.

Excel workbook protection and sheet protection are commonly used as if they provide file security. It turns out that these mechanisms do NOT provide file security, nor were they ever intended to do so. Section 18.2.29 of ECMA-376-1:2016, the latest version of the standard governing Office Open XML, says the following:

Applications might use workbook protection to prevent anyone from accidentally changing, moving, or deleting important data. This protection can be ignored by applications which choose not to support this optional protection mechanism.

The same section contains an additional note:

Worksheet or workbook element protection should not be confused with file security. It is not meant to make your workbook safe from unintentional modification, and cannot protect it from malicious modification.

Both sheet protection and workbook protection may be removed without the protection password in four basic steps:

  1. Unzip the .xlsx or .xlsm file so that its contents may be modified in the following steps. Excel workbook files are actually ZIP files with a different file name extension.
  2. Remove the <workbookProtection ... /> XML tag from the xl\workbook.xml file.
  3. Remove the <sheetProtection ... /> XML tag from any .xml file in the xl\worksheets\ directory.
  4. Zip the modified Excel workbook file contents, using the .xlsx or .xlsm filename extension for the resulting ZIP file.
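
As an added example, not part of the story or of the PDF guide it mentions, here is a small Python audit a defender can run over a workbook to see whether it relies on these advisory protection elements and which password scheme each one carries. The .xlsx it inspects is constructed inline with only the two parts the check reads, and the hash and salt values in it are placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def build_sample_xlsx() -> bytes:
    """Constructed sample: the two parts the audit inspects, zipped like a
    real .xlsx (the other parts Excel needs are deliberately omitted)."""
    workbook_xml = (
        f'<workbook xmlns="{MAIN_NS}">'
        '<workbookProtection lockStructure="1" workbookPassword="CBEB"/>'
        '<sheets><sheet name="Sheet1" sheetId="1"/></sheets></workbook>'
    )
    sheet_xml = (
        f'<worksheet xmlns="{MAIN_NS}"><sheetData/>'
        '<sheetProtection sheet="1" algorithmName="SHA-512" spinCount="100000" '
        'hashValue="c29tZS1oYXNo" saltValue="c29tZS1zYWx0"/></worksheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()


def audit_protection(xlsx_bytes: bytes) -> list[dict]:
    """List every workbook/sheet protection element with its password scheme:
    'legacy' (16-bit hash in a *Password attribute), 'hashed' (algorithmName +
    hashValue/saltValue/spinCount) or 'none'. All of them are advisory only."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for part in zf.namelist():
            if part != "xl/workbook.xml" and not (
                    part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            for elem in ET.fromstring(zf.read(part)).iter():
                tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace
                if tag not in ("workbookProtection", "sheetProtection"):
                    continue
                keys = [k.lower() for k in elem.attrib]
                if any(k.endswith("algorithmname") for k in keys):
                    scheme = "hashed"
                elif any(k.endswith("password") for k in keys):
                    scheme = "legacy"
                else:
                    scheme = "none"
                findings.append({"part": part, "element": tag, "scheme": scheme})
    return findings
```

A finding with scheme "legacy" means the password is protected only by the truncating 16-bit hash discussed in the comments, but the practical point is that any finding at all marks data whose integrity rests on an element every consumer is free to ignore.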

I have published a detailed PDF guide for accomplishing these steps using only File Explorer and Notepad on Windows.

Is anyone else surprised by how easy it is to bypass these protections?

  • (Score: 0) by Anonymous Coward on Monday July 08 2019, @06:04AM (#864360) (1 child)

    365, 2019, and my personal copy of 2016 all warned for me, but I could see if I can get my hands on older/other ones.

    Curious what version you used to save said file. I double-checked the specifications, and I was looking at an older version (plus there are various differences between older versions of the ISO/IEC versions and the ECMA ones). Originally, it was encoded as plain text; then they came up with their own hash (now called the Legacy Password Hash) to hash the password (after truncating it); then they allowed some less secure hash algorithms; then they added much stronger ones and allowed for repeated iterations of hashes. But, interestingly, most software uses the "transitional" schema or an older revision, which does allow for the LPH or plain text (which I've run into the most, but that might be sample bias, the more I think about it).

  • (Score: 0) by Anonymous Coward on Monday July 08 2019, @07:06AM (#864381)

    Curious what version you used to save said file.

    Home & Student 2016, Version 1906.