Excel workbook protection and sheet protection are commonly used as if they provide file security. It turns out that these mechanisms do NOT provide file security, nor were they ever intended to do so. Section 18.2.29 of ECMA-376-1:2016, the latest version of the standard governing Office Open XML, says the following:
Applications might use workbook protection to prevent anyone from accidentally changing, moving, or deleting important data. This protection can be ignored by applications which choose not to support this optional protection mechanism.
The same section contains an additional note:
Worksheet or workbook element protection should not be confused with file security. It is not meant to make your workbook safe from unintentional modification, and cannot protect it from malicious modification.
Both sheet protection and workbook protection may be removed without the protection password in four basic steps:
I have published a detailed PDF guide for accomplishing these steps using only File Explorer and Notepad on Windows.
Is anyone else surprised by how easy it is to bypass these protections?
(Score: 0) by Anonymous Coward on Monday July 08 2019, @08:28AM (1 child)
Amazing. Its in the spec. and people claiming to be rational, even intelligent, walk around with delusions -- the popping of which they find oh so worthwhile to share! ... now where's that xkcd cartoon ... just one in the 10,000 who learned that something today.
it'll be cool to watch how long it takes for the poster to start calling hirself a security-researcher.
(Score: 0) by Anonymous Coward on Monday July 08 2019, @02:19PM
Same anon as the poster here.
I've never turned on these protections in a file myself but needed to remove them from a file someone else sent me. What boggled my mind is that people rely on these mechanisms for security when the spec says not to. My coworkers were surprised by it, so I guess the lack of awareness of what the spec says is pretty common.