Excel workbook protection and sheet protection are commonly used as if they provide file security. It turns out that these mechanisms do NOT provide file security, nor were they ever intended to do so. Section 18.2.29 of ECMA-376-1:2016, the latest version of the standard governing Office Open XML, says the following:
Applications might use workbook protection to prevent anyone from accidentally changing, moving, or deleting important data. This protection can be ignored by applications which choose not to support this optional protection mechanism.
The same section contains an additional note:
Worksheet or workbook element protection should not be confused with file security. It is not meant to make your workbook safe from unintentional modification, and cannot protect it from malicious modification.
Both sheet protection and workbook protection may be removed without the protection password in four basic steps:
I have published a detailed PDF guide for accomplishing these steps using only File Explorer and Notepad on Windows.
Is anyone else surprised by how easy it is to bypass these protections?
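A defender's-side check for the distinction the standard draws above, as an added example that is not part of the original post: it reports whether an .xlsx relies only on the optional `workbookProtection`/`sheetProtection` elements or is actually wrapped in an encrypted container. The function names and the sample workbook are constructed for illustration, and the input is assumed to be an .xlsx file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = "{" + MAIN + "}"
# Assumption: input is an .xlsx. A password-to-open .xlsx is stored as an OLE
# compound file (this magic), not as a plain ZIP package.
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def audit_xlsx(data: bytes) -> dict:
    """Report which protection mechanism, if any, a workbook relies on."""
    if data.startswith(CFB_MAGIC):
        return {"container": "cfb", "encrypted": True, "workbook": False, "sheets": []}
    report = {"container": "zip", "encrypted": False, "workbook": False, "sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # For untrusted files, parse with a hardened parser such as defusedxml.
            if name == "xl/workbook.xml":
                root = ET.fromstring(zf.read(name))
                report["workbook"] = root.find(NS + "workbookProtection") is not None
            elif name.startswith("xl/worksheets/") and name.endswith(".xml"):
                root = ET.fromstring(zf.read(name))
                if root.find(NS + "sheetProtection") is not None:
                    report["sheets"].append(name)
    report["sheets"].sort()
    return report


def build_sample() -> bytes:
    """Constructed sample: structure-protected workbook, one protected sheet of two."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml",
                    f'<workbook xmlns="{MAIN}"><workbookProtection lockStructure="1"/></workbook>')
        zf.writestr("xl/worksheets/sheet1.xml",
                    f'<worksheet xmlns="{MAIN}"><sheetData/><sheetProtection sheet="1"/></worksheet>')
        zf.writestr("xl/worksheets/sheet2.xml",
                    f'<worksheet xmlns="{MAIN}"><sheetData/></worksheet>')
    return buf.getvalue()


if __name__ == "__main__":
    # A plain ZIP with protection elements is readable and editable by any
    # application that ignores them; only the encrypted container is file security.
    print(audit_xlsx(build_sample()))
```

A result with `"encrypted": False` and a non-empty `sheets` list or `"workbook": True` marks a file whose contents are guarded only by the optional protection elements.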
(Score: 3, Insightful) by Runaway1956 on Monday July 08 2019, @10:17AM (4 children)
Isn't there an option 4?
4. Use FUD to convince people that they can't edit a file.
My employer, for instance, would call unlocking an .xml file "hacking", and fire the guilty party. Which isn't really much different from the physical paper copy you mentioned. "Oh, you can't make marks on that!"
Your reference to a paper printout reminds me of the various forms I've used over the decades. Warnings like "Do not fold, spindle, or mutilate." "Make no marks in this area." Or, "Make no marks outside of this area." Test answer sheets that consisted of 4 columns of little circles, where you darkened one of the circles with a #2 pencil. And, people followed along, obeying whatever instructions were printed.
That doesn't even touch on all the many forms with "Press hard, you are making xx copies." Anywhere from three to 12 copies, with each copy destined to fill some other person's in-basket.
And, FUD always guaranteed that all those copies got to their proper destinations.
(Score: 2) by sgleysti on Monday July 08 2019, @12:26PM (2 children)
As a Quaker, I abstain from filling out forms in triplicate (or higher).
(Score: 0) by Anonymous Coward on Monday July 08 2019, @01:03PM (1 child)
Q. for the Quaker -- do you ever sit around in a small group and quake (bodies shaking or shuddering)? Couldn't find a quick reference, but I seem to remember this was part of the history of the sect.
(Score: 2) by sgleysti on Monday July 08 2019, @02:21PM
Not really a Quaker, just making a bad joke. It could be something like you suggest; see https://www.etymonline.com/word/quaker
(Score: 2) by EJ on Tuesday July 09 2019, @02:07AM
Your examples are more like handicapped parking signs. It's not FUD. It's not telling you that you cannot park there. It's telling you that you're not ALLOWED to park there.