Excel workbook protection and sheet protection are commonly used as if they provide file security. It turns out that these mechanisms do NOT provide file security, nor were they ever intended to do so. Section 18.2.29 of ECMA-376-1:2016, the latest version of the standard governing Office Open XML, says the following:
Applications might use workbook protection to prevent anyone from accidentally changing, moving, or deleting important data. This protection can be ignored by applications which choose not to support this optional protection mechanism.
The same section contains an additional note:
Worksheet or workbook element protection should not be confused with file security. It is not meant to make your workbook safe from unintentional modification, and cannot protect it from malicious modification.
Both sheet protection and workbook protection may be removed without the protection password in four basic steps:
I have published a detailed PDF guide for accomplishing these steps using only File Explorer and Notepad on Windows.
Is anyone else surprised by how easy it is to bypass these protections?
(Score: 3, Funny) by toddestan on Tuesday July 09 2019, @02:14AM (1 child)
"So, what do you like to do for fun?"
"I like running unzip on random files on my filesystem to see what happens..."
(Score: 0) by Anonymous Coward on Tuesday July 09 2019, @09:34AM
Actually, I figured it out when I opened the file up in a hex editor. The first few characters can sometimes give away a file type. I had opened zip files in the past that way, and when I opened up a Excel or Word document, I found that out. Zipping it back up and keeping it functional can sometimes be a challenge. I'm not sure exactly what settings it uses.