-1

If I can decrypt or "unprotect" a sheet or a workbook in Excel in a matter of 2-3 minutes (faster then it usually takes to read the linked article!), by a means of simple .zip archive modification then should Office 2007+ files be still treated as secure?

To make things even more sad, I can modify contents of such "protected" document without anyone knowing this.

Side question:

  1. Can we consider sheet or workbook protection in security means or do these two things have nothing in common?
  2. How it is possible that such "feature" exists for 13+ years and Microsoft did nothing about it?
  3. Is anyone using this feature? If yes, then for which reasons, if it can be broken by a kid?

Note that I am not asking about Office document's encryption and decryption. I am talking precisely about "protecting" a sheet or workbook with a password where contents of such "protected" document can be revealed by a person having 10+ years old child IT knowledge, by simple .zip file modification.

A question quite similar to my now seven years old one about .zip files itself.

schroeder
  • 125,553
  • 55
  • 289
  • 326
trejder
  • 3,619
  • 5
  • 24
  • 35
  • 2
    You have a logic error in your question. "should Office 2007+ files be still treated as secure?" Why? Because a convenience feature in Excel can be broken? "Secure" from what? In the "Tell Me More" link in Excel when you go to protect the sheet, the very first bullet point is telling users that the feature is not a security feature. You are making sweeping generalisations about the general security of the entire Office suite by critiquing a non-security feature in Excel. – schroeder Jul 19 '20 at 16:08
  • 1
    So, to make your question more relevant, your question should be "should "protect worksheet" in Excel be considered secure?" and the answer is provided by Microsoft itself. – schroeder Jul 19 '20 at 16:24
  • 2
    Ah, ***you*** are the author of the blog article... You changed it to remove the "encryption" part, which was a pretty egregious error, but the underlying problem and your logic error remain. – schroeder Jul 19 '20 at 18:25

1 Answers1

4

Apparently, the author of the article you linked to doesn't know the difference between protecting an excel file and encrypting it. Protecting does not equal to encrypting. Microsoft knows about this and does nothing about it because this is not meant to be a security feature. Nor is its purpose detecting changes in the document. Its only purpose is to prevent unintended changes.

From Microsoft support's article on protecting Excel sheets

To prevent other users from accidentally or deliberately changing, moving, or deleting data in a worksheet, you can lock the cells on your Excel worksheet and then protect the sheet with a password. Say you own the team status report worksheet, where you want team members to add data in specific cells only and not be able to modify anything else. With worksheet protection, you can make only certain parts of the sheet editable and users will not be able to modify data in any other region in the sheet.

Important

▪ Worksheet level protection is not intended as a security feature. It simply prevents users from modifying locked cells within the worksheet.

▪ Protecting a worksheet is not the same as protecting an Excel file or a workbook with a password.

TL;DR

What you are referring to as 'decrypting' or unprotecting is in fact not a security feature and therefore does not impact the security of Office files.

If you really want to prevent others from changing your Office files without being noticed, use digital signatures. If you want to prevent them for viewing the file, encrypt it.

nobody
  • 11,341
  • 2
  • 41
  • 60
  • 1
    Confirmed. Encrypt the file and the steps in the blog post fail on step 1. Protect the worksheet and then thesteps in the blog post work. The blog author did not know what they were doing. The author kept saying that Microsoft calls protection "encryption" but offers no proof, and there is plenty of proof that it is not. Including the fact that the contents were not encrypted ... – schroeder Jul 19 '20 at 15:58