This article describes how to exploit a known Microsoft Excel 2007 bug in order to encrypt a workbook (or add-in) without entering a password. Likewise, users of the file will not be asked for a file-open password when opening this special type of encrypted workbook (or add-in). Pretty cool, huh?
File encryption can be used to protect VBA projects and customUI ribbon XML code against hacking or tampering, in addition to other methods. This bug has been fixed by Microsoft in Office 2010. Our Unviewable+ application offers similar file encryption (AES Agile), which can be used in any Excel version (2007 or later), alongside the classic locking methods.
I would like to thank Stéphane from France, Hasan from Austria (Unviewable+ VBA developers) and Shigeo Mitsunari (MVP security expert from Japan) for their contributions in understanding the inner workings of this exploit.
What Is The File-Open Password
When an Excel file is encrypted, it is locked with a password. Nobody except the author will be able to open an encrypted workbook unless the password is shared. To learn more about encryption in Excel, please review our file-open password article.
The tell-tale sign when you or another user tries to open a normal encrypted file is the following dialog:
Excel 2007 Version
The Excel 2007 version used to create our demo files is shown below. The exploit is most likely also present in earlier builds of Office 2007. Please share your experience in the comments section at the end of this page.
How The Exploit Works
All you have to do is protect the Workbook Structure with a password in Excel 2007 as shown and save your file! Please note that your file will not be encrypted if you leave the password field blank. However, the password used to protect the Workbook Structure is not the key used for file encryption.
How To Verify File Encryption
Hundreds of thousands, if not millions, of Excel 2007 users who protected the structure of their spreadsheets have ended up saving their workbooks in an encrypted format without their knowledge, as there is no password prompt during file open.
There are several ways to test if an Excel Open-XML file (4-letter extension) is encrypted with this particular method. First, make a backup copy of your file and rename its file extension to zip. Then either...
- Open the zip file in the 7-Zip application (it's free, open source software). If the encryption file parts shown below exist, then your file is encrypted with the AES algorithm.
- Just click on the Zip file in Windows Explorer. You should see the error message below. The same message will be shown if an Excel file is severely damaged, so please verify that your workbook or add-in can be opened in Excel.
- Click the Encryption Report button available in the Unviewable+ VBA application.
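The same check can be scripted. The script below is an added example, not code from the article or from Unviewable+: it assumes that a file encrypted this way is a Compound File Binary (OLE2) container holding the `EncryptionInfo` and `EncryptedPackage` streams (the parts 7-Zip lists), whereas a normal Open-XML file is a plain zip; it walks the container's directory chain to look for those streams, and the sample containers it classifies are constructed inside the script.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound file header signature
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
# Streams the Office encryption wrapper stores inside the compound file.
ENCRYPTION_STREAMS = {"EncryptionInfo", "EncryptedPackage"}

def cfb_entry_names(data: bytes) -> set:
    """Walk the compound file's directory chain and return every entry name."""
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    sect = struct.unpack_from("<I", data, 48)[0]             # first directory sector
    fat = []                                                 # FAT sectors listed in the header DIFAT
    for s in struct.unpack_from("<109I", data, 76):          # (109 slots: enough for small files)
        if s != FREESECT:
            fat.extend(struct.unpack_from(f"<{sector_size // 4}I", data, (s + 1) * sector_size))
    names, seen = set(), set()
    while sect != ENDOFCHAIN and sect not in seen:           # 'seen' guards against a looping chain
        seen.add(sect)
        base = (sect + 1) * sector_size
        for i in range(sector_size // 128):                  # 128-byte directory entries
            entry = data[base + i * 128: base + (i + 1) * 128]
            name_len = struct.unpack_from("<H", entry, 64)[0]  # bytes, incl. UTF-16 NUL terminator
            if name_len >= 2:
                names.add(entry[:name_len - 2].decode("utf-16-le"))
        sect = fat[sect]
    return names

def classify(data: bytes) -> str:
    """'openxml' = plain zip package; 'encrypted-openxml' = AES-wrapped package."""
    if data[:4] == b"PK\x03\x04":
        return "openxml"
    if data[:8] == CFB_MAGIC:
        return "encrypted-openxml" if ENCRYPTION_STREAMS <= cfb_entry_names(data) else "cfb"
    return "unknown"

def build_sample_cfb(stream_names) -> bytes:
    """Constructed fixture: header + one FAT sector + one directory sector (512-byte sectors)."""
    header, fat, directory = bytearray(512), bytearray(b"\xFF" * 512), bytearray(512)
    header[:8] = CFB_MAGIC
    header[76:] = b"\xFF" * 436                               # all DIFAT slots FREESECT...
    struct.pack_into("<H", header, 30, 9)                    # sector shift 9 -> 512-byte sectors
    struct.pack_into("<I", header, 48, 1)                    # directory chain starts at sector 1
    struct.pack_into("<I", header, 76, 0)                    # ...except DIFAT[0]: FAT is sector 0
    struct.pack_into("<II", fat, 0, FATSECT, ENDOFCHAIN)     # sector 0 = FAT, sector 1 ends the chain
    for i, name in enumerate(["Root Entry", *stream_names]):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        directory[i * 128: i * 128 + len(raw)] = raw
        struct.pack_into("<H", directory, i * 128 + 64, len(raw))
    return bytes(header + fat + directory)
```

Run `classify(open(path, "rb").read())` on a real workbook; a file that Excel opens without a prompt but classifies as `encrypted-openxml` is one silently saved in the encrypted format.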
Security Advantages
Problems With Office File Encryption
- Encrypted files can no longer be read by programs that manipulate the Open-XML format, such as the Password Remover Pro or the Formula Auditor add-ins powered by the Ribbon Commander (RC) framework.
- VBA projects in encrypted files cannot be cleaned by the Ribbon Commander Code Cleaner.
- Files saved in Excel 2010 or later revert to the standard unencrypted Office file format, unless a particular trick is used. This tip is disclosed privately to Unviewable+ VBA perpetual license holders.
- An encrypted add-in can no longer be installed in Excel's default folders. The workaround is to launch such an add-in from a non-Excel folder or use a standard helper add-in to open it.
Unviewable+ users can encrypt files that can be opened in any Excel version (2007 or later) without a file-open password. Our Delphi application uses Shigeo Mitsunari's open-source cryptography command line tool for Office.