Security Watch: Don't get burned by viruses and hackers.
When a security feature is no longer secure
By Robert Vamosi 
Senior associate editor, CNET Reviews
January 14, 2004

Question: When is a security feature not a security feature? Answer: When it's the document-protection system in Microsoft Word.

It's called Protect Documents
This tool allows the owner of a document to prevent its readers from tracking changes, making comments, or changing the content in forms. It can be used, for instance, to make sure a customer can't alter a price quote before printing it out and signing it. (You can locate this feature by selecting Tools > Protect Document.)

It's different from the encryption security feature, which locks an entire document from modification. (The latter is available by selecting Tools > Options > Security.)

Even Microsoft admits that the Protect Document feature is not a true security feature. But the software giant hasn't gone out of its way to tell its customers. As a result, many businesses and individuals are unaware that "protected" documents they send out are in fact susceptible to modification. I think that's just plain irresponsible.

The vulnerability of the Protect Document feature came to light recently, when Thorsten Delbrouck, chief information officer of security company Guardeonic Solutions, announced on the security newsgroup Bugtraq that he could make changes in a "protected" document--without the owner of the document having any proof he did so. Delbrouck says he notified Microsoft of this flaw in November 2003. (You can read his post if you want the technical details of how he did this.)

Microsoft knew about it
Turns out this isn't exactly breaking news. Back in 2001, at the Black Hat Win2k Security Briefing, members of Russian software company ElcomSoft demonstrated the relative insecurity of all the Microsoft Excel, Word, VBA, and Outlook file-protection schemes. (You can download their PowerPoint presentation by clicking here.) In fact, during the 2001 presentation, ElcomSoft suggested the same method that Mr. Delbrouck outlined in his Bugtraq post.

According to the ElcomSoft presenters, the password-protection flaws exist in part because of the U.S. export rules regarding high-end encryption. In other words, to provide a truly secure Word and Excel, Microsoft would have to sell two versions: a high-encryption version in the United States and a low-encryption version for the rest of the world.

What's unfortunate is that while Microsoft acknowledged ElcomSoft's claims in a March 2001 technical newsletter, the company didn't include this information in its online FAQ about securing Word and Excel.

Only after Delbrouck revived interest in the matter did Microsoft publish a new document that redefines the Protect Document feature as a collaboration tool. Needless to say, the average Office user isn't necessarily going to know about this new definition. And certainly the name--Protect Document--implies (to me at least) security more than collaboration.

Secure your documents
If you want to ensure that your documents won't be edited by their readers, I recommend using non-Microsoft software. You could save your files as Adobe PDF files, although now OCR software can open and even modify PDFs. Another option is to encrypt the document with PGP Personal for Windows 8.0, an industrial-strength encryption program that costs about $50 for the full version. A free version is also available. This app will make sure that only your intended recipients can read or modify your documents.

I should mention that the latest Microsoft Office System includes digital-rights management systems for Word 2003, Excel 2003, and other apps, which provide better security for your documents. Of course, to get this protection, you'd need to invest in the new Office, which costs anywhere from $150 to $500. Given the software giant's uneven security reputation, I'd put my faith in a third-party solution instead.

Is Microsoft doing a good enough job when it comes to software security? Why or why not? Tell me about it--TalkBack to me!




