4 Security Considerations

The password verifier features available in the file format (see Password Verifier Algorithm) are used to prevent accidental modification, rather than being used as security features. It is possible to remove the passwords by removing the records containing the verifier values.

The translation of passwords from a double-byte Unicode string to a new character string in the ANSI code page of the current system converts any Unicode character that cannot be mapped to the ANSI code page of the current system to the 0x3F character in that code page (as described in [ECMA-376] part 4, 3.2.29). Replacing these characters with 0x3F when the hash is verified will generate positive hash value matches. In certain locales this can be a significant portion of the everyday character set.

When a file in this format is saved with obfuscation or encryption (see Encryption), there are two primary security considerations. First, only certain storages and streams are encoded during encryption (see Encryption). Second, for the records that are encrypted, the record type and size are not encrypted in the BIFF streams. Therefore, the list of records present in the file can be read from the file without actually decrypting it. Further security considerations regarding the file encryption algorithms are described in [MS-OFFCRYPTO] section 4.1.3.
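The second consideration can be seen by walking the record headers of a workbook stream, as in this added example (not part of the specification). It assumes the stream has already been extracted from the compound file, and the sample bytes are constructed, with filler standing in for ciphertext and for real record layouts.

```python
import struct
from collections import Counter

# Record type numbers, used only to label the output.
NAMES = {0x0809: "BOF", 0x002F: "FilePass", 0x00FD: "LabelSst",
         0x0203: "Number", 0x000A: "EOF"}

def walk_records(stream: bytes):
    """Yield (offset, type, size) per record, reading only the 4-byte headers."""
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise ValueError(f"truncated record header at offset {pos}")
        rtype, size = struct.unpack_from("<HH", stream, pos)  # two little-endian u16
        if pos + 4 + size > len(stream):
            raise ValueError(f"record at offset {pos} runs past end of stream")
        yield pos, rtype, size
        pos += 4 + size  # skip the payload without interpreting it

def summarize(stream: bytes) -> dict:
    """Report what is visible to a reader who holds no key."""
    records = list(walk_records(stream))
    return {
        "has_filepass": any(t == 0x002F for _, t, _ in records),
        "counts": Counter(t for _, t, _ in records),
        "payload_bytes": sum(s for _, _, s in records),
    }

def _rec(rtype: int, payload: bytes) -> bytes:
    """Build one record: type, size, then payload (helper for the sample only)."""
    return struct.pack("<HH", rtype, len(payload)) + payload

# Constructed sample stream. Payloads are filler, not real record contents:
# 0xA5 bytes stand in for encrypted data, zero bytes for BOF and FilePass bodies.
OPAQUE = b"\xa5"
SAMPLE = (_rec(0x0809, bytes(16)) + _rec(0x002F, bytes(6))
          + _rec(0x00FD, OPAQUE * 10) + _rec(0x00FD, OPAQUE * 10)
          + _rec(0x0203, OPAQUE * 14) + _rec(0x000A, b""))

if __name__ == "__main__":
    for off, rtype, size in walk_records(SAMPLE):
        print(f"{off:5d}  0x{rtype:04X} {NAMES.get(rtype, '?'):9s} {size:5d} bytes")
    print(summarize(SAMPLE))
```

The same listing lets a reviewer confirm what an encrypted file discloses about its structure (how many cell records of each kind, and how large) before treating the encryption as protecting that information.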