Microsoft Office 2013’s enhanced protection scheme cracked ahead of official launch

I found this to be very interesting: Microsoft Office 2013’s enhanced protection scheme cracked ahead of official launch. It's incredible how such a big company, one of the tech leaders in the world, is vulnerable to people who think outside the box.

In addition to a host of improvements and other changes, Microsoft beefed up the encryption scheme used to secure users’ data in Office 2013. With Office 2010, Microsoft used an SHA-1 class algorithm with a 128-bit key to encrypt plain-text password-protected documents. With Office 2013, though, Microsoft has moved to a technically more secure SHA-2 class SHA-512 algorithm to calculate the hash values for the encryption keys, but it appears even that wasn’t enough. ElcomSoft, a privately owned company headquartered in Moscow, has announced that it has already developed tools to crack Microsoft’s latest protection schemes. Shocking, I know.

A post on the ElcomSoft Advance Password Cracking blog claims that the company’s Advanced Office Password Recovery and Distributed Password Recovery tools now have the ability to crack Office 2013 plain text passwords, just weeks before the productivity suite’s official release. The post isn’t very detailed and doesn’t explain exactly how ElcomSoft pulled it off, but it does say that it is not strictly a brute force method. In fact, ElcomSoft claims that brute force attacks on Office 2013’s encryption scheme are virtually useless.
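To put a number on why plain brute force gets so little traction against an iterated password hash, here is an added example (not code from Microsoft, ElcomSoft or the post quoted above) that times the SHA-1 and SHA-512 variants and converts the measured rate into worst-case search time. It assumes the iteration scheme from the published MS-OFFCRYPTO agile encryption spec and a spin count of 100,000; neither detail appears in the post, and it says nothing about ElcomSoft's own method.

```python
import hashlib
import struct
import time

# Assumption (not from the article): the iterated hashing below follows the
# password-hash step of agile encryption in the published MS-OFFCRYPTO spec,
# and 100,000 is the assumed default spin count. The last step, which mixes
# in a block key and truncates to the cipher key size, is left out.
ASSUMED_SPIN_COUNT = 100_000


def derive_hash(password: str, salt: bytes, spin_count: int, algo: str) -> bytes:
    """Return H_n where H_0 = H(salt + password) and H_i = H(le32(i-1) + H_{i-1})."""
    h = hashlib.new(algo, salt + password.encode("utf-16-le")).digest()
    for i in range(spin_count):
        h = hashlib.new(algo, struct.pack("<I", i) + h).digest()
    return h


def guesses_per_second(algo: str, spin_count: int, samples: int = 3) -> float:
    """Measure how many candidate passwords this machine can test per second."""
    salt = bytes(16)  # constructed all-zero salt, for timing only
    start = time.perf_counter()
    for n in range(samples):
        derive_hash(f"candidate-{n}", salt, spin_count, algo)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case years to try every password of one length at `rate` guesses/s."""
    return alphabet_size ** length / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    for algo in ("sha1", "sha512"):
        rate = guesses_per_second(algo, ASSUMED_SPIN_COUNT)
        print(f"{algo}: {rate:.1f} guesses/s on one CPU core")
        for length in (6, 8, 10):
            # 62 = upper-case + lower-case letters + digits
            print(f"  length {length}: {years_to_exhaust(62, length, rate):.3g} years")
```

The rates are for a single CPU core in pure Python, so treat them as a floor; what carries over to faster hardware is the way the cost scales with password length and iteration count.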