OpenOffice password crack is open to abuse
Security experts have warned that password recovery tools for OpenOffice, the open-source application suite, are vulnerable to abuse.
The release of version 1.0.4 of Intelore's OpenOffice Password Recovery software on Thursday allows IT managers and systems administrators to recover OpenOffice passwords and discard formatting and editing restrictions--for example, locked cell protection and permissions. The software allows password recovery through brute force and dictionary-based attacks, or a combination of both.
"Even if you have lost passwords for all your OpenOffice programs and documents, Intelore's solution can help you quicker than any similar program--OpenOffice Password Recovery supports simultaneous processing of several recovery projects with different attack profiles," said Dmitry Rozenbaum, chief executive officer of Intelore.
Although password recovery tools for Microsoft applications have been available for at least six years, OpenOffice Password Recovery is one of the first commercially available tools for open-source products. But security experts have warned that such tools could be open to abuse.
"These kinds of tools can be used for both good and bad," said Graham Cluley, senior technology consultant for security vendor Sophos. "It's a grey area in software. Cottage industries for such tools are mushrooming. These applications can help people, but in the wrong hands they're a bit of a security concern." Cluley added that IT managers could set policies about who could have access to such tools on a business network.
Paul Wood, senior analyst at e-mail security vendor MessageLabs, said that it opened a possible attack vector from disgruntled employees. "One attack vector is if a rogue employee has access to file-share password-protected documents. They can copy them, take them offline, and brute-force them at their leisure." Wood added that companies should lock down privileges, and consider encryption for sensitive documents.
OpenOffice Password Recovery version 1.0.4 is available to download for evaluation. The full business version costs $129. The product offers Unicode support and allows for recovery of multi-language passwords. OpenOffice Password Recovery version 1.0.4 can also recover a password containing typing errors, according to Interlore.
Security problem? I've had Microsoft Office password cracking software in my toolkit for at least 10 years. It is a "must have" utility if you support a lot of users.
Application password protection is OK for keeping out the mildly curious. If you need real security you need GPG/PGP.