Simple identity theft in Office 365, Skydrive and more

Office for Mere Mortals helps people around the world get more from Word, Excel, PowerPoint and Outlook. Delivered once a week. free.


A new patch for a major security lapse in Microsoft’s user account system.

Among the December 2013 patches is one that deserves more attention and concern than it’s got so far.

The problem is headlined by Microsoft as “Vulnerability in Microsoft Office Could Allow Information Disclosure” and categorized as ‘Important’ – not the highest level. The ‘Impact’ of this security breach is merely called ‘Information Disclosure’.

That heading sounds bad but remember that it’s in Microsoft’s interest to downplay understate the severity of any security lapse. This is a classic example of Redmond’s spin doctoring of bad news.

The vulnerability is actually an amazing simple way to gain access to your Office 365, Sharepoint, Skydrive Pro or other Microsoft account hosted systems from Office 2013.

It’s taken Microsoft six months to make and release a patch for this gaping security breach.

Yes – there is now a patch and it’s really important. Most likely Windows Update has downloaded the patch but you can download the Office 2013 patches separately – 32-bit and 64-bit. Office 2013 RT computers have to use Windows Update to apply the patch.

I know you often hear about ‘important’ patches, so often that its easy to become complacent.  This time the patch isn’t important – it’s vital.  While this security lapse hasn’t been publically used, it’s so simple that hackers will start exploiting it.   In this case the consequences of a successful attack could be dreadful as everything you have stored on Office 365, Sharepoint etc becomes available to strangers.

Microsoft has been lucky that the person who discovered the problem was honest and that, amazingly, no-one else figured it out before the patch was released.

We’re concerned that the problem wasn’t fixed a lot faster given the relatively simple hack and the very high danger to customer’s information (hosted by Microsoft).

Finally, the simple nature of the hack makes us very doubtful about Microsoft’s quality of security. Security is supposed to be the most important thing at Microsoft – so how did such a simple vulnerability get through? The process of authenticating should not be so open and exposed to allow hackers to see how it works, let alone provide a way to gain access.


Who is affected?

Anyone who uses Office 365, Sharepoint, Skydrive Pro with Office 2013.

That’s pretty much everyone with Office 2013 because the software will pester you mercilessly to create and use a Microsoft account of some sort, even if you save all your documents on your computer.

It’s that login process that’s vulnerable unless patched. A hacker can get your login details to access your entire online account – not just a few documents.


How it works

Noam Liran has a great explanation here, we’ll try to give a simple overview.

When your computer gets information from a Microsoft server, there’s an exchange of information to confirm your identity and, in theory, that it’s really a Microsoft server. The key part of that is a ‘private authentication token’ which is the key to opening your files and information on Microsoft’s servers.

The hack is absurdly simple – setup a web server that pretends to be a Microsoft server and sends the right responses when Office software connects. Making a fake Microsoft server is fairly simple because all the exchanges between your computer and the Microsoft server can be read and copied.

Then send out spam emails with a hacked document attached, some people will (foolishly) open the document. The document tells Word to contact the bogus server and will send the token!

That’s right – it will send the vital key that gives access to your entire online account! It’s the cloud equivalent of giving away the key to your front door each time someone knocks.


Want More?

Office Watch has the latest news and tips about Microsoft Office. Independent since 1996. Delivered once a week.