In the most recent 'Security Now' podcast, #893, Steve Gibson discussed the fact that Microsoft has chosen not to fix a well-understood security vulnerability that has existed for years in OME (Office Method Encryption), a commonly used system which claims to provide a means to encrypt text in Office, say before sending it or storing it.
But it uses ECB (Electronic Codebook) as its 'secure' method, and ECB is well known to be insecure because it leaks information. Microsoft has refused to fix or patch the Windows Office method. I have personally examined ECB in the past, and its problems are obvious and well known, especially for cases like stolen or diverted data (ransomware?). This is a major issue for the assumed security of MS Office.
Much more here https://www.grc.com/sn/SN-893-Notes.pdf
More on ECB here: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#ECB
Following, but please report any patching of this so I can inform followers.