Concern Over MS Office Security Issue Gathers Momentum

27 Jan ’05

Neowin is reporting that concerns are mounting over a flaw in MS Office’s implementation of the RC4 encryption algorithm. Bruce Schneier and Phil Zimmermann have both commented. Money quote:

Not happy with the response from Microsoft, today Phil Zimmermann, the creator of PGP Encryption, talked to Techworld.com and expressed his concern about the weakness. Zimmermann said that he thought it was a serious problem, and described it as "highly exploitable. It is not a theoretical attack." Security expert Bruce Schneier (Neowin Interview) further described the flaw as an “amateur crypto mistake”, and noted that a virtually identical issue emerged almost 5 years ago with Windows NT.

Naturally, Microsoft’s response is to criticize those commenting on the issue:

Microsoft expressed concern at the way in which the flaw was disclosed, and urged people who do find problems with their products to follow the standard industry practise of reporting the problem to the company directly, and reduce the potential risk to their customers.

“Standard industry practice”?  I doubt that this approach makes any sense for anyone other than Microsoft.  I think the fear of visible public criticism of poor security design is a powerful motivator to get it right the first time.
