
Re: [Full-disclosure] Vulnerability discloses PIN used in Microsoft Excel secure printing



Yes, it comes in very handy for those who need to ensure that the documents 
they placed on open shares be held at the printer for security.  

I love this part: "The adversary can then either print two copies of the 
victim's file and leave one on the printer for the victim, or print one copy 
of the victim's file and photocopy it before leaving the original on the 
printer for the victim, or print one copy of the victim's file and take it 
resulting in the victim thinking that perhaps they didn't click the print 
icon after all."

They forgot to add "Or, the attacker could open the spreadsheet from the 
share."  LOL

t 

From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Cal Leeming 
[Simplicity Media Ltd]
Sent: Monday, January 31, 2011 6:19 AM
To: Ed Murphy
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Vulnerability discloses PIN used in Microsoft 
Excel secure printing

Wtf, I've never heard of a 'secure' print :S

On Mon, Jan 31, 2011 at 8:01 AM, Ed Murphy <ed.b.murphy@xxxxxxxxx> wrote:
Hello list,

Stumbled across this today.  It appears Excel spreadsheets store
printer information including the PIN you might use when trying to do
a "secure" print.

http://insecureprinting.com/Microsoft_Excel_Spreadsheets_Expose_User_PIN_Used_for_Confidential_Secure_Printing.pdf

The paper is quite thorough and shows that in most cases the PIN is
stored in clear text in the spreadsheet, though some printer vendors
try to obfuscate the PIN (though not very successfully).

Thanks,
Ed

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
