Re: [Full-disclosure] Vulnerability discloses PIN used in Microsoft Excel secure printing



> I assume it is embedded so that cancelled or queued jobs can still require 
> PIN.  You can't have one job pause all other jobs in the queue, so it would 
> need some way of continuing from bypass.  The whole "vulnerability" angle is 
> pretty lame.
>   

How it works on our Xerox printers is you hit a button to pull up the
jobs and the secure ones are held (in memory, on the printer) until the
user enters the same code embedded in the job. The primary purpose is to
target the resistance against departmental printers under the "privacy"
angle. Jobs that don't have this tag print FIFO ("secure" jobs are a
separate queue internally).

The PIN is just an attribute sent by the PostScript driver and embedded in
the job. I have seen print drivers and hardware that do operate in a
"secure" manner (we have ID printers that do this), but IMHO that's more
for license compliance than actual security of the information.

The fact that Excel stores it as a printing default is interesting, but
hardly a vulnerability. If you have access to the document to see the
printing PIN in metadata, you obviously can read the document itself ..
It'd be like saying "OMG! Excel remembers what size paper I like to use".

One could argue the whole "creatures of habit" aspect around the PIN
(dammit, now I need to change my luggage), but the whole "secure print"
thing is sort of a misnomer and more of a marketing trick (internally
and externally) than anything else.

Cheers,

Michael Holstein
Cleveland State University

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/