Full Disclosure mailing list archives

Re: Vulnerability discloses PIN used in Microsoft Excel secure printing
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Mon, 31 Jan 2011 15:34:32 -0500

I assume it is embedded so that cancelled or queued jobs can still require PIN.  You can't have one job pause all 
other jobs in the queue, so it would need some way of continuing from bypass.  The whole "vulnerability" angle is 
pretty lame.

How it works on our Xerox printers is you hit a button to pull up the
jobs and the secure ones are held (in memory, on the printer) until the
user enters the same code embedded in the job. The primary purpose is to
target the resistance against departmental printers under the "privacy"
angle. Jobs that don't have this tag print FIFO ("secure" jobs are a
separate queue internally).

The PIN is just an attribute sent by the PostScript driver and embedded in
the job. I have seen print drivers and hardware that do operate in a
"secure" manner (we have ID printers that do this), but IMHO that's more
for license compliance than actual security of the information.

The fact that Excel stores it as a printing default is interesting, but
hardly a vulnerability. If you have access to the document to see the
printing PIN in metadata, you obviously can read the document itself ..
It'd be like saying "OMG! Excel remembers what size paper I like to use".

One could argue the whole "creatures of habit" aspect around the PIN
(dammit, now I need to change my luggage), but the whole "secure print"
thing is sort of a misnomer and more of a marketing trick (internally
and externally) than anything else.


Michael Holstein
Cleveland State University

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
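
An added example, not part of the original message: a defender-side audit that flags workbooks carrying saved printer-driver settings, the kind of printing default the message says Excel keeps with the document. It assumes OOXML (.xlsx) files, where such settings are stored as binary parts under xl/printerSettings/; whether a given driver places the secure-print PIN there is driver-specific, and the sample files and the names `printer_setting_parts` and `audit` are constructed for illustration.

```python
import io
import zipfile

PRINTER_PART_PREFIX = "xl/printerSettings/"  # OOXML location of saved driver settings


def printer_setting_parts(workbook):
    """Return {part name: size in bytes} for driver-settings blobs in an .xlsx."""
    with zipfile.ZipFile(workbook) as zf:
        return {
            info.filename: info.file_size
            for info in zf.infolist()
            if info.filename.startswith(PRINTER_PART_PREFIX)
            and not info.is_dir()
        }


def audit(workbooks):
    """Map each workbook label to its printer-settings parts; None if not a zip."""
    report = {}
    for label, data in workbooks.items():
        try:
            report[label] = printer_setting_parts(io.BytesIO(data))
        except zipfile.BadZipFile:
            report[label] = None  # e.g. legacy .xls: not inspected by this check
    return report


def _constructed_xlsx(with_printer_settings):
    """Build a minimal zip laid out like an .xlsx (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_printer_settings:
            # Placeholder bytes standing in for the driver's opaque settings blob.
            zf.writestr("xl/printerSettings/printerSettings1.bin", b"\x00" * 64)
    return buf.getvalue()


# Constructed inputs: one workbook with saved driver settings, one without,
# and one file that is not an OOXML package at all.
SAMPLES = {
    "budget.xlsx": _constructed_xlsx(True),
    "clean.xlsx": _constructed_xlsx(False),
    "legacy.xls": b"\xd0\xcf\x11\xe0 not a zip",
}

if __name__ == "__main__":
    for name, parts in audit(SAMPLES).items():
        print(name, parts)
```

Workbooks that report a non-empty result are candidates for having their printer settings cleared before the file leaves the department.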
