Excel's dirty little secret

Microsoft Excel, the predominant spreadsheet in use today, contains a feature that could expose sensitive corporate data once the document is distributed within a company or among trading partners.

That feature is drawing an increased level of attention from researchers and Excel users alike as its implications become more fully understood. One expert calls it "as potentially damaging" as many of the most recent viruses.

Excel has features that allow spreadsheet creators to hide, lock and/or password-protect data and mathematical calculations used in original documents. These features seemingly provide a measure of data security to conceal specified data from prying eyes.

In reality, that data can be exposed by any end user who can execute a simple copy-and-paste procedure. It takes fewer steps to reverse the security than it does to set it up.

When Excel data is copied using the "copy all" command and pasted into a new spreadsheet, it exposes the hidden and password-protected cells, which may contain data such as employee salaries, return-on-investment or expense report calculations, or request-for-proposal formulas. Excel users must execute an "unhide" command in Excel before they see the previously protected data in the spreadsheet copy, but in non-Microsoft spreadsheets the hidden cells are automatically revealed.

Unless access to the document is locked down, Excel cannot protect any information, although the program gives the illusion that it can, critics say.

The result for large corporations is that millions of Excel documents shared between co-workers and business partners could become a security breach for confidential data.

"I thought there was some security. I had no idea," says Jeff Ostroff, the owner of a Web site that offers car-buying tips and free spreadsheets designed to calculate deals. Ostroff's site states that password protection is used on Excel so viewers cannot manipulate or hijack his formulas. "I'm surprised it is that easy to expose the data," he adds.

Ostroff believes that 99% of users don't know the secret. "We get requests for the passwords all the time from people who want to change the formulas."

Some say the issue creates a major security concern.

"The method of password-protecting data in Excel is something companies around the world rely on," says Rick Sturm, president of Enterprise Management Associates (EMA), a consulting and research firm that encountered the security hole when it was creating spreadsheets to share with clients. "This is like putting a password on a document while also supplying a Post-It Note revealing the password. It's as potentially damaging as some of these recent viruses that have spread around the world."

A simple example, according to EMA researchers, is that a user could copy and paste an expense report to another spreadsheet as a way to expose a password-protected mileage calculation formula. The mileage reimbursement figure could be increased from .31 to .81. The user would then save the document with the same name as the original and send it back, even password-protecting the new formula.

Microsoft officials say the ability to password-protect and hide data is not a "security" feature but a "display" feature. That means that while creators of spreadsheets can hide data from display, or protect it from manipulation on the original document, they cannot safeguard or secure it from view or manipulation if another user copies and pastes the data.

Experts say perception is the critical factor.

"The key question is what does the typical Excel user expect," says Richard Smith, an independent Internet Security and Privacy consultant and former CTO of the Privacy Foundation.

"The user is led to believe you get some level of security," Smith says. "People's expectations of the feature are different from Microsoft's. It's a classic overselling of a feature and when issues are revealed Microsoft backtracks. How are customers supposed to read Microsoft's mind?"

Many have not, but Microsoft officials say Excel is no way to safeguard data.

"If you give someone read access to an unencrypted file, there is really no way to protect the data," says Jeanne Sheldon, director of engineering services for Microsoft Office. "If you are trying to protect data this is not the way to do it."

Microsoft suggests a relational database for that level of security. However, Sheldon says Microsoft will clarify the intended use and limitations of hidden and password features in the next version of Excel, which likely won't ship until 2003.

"There is little awareness in the public on this because Microsoft appears to uphold the password protection [in the original document], creating an illusion of security when in fact there is none," says Ned Endler, EMA's IT manager. He says it is clear that people are making security assumptions based on the words "password" and "hidden" and the online help menus within Excel that say data is "protected" and can't be "unhidden."

Endler cites the U.S. Department of Agriculture's Web site, which includes a set of guidelines for producing secure documents that includes the method for securing Excel documents that is foiled by the technique.

"It's a disservice because of the ambiguity for the average user," Endler says.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

John Fontana

Computerworld
Show Comments

Brand Post

Bitdefender 2018

With determination and drive, you achieve outstanding performance! Get Bitdefender Total Security 2018 Now!

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?