Excel's dirty little secret

Microsoft Excel, the predominant spreadsheet in use today, contains a feature that could expose sensitive corporate data once the document is distributed within a company or among trading partners.

That feature is drawing an increased level of attention from researchers and Excel users alike as its implications become more fully understood. One expert calls it "as potentially damaging" as many of the most recent viruses.

Excel has features that allow spreadsheet creators to hide, lock and/or password-protect data and mathematical calculations used in original documents. These features seemingly provide a measure of data security to conceal specified data from prying eyes.

In reality, that data can be exposed by any end user who can execute a simple copy-and-paste procedure. It takes fewer steps to reverse the security than it does to set it up.

When Excel data is copied using the "copy all" command and pasted into a new spreadsheet, it exposes the hidden and password-protected cells, which may contain data such as employee salaries, return-on-investment or expense report calculations, or request-for-proposal formulas. Excel users must execute an "unhide" command in Excel before they see the previously protected data in the spreadsheet copy, but in non-Microsoft spreadsheets the hidden cells are automatically revealed.

Unless access to the document is locked down, Excel cannot protect any information, although the program gives the illusion that it can, critics say.
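An added example, not from the original article or from Microsoft: a pre-distribution audit that lists hidden and "protected" content still stored unencrypted in a workbook. It assumes the later .xlsx (Office Open XML) file format, which the article does not cover; the function names and the sample workbook are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, swap in defusedxml.ElementTree

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": M}

def audit_xlsx(data: bytes) -> list:
    """List hidden or 'protected' content that is still stored unencrypted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for s in wb.findall("m:sheets/m:sheet", NS):
            if s.get("state") in ("hidden", "veryHidden"):
                findings.append(f"hidden sheet: {s.get('name')}")
        parts = [n for n in z.namelist() if re.fullmatch(r"xl/worksheets/[^/]+\.xml", n)]
        for part in sorted(parts):
            ws = ET.fromstring(z.read(part))
            if ws.find("m:sheetProtection", NS) is not None:
                formulas = sum(1 for _ in ws.iter(f"{{{M}}}f"))
                findings.append(f"{part}: protected, {formulas} formula(s) readable")
            for col in ws.findall("m:cols/m:col", NS):
                if col.get("hidden") in ("1", "true"):
                    findings.append(f"{part}: hidden columns {col.get('min')}-{col.get('max')}")
            for row in ws.findall("m:sheetData/m:row", NS):
                if row.get("hidden") in ("1", "true"):
                    findings.append(f"{part}: hidden row {row.get('r')}")
    return findings

def build_sample() -> bytes:
    """Constructed sample holding only the two package parts the audit reads."""
    workbook = (f'<workbook xmlns="{M}"><sheets>'
                '<sheet name="Expenses" sheetId="1"/>'
                '<sheet name="Salaries" sheetId="2" state="hidden"/>'
                '</sheets></workbook>')
    sheet1 = (f'<worksheet xmlns="{M}"><cols><col min="3" max="3" hidden="1"/></cols>'
              '<sheetData><row r="2" hidden="1"><c r="C2"><f>B2*0.31</f></c></row>'
              '</sheetData><sheetProtection sheet="1"/></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_xlsx(build_sample()):
        print(finding)
```

A workbook encrypted with a password to open is not a ZIP package, so `zipfile.ZipFile` raises `BadZipFile` on it; that is the case where the contents are not readable this way.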

The result for large corporations is that millions of Excel documents shared between co-workers and business partners could become a security breach for confidential data.

"I thought there was some security. I had no idea," says Jeff Ostroff, the owner of a Web site that offers car-buying tips and free spreadsheets designed to calculate deals. Ostroff's site states that password protection is used on Excel so viewers cannot manipulate or hijack his formulas. "I'm surprised it is that easy to expose the data," he adds.

Ostroff believes that 99% of users don't know the secret. "We get requests for the passwords all the time from people who want to change the formulas."

Some say the issue creates a major security concern.

"The method of password-protecting data in Excel is something companies around the world rely on," says Rick Sturm, president of Enterprise Management Associates (EMA), a consulting and research firm that encountered the security hole when it was creating spreadsheets to share with clients. "This is like putting a password on a document while also supplying a Post-It Note revealing the password. It's as potentially damaging as some of these recent viruses that have spread around the world."

A simple example, according to EMA researchers, is that a user could copy and paste an expense report to another spreadsheet as a way to expose a password-protected mileage calculation formula. The mileage reimbursement figure could be increased from .31 to .81. The user would then save the document with the same name as the original and send it back, even password-protecting the new formula.

Microsoft officials say the ability to password-protect and hide data is not a "security" feature but a "display" feature. That means that while creators of spreadsheets can hide data from display, or protect it from manipulation on the original document, they cannot safeguard or secure it from view or manipulation if another user copies and pastes the data.

Experts say perception is the critical factor.

"The key question is what does the typical Excel user expect," says Richard Smith, an independent Internet security and privacy consultant and former CTO of the Privacy Foundation.

"The user is led to believe you get some level of security," Smith says. "People's expectations of the feature are different from Microsoft's. It's a classic overselling of a feature and when issues are revealed Microsoft backtracks. How are customers supposed to read Microsoft's mind?"

Many have not, but Microsoft officials say Excel is no way to safeguard data.

"If you give someone read access to an unencrypted file, there is really no way to protect the data," says Jeanne Sheldon, director of engineering services for Microsoft Office. "If you are trying to protect data this is not the way to do it."

Microsoft suggests a relational database for that level of security. However, Sheldon says Microsoft will clarify the intended use and limitations of hidden and password features in the next version of Excel, which likely won't ship until 2003.

"There is little awareness in the public on this because Microsoft appears to uphold the password protection [in the original document], creating an illusion of security when in fact there is none," says Ned Endler, EMA's IT manager. He says it is clear that people are making security assumptions based on the words "password" and "hidden" and the online help menus within Excel that say data is "protected" and can't be "unhidden."

Endler cites the U.S. Department of Agriculture's Web site, whose guidelines for producing secure documents include the method for securing Excel documents that this technique foils.

"It's a disservice because of the ambiguity for the average user," Endler says.

John Fontana

Computerworld