I think it is moreso a misuse of the product. I've read many security policies and most of them say that sensitive/secure data needs to be encrypted. But I've never seen one that said MS Office encryption is the encryption to use. Now, most policies insist on 256bit AES or higher encryption for documents. Definitely not what MS Office is giving. I guess it really comes down to how secure is the product and how secure is it marketed.. I've never seen an MS document that says you can use MS Office encryption to secure government secrets. It's just not what the product was designed for.

If you are using MS Office to secure something that is worth the time of a cracker to find another encrypted copy and work through this, then you are not doing your job properly.

Does Word really need to do 256 AES encryption when there are so many other tools that do it so well? Word isn't a security product, it is a word processor. Leave the encryption to true encryption packages. It just amazes me that the experts in the field still love to find products that are not intended for secure use and then bash them. I guess they have to keep their name in the media somehow.

I just checked the MS Office 2k3 help file and this is what it says- "Note Requiring a password to modify a file does not encrypt the contents of the file."

So why the hell are these guys even writing the articles when the product documentation says it is not really encrypting the contents??????? The help file doesn't make a distinction between the weak XOR that is default and the MS Strong encryption that they used in this article, but either way. I'm not going to use a product for security purposes when the help file clearly says what I posted above.