OFFICE By Mary Branscombe Inside every Office file is a hierarchy of formats and XML markup. If you understand these structures, you can use that know
[See the full post at: Understanding Office document formats]
![]() |
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
SIGN IN | Not a member? | REGISTER | PLUS MEMBERSHIP |
-
Understanding Office document formats
Home » Forums » Newsletter and Homepage topics » Understanding Office document formats
- This topic has 10 replies, 6 voices, and was last updated 7 months ago.
AuthorTopicMary Branscombe
AskWoody MVPApril 29, 2024 at 2:44 am #2665257Viewing 5 reply threadsAuthorReplies-
MikeLainhart
AskWoody Plus -
Mary Branscombe
AskWoody MVP
-
-
bbotz
AskWoody PlusApril 29, 2024 at 1:24 pm #2665435I knew how to get to the zip format for Excel, but never looked for the other formats. I must say you did a great job explaining the file storage structure. Thanks!!!
1 user thanked author for this post.
-
RetiredGeek
AskWoody_MVPApril 29, 2024 at 1:39 pm #2665437Mary,
Great article! This is very useful information.
RG
1 user thanked author for this post.
-
TechTango
AskWoody PlusApril 29, 2024 at 10:28 pm #2665571Mary, thank you for all the handy information. This leads me to a question:
I’m an Office 365 subscriber and occasionally will password protect Word docx files which also encrypts them with SHA-256 military encryption. It certainly passes the HEX editor test, but as complex as MS Word has become I sometimes wonder if this can create vulnerabilities in the SHA-256 structure.
What is your take on this?
Desktop mobo Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad. -
Mary Branscombe
AskWoody MVPMay 16, 2024 at 1:45 pm #2672143TechTango, the complexity of what you’re encrypting doesn’t affect the protection you get from an encryption scheme. Although there’s the possibility of collisions with SHA-256, the numbers involved are astronomically large and the amount of computation required is currently unfeasible assuming the cryptography has been implemented well (and as Mike points out, Microsoft’s implementation has been audited and widely tested). Although there are tools that can crack password hashes, they work best if people have used weak passwords so you can protect yourself by making sure you pick a strong one. In fact, the fact that Microsoft had to make a tool called DocRecrypt for IT admins to switch Office document encryption to be managed by certificates that allow the IT team to unlock documents when people forget their password suggests that the password protection is pretty secure. The main threat is people guessing your password, so again, make sure it’s a good one!
-
-
Mike
GuestMay 2, 2024 at 8:36 am #2666589IIRC, Microsoft began using the OPC (Open Packaging Conventions) containers to store office files circa ~2006/2007? I think it debuted publicly in Office 2007.
@TechTango AES256 (vs SHA256) would be used for the encryption. I have never personally validated it’s implementation as used for Office files, but I recall writing decryptors for such files in the past and the data successfully decrypted.Encryption done correctly (initialization vectors, random padding, feedback, etc.) theoretically mitigates many of the publicly known vulnerabilities. It’s highly likely many have analyzed MSFT’s implementation to confirm it was done correctly. That doesn’t stop MSFT from screwing the code up again later. A larger threat is the push to move to ECC, FIDO/2 and other “just trust us, we deleted the seed values so it’s secure” crypto systems.
My advice: For anything that must be kept absolutely secure– don’t store it on a computer. If you must store it on a computer, don’t interface with it using Windows.
Good luck!
-
Mary Branscombe
AskWoody MVPMay 16, 2024 at 1:50 pm #2672148yes, Office Open XML has been around for a while: Office 2000 and 2003 let you create documents programmatically using .NET and XML but the new file format came in with Office 2007 and then got standardised through ECMA. But it turned out we’d never written up how you could use it for more than just saving files!
-
-
TechTango
AskWoody PlusMay 16, 2024 at 8:57 pm #2672273The main threat is people guessing your password, so again, make sure it’s a good one!
Thank for your detailed response. VERY helpful, and yes, my PW is a super solid assortment of numbers, characters, upper & lower letters. 20 of them = brute force over 19qn years.
Desktop mobo Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad. -
Mary Branscombe
AskWoody MVPOctober 18, 2024 at 11:08 am #2711183returning to this to note that NIST guidance on secure passwords is changing from the hard to remember mix of special characters and cases to longer strings made up of a multiword phrase; PickAMemorablePhrase (or the classic BatteryHorseStaple) should be easier to remember but just as hard to crack. Making security simple enough for people to use properly improves security.
1 user thanked author for this post.
-
Viewing 5 reply threads -

Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Welcome to our unique respite from the madness.
It's easy to post questions about Windows 11, Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.
Search Newsletters
Search Forums
View the Forum
Search for Topics
Recent Topics
-
You can’t handle me
by
Susan Bradley
12 minutes ago -
Chrome Can Now Change Your Weak Passwords for You
by
Alex5723
1 hour, 10 minutes ago -
Microsoft: Over 394,000 Windows PCs infected by Lumma malware, affects Chrome..
by
Alex5723
2 hours, 18 minutes ago -
Signal vs Microsoft’s Recall ; By Default, Signal Doesn’t Recall
by
Alex5723
2 hours, 29 minutes ago -
Internet Archive : This is where all of The Internet is stored
by
Alex5723
2 hours, 41 minutes ago -
iPhone 7 Plus and the iPhone 8 on Vantage list
by
Alex5723
2 hours, 47 minutes ago -
Lumma malware takedown
by
EyesOnWindows
10 hours ago -
“kill switches” found in Chinese made power inverters
by
Alex5723
11 hours, 34 minutes ago -
Windows 11 – InControl vs pausing Windows updates
by
Kathy Stevens
11 hours, 28 minutes ago -
Meet Gemini in Chrome
by
Alex5723
15 hours, 34 minutes ago -
DuckDuckGo’s Duck.ai added GPT-4o mini
by
Alex5723
15 hours, 42 minutes ago -
Trump signs Take It Down Act
by
Alex5723
23 hours, 41 minutes ago -
Do you have a maintenance window?
by
Susan Bradley
10 hours, 50 minutes ago -
Freshly discovered bug in OpenPGP.js undermines whole point of encrypted comms
by
Nibbled To Death By Ducks
1 hour, 53 minutes ago -
Cox Communications and Charter Communications to merge
by
not so anon
1 day, 3 hours ago -
Help with WD usb driver on Windows 11
by
Tex265
1 day, 8 hours ago -
hibernate activation
by
e_belmont
1 day, 11 hours ago -
Red Hat Enterprise Linux 10 with AI assistant
by
Alex5723
1 day, 15 hours ago -
Windows 11 Insider Preview build 26200.5603 released to DEV
by
joep517
1 day, 18 hours ago -
Windows 11 Insider Preview build 26120.4151 (24H2) released to BETA
by
joep517
1 day, 18 hours ago -
Fixing Windows 24H2 failed KB5058411 install
by
Alex5723
14 hours, 54 minutes ago -
Out of band for Windows 10
by
Susan Bradley
1 day, 23 hours ago -
Giving UniGetUi a test run.
by
RetiredGeek
2 days, 6 hours ago -
Windows 11 Insider Preview Build 26100.4188 (24H2) released to Release Preview
by
joep517
2 days, 14 hours ago -
Microsoft is now putting quantum encryption in Windows builds
by
Alex5723
9 hours, 54 minutes ago -
Auto Time Zone Adjustment
by
wadeer
2 days, 18 hours ago -
To download Win 11 Pro 23H2 ISO.
by
Eddieloh
2 days, 16 hours ago -
Manage your browsing experience with Edge
by
Mary Branscombe
15 hours, 45 minutes ago -
Fewer vulnerabilities, larger updates
by
Susan Bradley
1 day, 9 hours ago -
Hobbies — There’s free software for that!
by
Deanna McElveen
9 hours, 23 minutes ago
Recent blog posts
Key Links
Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.
Mastodon profile for DefConPatch
Mastodon profile for AskWoody
Home • About • FAQ • Posts & Privacy • Forums • My Account
Register • Free Newsletter • Plus Membership • Gift Certificates • MS-DEFCON Alerts
Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.