This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Why does clicking on an attached password-protected MS Word file launch the file and bypasses the password protection?

  • 6 cavab
  • 1 has this problem
  • 2 views
  • Last reply by Matt

more options

Using Thunderbird 24.6.0 under Windows 7 I received a MS Word file (docx format) as an attachment. The file was passord-protected, with the password supplied in a separate e-mail. To launch the file, I double-clicked on the attachment icon. The file opened and displayed the full contents without any prompt for the password. (Saving the file to my computer and opening it from Word triggered the password prompt as expected.)

The whole point of sending password-protected files by e-mail is that anyone intercepting the file should not be able to open it without the password. Why does Thunderbird bypass this protection?

Using Thunderbird 24.6.0 under Windows 7 I received a MS Word file (docx format) as an attachment. The file was passord-protected, with the password supplied in a separate e-mail. To launch the file, I double-clicked on the attachment icon. The file opened and displayed the full contents without any prompt for the password. (Saving the file to my computer and opening it from Word triggered the password prompt as expected.) The whole point of sending password-protected files by e-mail is that anyone intercepting the file should not be able to open it without the password. Why does Thunderbird bypass this protection?

Chosen solution

seriously you and you associate should investigate S/Mime.

Whilst business certificates cost, they are free from Comodo for personal use, so the learning can be done without cost.

But if both of you have a certificate and install it. (you have to digitally sign your mail.) encrypting mail content including attachments is as simple as clicking Options menu > encrypt this message when you compose your mail.

No passwords, no email with password and subsequent attachments in another mail. From your end, you get a guarantee that the message you receive is unchanged from what it showed when it was sent and anyone who intercepts the message in transit would need the key that is installed on the recipients computer to decode the contents, unlike the normal plain text that is sent. And you do not notice anything other than a couple of icons when you read the mail as decryption is done on the fly.

Note that email certificates are delivered to your browser when you click a link in an email from the supplier and must be exported from the browser certificate store and imported to Thunderbird's certificate store.

Read this answer in context 👍 0

All Replies (6)

more options

Thunderbird has no idea what a socx file is, other than that there is a MIME type for them.

When you open an attachment, the file is written to a systems temporary folder, and either the pre recorded helper application that knows what such a file is, is called with the file as a parameter or windows is passed the file name and your asked what to do with it.

Thunderbird does not read, open or edit the attachment in any way. So if anything you have uncovered a security bug in word.

more options

BTW S/Mime is the encrypted version of email using digital signatures and is the real way to ensure your mail is not snooped and not modified.

Unfortunately it appears getting and using email certificates is beyond the capacity of most people. Or at least that was what the Microsoft server mailing list overwhelmingly replied when I asked.

more options

Clear, thanks. Next stop a bug report to Microsoft.

more options

I would be interested to hear how you get on.... Not everyday you hear of something like this.

more options

Since my original post, I have done some more digging, by trying to make the problem happen. Turns out not to be a bug, but a misused feature. The guy who sent me the file invoked Word password protection in a way that I wasn't aware of: If you do this via Word "Save As", then select Tools, General Options, you are prompted for "Password to Open" and "Password to Modify". If you choose the "Password to Modify" option and save, then opening the file from Word gives you the option of entering the password or opening Read-Only. However, if you launch from an e-mail attachment, the helper application sees that the file is in a temporary sytstems folder and automatically opens it read-only, therefore bypassing the password prompt.

So where I was expecting a secure document with a "password to open", I received an insecure document with a "password to modify".

more options

Seçilmiş Həll

seriously you and you associate should investigate S/Mime.

Whilst business certificates cost, they are free from Comodo for personal use, so the learning can be done without cost.

But if both of you have a certificate and install it. (you have to digitally sign your mail.) encrypting mail content including attachments is as simple as clicking Options menu > encrypt this message when you compose your mail.

No passwords, no email with password and subsequent attachments in another mail. From your end, you get a guarantee that the message you receive is unchanged from what it showed when it was sent and anyone who intercepts the message in transit would need the key that is installed on the recipients computer to decode the contents, unlike the normal plain text that is sent. And you do not notice anything other than a couple of icons when you read the mail as decryption is done on the fly.

Note that email certificates are delivered to your browser when you click a link in an email from the supplier and must be exported from the browser certificate store and imported to Thunderbird's certificate store.