Does the woot16-paper RMS whitepaper still apply to Sensitivity labels?

Question

A user sent in https://www.usenix.org/system/files/conference/woot16/woot16-paper-grothe.pdf regarding our new sensitivity labels.

Is there a CVE for this specific incident and does that apply to the sensitivity labels encryption on files?

Answer 1

I believe that the attack will be still sucessful, since the protection mechanism has not changed. Anyway, the attack will be sucessful only if you have some rights on the content e.g. you can request a use license.

Some information is also available on the researchers web site https://web-in-security.blogspot.com/2016/07/how-to-break-microsoft-rights.html

Martin

Answer 2

@JonasSysadmin
Thank you for the quick response! For the MSRC case, I'd recommend reaching out to our Microsoft Security Response Center via their webpage.

When it comes to sensitivity labels, it's recommended to Migrate from AD RMS to Azure Information Protection(AIP). With AIP, you must be the owner of the file to remove protection, or been granted permissions to remove protection (the Rights Management permission of Export or Full Control). For more info. Lastly, with the Unified labeling client, labeling and protection actions aren't supported. However, for an AD RMS deployment, the viewer can open protected documents when you use the Active Directory Rights Management Services Mobile Device Extension.

I hope this helps!
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.