One
of the most important rules of stream ciphers is to never use the same
keystream to encrypt two different documents. If someone does, you can
break the encryption by XORing the two ciphertext streams together. The
keystream drops out, and you end up with plaintext XORed with plaintext
— and you can easily recover the two plaintexts using letter frequency
analysis and other basic techniques.
It's an amateur crypto mistake. The easy way to prevent this attack
is to use a unique initialization vector (IV) in addition to the key
whenever you encrypt a document.
Microsoft uses the RC4 stream cipher in both Word and Excel. And they make this mistake. Hongjun Wu has details (link is a PDF).
In this report, we point out a serious security flaw in
Microsoft Word and Excel. The stream cipher RC4 [9] with key length up
to 128 bits is used in Microsoft Word and Excel to protect the
documents. But when an encrypted document gets modified and saved, the
initialization vector remains the same and thus the same keystream
generated from RC4 is applied to encrypt the different versions of that
document. The consequence is disastrous since a lot of information of
the document could be recovered easily.
This isn't new. Microsoft made the same mistake in 1999 with RC4 in WinNT Syskey. Five years later, Microsoft has the same flaw in other products. [Schneier on Security]