Slashdot Mirror

← Back to Stories (view on slashdot.org)

Word 2007 Flaws Are Features, Not Bugs

Posted by Zonk on from the i-thought-that-was-just-a-programmer-joke dept.

PetManimal writes "Mati Aharoni's discovery of three flaws in Word using a fuzzer (screenshots) has been discounted by Microsoft, which claims that the crashes and malformed Word documents are a feature of Word, not a bug. Microsoft's Security Response Center is also refusing to classify the flaws as security problems. According to Microsoft developer David LeBlanc, crashes aren't necessarily DoS situations: 'You may rightfully say that crashing is always bad, and having a server-class app background, I agree. Crashing means you made a mistake, bad programmer, no biscuit. However, crashing may be the lesser of the evils in many places. In the event that our apps crash, we have recovery mechanisms, ways to report the crash so we know what function had the problem, and so on. I really take issue with those who would characterize a client-side crash as a denial of service.' Computerworld's Frank Hayes responds to LeBlanc and questions Microsoft's logic.'"

34 of 411 comments (clear)

  1. Ok. by Anonymous Coward · · Score: 1, Insightful
    In the event that our apps crash, we have recovery mechanisms, ways to report the crash so we know what function had the problem, and so on.

    And what about the document you were working on?

  2. Let me see... by AKAImBatman · · Score: 4, Insightful

    ...if I understand this correctly. Basically, a security researcher believes he's found a buffer overflow. However, he has not yet found a way to exploit that overflow because Word keeps crashing. Microsoft says that the crash is preventing any security hazard, and therefore there is none. Correct?

    I hate to say it, but I'm going to have to come down on Microsoft's side on this one. If it's a non-exploitable crash, then it's a simple bug in handling corrupt documents and nothing more. The researcher can ring everyone again once an exploit has been found.

    As for the DoS potential... seriously, why is everything a "Denial of Service" with these guys? It's a bad document. Word crashes. Life goes on. It's not like your computer is going to become unusable because Word crashed. You get minorly inconvenienced by the jerk who sent you the document, you figure out that the doc is bad, then you move on.

    --
    Javascript + Nintendo DSi = DSiCade
    1. Re:Let me see... by belmolis · · Score: 4, Insightful

      If the facts are as you've described, I agree that there isn't a security issue here. There is, however, still a bug. Anytime a program crashes for reasons other than hardware failure, there is a bug. If it takes really unusual input to do it and there are no security consequences, it may be a minor bug, but it is still a bug.

    2. Re:Let me see... by Deadbolt · · Score: 5, Insightful

      I hope you're not serious; if you are, I'm never letting you near any code I'm responsible for.

      By definition, the app crashing is a denial of service. It's no different than sending a Christmas tree packet to an ancient unpatched router: it goes boom, shuts down the network, no network service. Word crashes: boom, document maybe lost, no use of Word.

      A program must be able to recognize invalid input and take appropriate action. Allowing (or forcing) a crash is NOT acceptable.

      --
      "Honey, it's not working out; I think we should make our relationship open-source."
    3. Re:Let me see... by tkinnun0 · · Score: 3, Insightful

      Exceptions can be thrown, but they should be caught and used to halt the "bad actions", and revert back to a normal program state. In an unsafe language, like C++, as is the case with Word, once you have encountered undefined behavior, all bets are off. There is no way to be sure from within your program that you are not already running the attacker's code. The only thing you can do is tell the OS to shut down your program and hope the call goes through.

      In a safe language, like Java, and with a program that can be expressed as a work queue, you can isolate changes to global state and, in the case of a work item failing, provided your thread isn't in an endless loop, ignore the results from the item and carry on. Of course this doesn't mean that the global state is valid. In fact, a failing work item may be an indication that the program is being moved towards an invalid state, and the proper thing would be to crash.
    4. Re:Let me see... by Anonymous Coward · · Score: 1, Insightful

      Sounds like you're calling any crash a DoS. If that's the case, then DoS is pretty meaningless and is only used to sensationalize an issue.
      BTW, when Word crashes, the documents are saved in their current state, and the user is given the option to continue working on them next time Word is started.

    5. Re:Let me see... by Jherek+Carnelian · · Score: 3, Insightful

      A program must be able to recognize invalid input and take appropriate action. Allowing (or forcing) a crash is NOT acceptable.
      Sounds like you've never heard of a kernel panic.

      Sometimes immediately dying is the best option - when you reach a point in the code that "should never happen" then you can not count on the integrity of anything else within the program at the time. At that point the ONLY safe option is to "go boom" thus assuring that whatever the problem is, at least it won't corrupt anything else.
    6. Re:Let me see... by Eivind · · Score: 2, Insightful
      A kernel panic indicates one of two things:

      Either a bug in the kernel (included loaded modules)

      Or a malfunction or bug in one of the components the kernel needs to run (example: flaky memory)

      The first are the most common; we somehow got into a state we shouldn't be in. Thus we must have messed up, and the safer choice is to refrain from further actions, since we may be insane in general. These are nevertheless bugs, and should offcourse be acknowledged as such and fixed when possible.

      The second isn't really our fault. It's not really possible to write an OS in such a way that it gets the correct results even when the hardware it runs on gets it wrong. If the OS asks the CPU to calculate 2+2 and the CPU comes back with 5, there's not really much the OS can do about it.

      That being said, there's cases where Linux kernel-panics in situations where it'd be possible to recover. A failed disc can panic a kernel, yet that shouldn't really be possible, except for if that disc is used as swapspace. These are bugs, or at the very least missing features.

    7. Re:Let me see... by shutdown+-p+now · · Score: 2, Insightful

      Sometimes immediately dying is the best option - when you reach a point in the code that "should never happen"
      Yes, but no kind of input thrown at your program should result in the "it should never happen" code being reached (it's called that for a reason). If it is, then the program has a bug.
  3. Input validation by Skadet · · Score: 2, Insightful

    I'm going to go ahead and say that it's not necessarily a "security risk" as it is lazy coding. The majority of us here know the importance of input validation; just because the file ends in .DOC doesn't make it a bona-fide, working Word document.

    If Word went ahead and executed arbitrary code, that's one thing. But as it stands, it just crashes out. Elegant? Not by a long shot. Security risk? Not so much.

    --
    Sony ha
    1. Re:Input validation by idontgno · · Score: 4, Insightful

      If Word went ahead and executed arbitrary code, that's one thing. But as it stands, it just crashes out.

      You do understand that in many cases, a "crash" is when the software attempted to execute random garbage; and that if you tailored the garbage, you would have an arbitrary code execution vulnerability?

      A crash, frankly, is very often an incompletely exploited code execution vulnerability. That may not be so, here; but if the crash is caused by stack or heap corruption, there's a distinct chance the triggering dataset could be made into a shellcode exploit or the like.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  4. Better recovery... by kebes · · Score: 3, Insightful

    However, crashing may be the lesser of the evils in many places. In the event that our apps crash, we have recovery mechanisms, ways to report the crash so we know what function had the problem, and so on.
    Okay, handling crashing properly (saving some data, logging errors, etc.) is of course nice. However even the most graceful crash is, as far as "recovery mechanisms" go, pretty bad. A proper recovery mechanism would be rather less disruptive to the user... for instance a prompt that warns the user that something bad happened and the document is being rolled back to before the last action occured. Similarly logging of errors can be done properly without crashing the entire application. A log-file is generated, and the user keeps working even though the last action didn't work, hopefully with some feedback indicating why the last action didn't work.

    I am fully aware that writing bug-free software is impossible. Ultimately, it is unavoidable that crashes will occur. When they do occur, they should be handled as gracefully as possible. However one should not defend one's code (and coding flaws) by saying that "sure it crashes--but the crashes are part of our carefully engineered recovery mechanism!" That's a lame excuse, because if you're aware of a consistent crash condition, you should be able to code so that instead of crashing, the program does something more friendly.
  5. But seriously.... by beef623 · · Score: 4, Insightful

    I can see Mr. LeBlanc's point, that it's better to crash than open up your system, but it seems like they are taking this awfully lightheartedly. They're still bugs and they still need fixed. I think they are confusing debug features with release features.

  6. Word is a bug by dbfruth · · Score: 2, Insightful

    Damn. I thought the whole Word app was a giant bug. Turns out it is a feature that they can charge a lot of money for. It was confusing me since it only seemed useful if you wanted to butcher a document.

  7. Re:Let's just get this out of the way then... by Mateo_LeFou · · Score: 3, Insightful

    "Um, read that again, and see if you can find the problem. ;-)"

    I found two:
    1. No one reads TFA
    2. There are plurality of TFAs ...which means there's an error in your statement, which should read
    "Um, read that again, and see if you can find the problems. ;-)"

    There may be a plurality of errors in your statement, not sure ...

    *head explodes

    --
    My turnips listen for the soft cry of your love
  8. Re:I didn't know that by Skadet · · Score: 5, Insightful

    Why spend on testing, when you got paying consumers to do the bug reports for you?
    Because anything more complex than calc.exe is going to have weird bugs that can't discovered within a realistic timeframe to keep release dates. And if I'm not mistaken, open-source software does the same thing. BugZilla anyone? If it weren't for user feedback, a great majority of bugs wouldn't get fixed.
    --
    Sony ha
  9. Re:"That's the way it was designed!" by castle · · Score: 2, Insightful

    WAD is my most favored TLA for such responses, with a parenthetical 4 letter variant WA(P)D. Respectively Working As Designed and Working As (Poorly) Designed.

    Odds are with this particular component, they were on the way to reducing functionality in their core component to force you into buying a third party developed component that was actually well designed and or useful.

  10. To be even more pedantic for a moment... by poopdeville · · Score: 2, Insightful

    Unless you distribute a Word document exploiting the bug by email, for instance.

    --
    After all, I am strangely colored.
  11. explosive code? by Ajehals · · Score: 4, Insightful

    From the linked blog...

    1) Your code blew up, and you're about to get 0wn3d. Yup, it's exploitable, and the customers are not going to be happy.
    2) Your code blew up, and maybe it is exploitable, maybe not.
    3) Your code blew up, and you meant it to blow up, and it's clearly not exploitable.

    Since you are not coding specifically for your application to crash (Or I hope not) surely there can be no 3. 2 is as good as it gets, you have done everything you can to prevent your code "blowing up" you have tried to handle anything that can be thrown at it gracefully, and you have done everything to ensure that when if and when things do go wrong they can do no damage, that's 2, not 3. If you cannot foresee and prevent every possible thing that could cause your application to crash (which you can't), then how can you foresee every possible way in which that unforeseeable crash could be exploited. All you can ever do is your best.

    Next up, from the article:

    Two of the three bugs result in a denial-of-service-like situation, with the PC's processor maxed out at 100%, making the machine unusable until it's rebooted. The third, Aharoni suggested, could be used to introduce remote attack code after an exploit causes an overflow of "wwlib.dll," a crucial Word library. But "code execution is not trivial," he added.

    If described correctly then these bugs all pose a risk. sure the first two are minor risks, the later is major, but all three are bugs that should be listed as security vulnerabilities. I would suggest that the reason that they are currently not being seen as such by Microsoft, is simply that no one can be sure if the conditions required to trigger them could be utilised by anyone wishing to take advantage of them, and thus they are theoretically less threatening than many of the other issues that have plagued Microsoft Applications in the past.

    In the end however we should be simply sating that a problem exists, it may be a security risk, and until it is fixed, we will treat it as such. Anything else (rightly or wrongly) simply smells like someone is covering up issues, and lets be frank, Microsoft doesn't have enough good will for that to be acceptable.

  12. Firefox crashes on malformed intput too by 140Mandak262Jamuna · · Score: 3, Insightful

    Almost all the programs crash on invalid input, even Firefox and OpenOffice. So, hate to say it, MSFT is right in claiming that it is better to crash than to give a command line shell. But so many of the MSFT buffer overrun problems start out as crashes and people keep probing and probing and bingo, it becomes a remote code execution flaw. I thing the Windows Meta File graphics handling bug was a low priority crash bug for a long time before it became a remote code execution vulnerability. So while porturing it as "not a bug", hope they quietly work in the background and fix the issue.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  13. Re:He's got half a point by Anonymous Coward · · Score: 1, Insightful

    It's a fine solution. But call a spade a spade and say:
    "Sorry guys, but we're leaving this bug open for now because it's too hard to fix it securely."

    Do not come up with lies like:
    "This is a well-designed application and even those crashes you experience are an intentional part of our security design."

  14. OOPS, I ripped my pants! by Anonymous Coward · · Score: 1, Insightful

    Has anyone seen the Spongebob episode where he keeps everyone laughing by ripping his pants on purpose?

    (Think about it, it's not offtopic.)

  15. Programmer as a dog by The+Media+Mechanic · · Score: 1, Insightful

    according to this guy, you train a programmer as if it were a dog. You punish it by yanking on the leash, when they make too many bugs. You reward it by giving it a biscut when it does something good, like write an amazing piece of software with crappy design documents as input.

    Do managers really think this way ? Are we looked upon as professionals ? Or merely some kind of, easily trained, excitable, bark at the mailman, get lonely when the master leaves us alone and doesn't play fetch with us, peculiar species of mammal ?

    --
    I can throw as many stones as I wish; my house is made of transparent aluminum.
  16. Insightful?! by Ahnteis · · Score: 1, Insightful

    Come on mods. Funny? Yes! Insightful? Not even close.

    We all get it--Linux is better; Windows is for Losers; OSX is pretty but someone else with money can buy it.

    Many people use Windows daily without the problems that caused you such trauma that you continue to rant about it daily. Get over it.

    Don't like Windows for idealogical reasons? Fine.
    Don't like it from a security standpoint? Fine.
    Don't like it because it looks ugly and stole your candy? Fine.

    But it's impossible to take you seriously when you employ the *same tactics* of FUD that you like to claim every single time Microsoft says anything.

    1. Re:Insightful?! by Anonymous Coward · · Score: 0, Insightful

      See, that is the disconnect between many OSS users and many of you Windows users. Those "features" you mention are important to you. So, therefore, they are important to everybody, right?

      But you fail to think that someone may not care about that. What if you don't play games (*gasp*)? What if you don't want to use the software from the stores? Hum?

  17. I guess it is an attitude problem. by alberion · · Score: 3, Insightful

    I guess it is an attitude problem.
    If they said their software is sold "as it is" and that it possibibly had problems and were humble enough to admit it, there would be fewer MS-haters out there.
    I agree with you on the impossibility of completly testing a software of the complexity of Word. No argument there.

    BTW, calc.exe already GPFed on me. :)

  18. I would have been given an F by Dancindan84 · · Score: 2, Insightful

    I'm not 100% certain, but I'm pretty sure that my programming professors would have given me an F if as part of input validation I had put:

    if (isExploit){
    crashApplication();} // this is to prevent abusing an exploit Prof. X... no really...

    ... so how is it that Microsoft (or anyone else) thinks they can argue that this is intended? Does it stop the exploit from being used? Possibly, but that does not mean that they should get to shrug this off as "not an issue". There -has- to be a more elegant way to handle it.

    --
    "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
  19. Straw man by Thrip · · Score: 1, Insightful

    Microsoft never said it's a feature or denied it's a bug. Their only contention is that it's not a security risk, and they back that up pretty well. Please stop diluting the force of my well-targeted anti-Microsoft rants with these mindless assaults on straw men.

    --
    I'm awake! The answer is BONK!
  20. Pre-processing doesn't work? by guruevi · · Score: 2, Insightful

    I don't know how exactly the bug came above, but don't you think that inputting any UTF-8 text into Word shouldn't crash the system? Ok, I can agree that you don't want to accept bad data, but just reject it then. I mean, Word 2007 is now based on XML (or so they say). If the XML is wrong, it would be simple to detect that using an XML parser, which you could perfect and use for several applications. It's not THAT difficult to create a good set of XML/data parsers which gives you the status OK or NOT OK and then allows it to go into the system.

    In software programming, just as much as in web programming, there is a saying: never trust the input, no matter where (you think) it comes from.

    If it crashes in any other way (overwriting memory, input through plugins like SOAP or so) the same is true, it is Bad Programming (c) because you either didn't check the input, or didn't protect your share of memory.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  21. Re:We work on data driven apps (police RMS) by DaleGlass · · Score: 2, Insightful

    I think your sort of crash is an intentional abort.

    There's a BIG difference between an application writing junk to memory and crashing somewhere in malloc because things are completely hosed, and an application deciding data makes no sense and orderly aborting the operation.

    Your program seems to do the second one, which is good. It's perfectly appropiate for the program to quit if it's for example a commandline program for batch processing. Were it a GUI program you'd stop processing, produce an error, and let the user retry or whatever. You could do that because your program is still working and in a sane state.

    The Word crash isn't that, the application fails completely with an access violation. If you were running it under an IDE you'd be looking at the debugger and a stack trace. MS Word couldn't continue in this situation because at this point the state is corrupt -- there's no hope of recovering from it.

  22. Re:He's got half a point by Anonymous Coward · · Score: 1, Insightful

    No, he doesn't have half a point. Because:

    1) If the spokedroid said "we have a bad bug there, and fixing it will be too costly because it will slow the opening of well-formed document, so we implemented the emergency exit as a workaround before we can provied a real fix", then he may have half a point. But this is NOT what he said.

    2) Furthermore, if they can detect the issue when it occurs, then can exit nicely (putting a MsgBox, then exiting). Because, if they don't tell the user that the document he opened caused the crash, then the user will try again

    3) In any case it is a bug, and cannot be turned into a feature by the spokedroid, or the ActiveApologists

    Anyway, when the most powerful development shop on the planet, owned by the richest guy in the world pretend that a crash in the most used application ever is not important, then, there is something rotten in computer science.

  23. Walk into a store by Peaker · · Score: 3, Insightful

    Hahahaha!
    That is so early 90's!
    Hello?? We have the internet!
    Software can be downloaded!

    In Windows, I can't just type in "office", click the resulting "kde office" and "open office" programs, and have them automatically downloaded for me, without fuel being burnt to get the bits from there to my computer. Amazing!

    Also, I can just type in almost anything I may want my computer to do - and behold, one of more than 10,000 programs shows up which can be installed with a single click!

    Oh wait, there's more. When I play a movie in full-screen, a bunch of "Would you like to update me?" dialogs of various programs don't jump up at me!
    In fact, *all* (and that means all software you have) updating is done from a central location - by clicking the update icon.

    Oh, Windows doesn't have that? Pitty, maybe I should stick to Linux!

  24. Re:I didn't know that by xero314 · · Score: 3, Insightful

    You can write bug free software, it's just several orders of magnitude more expensive and time consuming to write it. I was gonna let all this slide by but after reading that line I had to jump in. This is complete rubish. An absolute line made up by supporters of Agile development and Frauds out to suck millions of dollars from ignorant venture capitalists. Look I'm sick of hearing this. As a software Engineer I have experienced bad software development and good software development, and believe it or not, good, solid, bug free (99.9%) software takes less time to design, write and test, than the majority of the crap beta software corporations like MS spits out to the unsuspecting public. And that's not even getting into the fact that programs like word are far more complex than they need to be to accomplish exactly what they end up doing.

    I'd apologize for the rant but this kind of bullshit spouted by slack ass "Programmers" and "Developers" just pisses me off to no end. Keep thinking your gonna have that job security you always wanted by making sure there's no one else that can weed threw your garbled mesh of spaghetti, when in reality making software that actually works if far more job securing. But then again I would probably be out of work if the "developers" of the world actually did their shit right since organizations would need people like me to clean it all up.

    Fuck the karma, some one had to finally clear this up, too bad no one in a position to actually change things will read this.
  25. Re:I didn't know that by xero314 · · Score: 2, Insightful

    I will assert that the reason you don't find critical bugs in your programs is because they are either trivial or because they aren't stressed enough. You can assert all you would like, but you would be wrong. Oddly enough, bug riddled software like Office Suites are far more trivial, being common place, ordinary and even of little importance, than the most bug free software, including projects I have lead. Non-trivial software, such as where lives are at stake, does not have these types of flaws, or are less likely to have these flaws.

    Even the acknowledged experts in this field such as the OpenSSL and OpenBSD... Anyone that has known me realizes I am no supporter of Software projects that allow pretty much anyone to put their hands in the code (which is not to be confused with the concept of free or open source software), so using the examples of OpenSSL and OpenBSD developers as an example of "experts" is not going to go far. But that being said both of those projects are well above average in quality and that is without the ability to use strict engineering techniques.

    If you are looking for a "silver bullet" to all the woes of software development you are not going to find it, just like the architects and physical engineers of the world have never found one in their fields. But what Engineers have found is that building something right the first time is the most effective (a.k.a. cheapest) way to build. It may be sad but if we started allowing users and clients to sue for bugs in software you would see software become more stable and bug free fast. Yes it does take a lot of resources to build something that will last the test of time, but it's far more effective than rebuilding it for eternity (could you image trying to keep the Great Pyraminds standing had they been built from cheap materials like card board, or should I say papyrus board).