Slashdot Mirror

← Back to Stories (view on slashdot.org)

Word 2007 Flaws Are Features, Not Bugs

Posted by Zonk on from the i-thought-that-was-just-a-programmer-joke dept.

PetManimal writes "Mati Aharoni's discovery of three flaws in Word using a fuzzer (screenshots) has been discounted by Microsoft, which claims that the crashes and malformed Word documents are a feature of Word, not a bug. Microsoft's Security Response Center is also refusing to classify the flaws as security problems. According to Microsoft developer David LeBlanc, crashes aren't necessarily DoS situations: 'You may rightfully say that crashing is always bad, and having a server-class app background, I agree. Crashing means you made a mistake, bad programmer, no biscuit. However, crashing may be the lesser of the evils in many places. In the event that our apps crash, we have recovery mechanisms, ways to report the crash so we know what function had the problem, and so on. I really take issue with those who would characterize a client-side crash as a denial of service.' Computerworld's Frank Hayes responds to LeBlanc and questions Microsoft's logic.'"

8 of 411 comments (clear)

  1. He's got half a point by Red+Flayer · · Score: 3, Interesting

    Say you have a known vulnerability in your code, which fixing would require rebuilding your app from scratch (or damn near close enough to make it too expensive to fix). Also say that you have the capability to detect an attempt to take advantage of the flaw before any damage is done, and that shutting down the app will prevent further damage.

    Wouldn't it be a good idea to shut down the app to prevent your whole network getting hosed? And doesn't the pain-in-the-assitude for the user maybe prevent them from opening shady docs the next time around?

    Admittedly, it would be best if the flaw never existed in the first place. But if fixing the flaw outright is out of the question, why isn't this a good solution?

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  2. Re:Let me see... by Ckwop · · Score: 5, Interesting

    owever, he has not yet found a way to exploit that overflow because Word keeps crashing. Microsoft says that the crash is preventing any security hazard, and therefore there is none.

    The Open BSD guys have a philosophy: "The only difference between a bug and a vulnerability is the intelligence of the attacker."

    I wish more programmers held this view! A bug is an undefined state of the program. It's quite clear that this is a dangerous position for your program to be in. Bug really are baby vulnerabilities. It's best to remove them as soon as you find them.

    Simon

  3. Re:Let me see... by kebes · · Score: 4, Interesting
    I totally agree that calling this a security flaw or DoS is silly. Until it is actually used to exploit the program, it's not a confirmed security flaw.

    However using bad documents to crash Word is still a flaw in Word, in my opinion. The application should just say "Can't open bad/corrupted document" and let the user keep working. In the blog he says:

    The theory is that it is better to crash (at least with client apps) than it is to be running the bad guy's shell code.
    I understand the rationale, but I would argue it's rather sloppy programming that uses a crash as a means to prevent such bad things from happening. Exceptions can be thrown, but they should be caught and used to halt the "bad actions", and revert back to a normal program state.

    Obviously it is better to crash than to execute arbitrary enemy code. However it's better still to just refuse to execute arbitrary code, but otherwise keep running. The problem with using crashing as a security system is that then the "bad guys" will try to crash your application on purpose (calling it a DoS is a stretch, mind you), which opens up new security problems. (A crashing app may expose other security vulnerabilities, disclose otherwise protected information, destabilize other apps/the OS, etc.)
  4. Taking a page from Apple... literally by PCM2 · · Score: 5, Interesting

    The old Apple ][ Reference Manual included a few pages of technical terms, with definitions. Buried among entries like track, sector, stack, and interrupt was this gem:

    feature n. A bug, as described by the marketing department.

    --
    Breakfast served all day!
  5. Re:I don't see the problem by qualidafial · · Score: 5, Interesting
    During the last EclipseCon, Hugh Thompson (of in-flight Tetris crashing fame) showed us a hack in notepad discovered using fuzz testing. Open up a fresh notepad and type in the words, "this app can break" (without the quotes). Then save the document to file, close notepad, and double-click the file you just saved to bring it back up in notepad. Everything will appear as squares. Not a major exploit, and definitely not a DoS, but kind of interesting.

    Apparently that specific line of text exploits the way that notepad determines whether the file is encoded in ASCII or Unicode.

  6. Re:Let me see... by misleb · · Score: 4, Interesting

    The point is that a malformed documented shouldn't throw a word processor into an unrecoverable state. That is a bug. I don't know whether or not it is a denial of service attack. That is debatable, but not properly handling an exception in a document is definitely a bug. A word processor can simply tell the user, "hey, this document is fucked, I can't open it." If it just crashes, the user could possibly lose data in other open documents. And that is a Bad Thing(tm).

    -matthew

    --
    "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
  7. Re:What by hey! · · Score: 3, Interesting

    Actually, in my opinion he's right.

    People act as if a crash is the worst thing in the world. Generations of programmers have been trained to think of a crash bug as the ultimate badge of shame. The problem is that it is not, by far, the ultimate mistake.

    I think it's useful to keep this in perspective. It's better that you crash the user's car than run over the user's baby. I always tell guys who work for to to place bugs in the following order of severity (1 is highest severity):

    1) user's system security is compromised.
    2) user's data is corrupted or lost.
    3) give wrong answers that aren't obvious (2 and three might be interchanged in some circumstances)
    4) crash bugs and obvious garbage output

    It's not that crash bugs are good. It's that given a choice between a crash and things higher on the list, you ought to choose the crash.

    This is not a choice that, once upon a time, we had to make. Crashes happen when a condition you hadn't anticipated happen, so they were not (as a rule) a matter of choice.

    Java checked exceptions changed that, and required that I develop clear priorities. For non-programmers, an exception is a condition (usually abnormal) that can occur some place in your program. A checked exception is one that it is mandatory to handle some place in your program, otherwise your program is not valid.

    I'm not religiously against checked exceptions, other than that they're a bad choice for default. The problem is that the places where exceptions occur are often not the right place to handle them. The temptation is to mishandle the exception, particularly exceptions that are rare, at a low level. Sometimes this is a temporary measure so you can get to some initial tests you want to do, and you never get back to undoing it. Sometimes it happens because the programmer doesn't know a good way to handle the exception, so he papers it over.

    The result is that you convert a crash bug into some other kind of bug. Often a bug that's higher on the severity list. That's why converting a checked exception into a non-checked exception is often the best course of action, even though it creates a possible crash condition later on.

    Automated testing does, or potentially can, stand in for the function of checked exceptions with less risk. Some kind of annotation that was integrated with unit testing might be ideal.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  8. Re:My favourite Windows error message by Matt+Perry · · Score: 3, Interesting

    "Error: the operation completed successfully"
    I kid you not! This was common in Win98 and observed also in Win2k - if an app crashed, causing DrWatson to pop up and offer to save some kind of crash log, just click the save as button, and then cancel the save. Voila.
    I knew I saved this error message for a reason. Years ago some colleagues and I saw this error while installing some high-priced, fancy-pants software and just had to get a screenshot.
    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.