Slashdot Mirror

← Back to Stories (view on slashdot.org)

Word 2007 Flaws Are Features, Not Bugs

Posted by Zonk on from the i-thought-that-was-just-a-programmer-joke dept.

PetManimal writes "Mati Aharoni's discovery of three flaws in Word using a fuzzer (screenshots) has been discounted by Microsoft, which claims that the crashes and malformed Word documents are a feature of Word, not a bug. Microsoft's Security Response Center is also refusing to classify the flaws as security problems. According to Microsoft developer David LeBlanc, crashes aren't necessarily DoS situations: 'You may rightfully say that crashing is always bad, and having a server-class app background, I agree. Crashing means you made a mistake, bad programmer, no biscuit. However, crashing may be the lesser of the evils in many places. In the event that our apps crash, we have recovery mechanisms, ways to report the crash so we know what function had the problem, and so on. I really take issue with those who would characterize a client-side crash as a denial of service.' Computerworld's Frank Hayes responds to LeBlanc and questions Microsoft's logic.'"

3 of 411 comments (clear)

  1. Re:Let me see... by Ckwop · · Score: 5, Interesting

    owever, he has not yet found a way to exploit that overflow because Word keeps crashing. Microsoft says that the crash is preventing any security hazard, and therefore there is none.

    The Open BSD guys have a philosophy: "The only difference between a bug and a vulnerability is the intelligence of the attacker."

    I wish more programmers held this view! A bug is an undefined state of the program. It's quite clear that this is a dangerous position for your program to be in. Bug really are baby vulnerabilities. It's best to remove them as soon as you find them.

    Simon

  2. Taking a page from Apple... literally by PCM2 · · Score: 5, Interesting

    The old Apple ][ Reference Manual included a few pages of technical terms, with definitions. Buried among entries like track, sector, stack, and interrupt was this gem:

    feature n. A bug, as described by the marketing department.

    --
    Breakfast served all day!
  3. Re:I don't see the problem by qualidafial · · Score: 5, Interesting
    During the last EclipseCon, Hugh Thompson (of in-flight Tetris crashing fame) showed us a hack in notepad discovered using fuzz testing. Open up a fresh notepad and type in the words, "this app can break" (without the quotes). Then save the document to file, close notepad, and double-click the file you just saved to bring it back up in notepad. Everything will appear as squares. Not a major exploit, and definitely not a DoS, but kind of interesting.

    Apparently that specific line of text exploits the way that notepad determines whether the file is encoded in ASCII or Unicode.