Slashdot Mirror

← Back to Stories (view on slashdot.org)

Word 2007 Flaws Are Features, Not Bugs

Posted by Zonk on from the i-thought-that-was-just-a-programmer-joke dept.

PetManimal writes "Mati Aharoni's discovery of three flaws in Word using a fuzzer (screenshots) has been discounted by Microsoft, which claims that the crashes and malformed Word documents are a feature of Word, not a bug. Microsoft's Security Response Center is also refusing to classify the flaws as security problems. According to Microsoft developer David LeBlanc, crashes aren't necessarily DoS situations: 'You may rightfully say that crashing is always bad, and having a server-class app background, I agree. Crashing means you made a mistake, bad programmer, no biscuit. However, crashing may be the lesser of the evils in many places. In the event that our apps crash, we have recovery mechanisms, ways to report the crash so we know what function had the problem, and so on. I really take issue with those who would characterize a client-side crash as a denial of service.' Computerworld's Frank Hayes responds to LeBlanc and questions Microsoft's logic.'"

42 of 411 comments (clear)

  1. English-to-Microsoft dictionary by Anonymous Coward · · Score: 5, Funny

    Word 2007 Flaws Are Features, Not Bugs
    That's right and the price you pay for it is an investment, not a complete waste of resources.

    What's the matter? Did the Slashdot editors lose their English-to-Microsoft dictionary again?
    1. Re:English-to-Microsoft dictionary by eneville · · Score: 3, Funny

      Word 2007 Flaws Are Features, Not Bugs
      That's right and the price you pay for it is an investment, not a complete waste of resources.

      What's the matter? Did the Slashdot editors lose their English-to-Microsoft dictionary again? The denial of the denial of service is what really grinds my gears. There are so many companies who listen to their customers about things like this. With a high profile product the company should really bring it to the attention of their developers.
      --
      Why UNIX?
  2. Re:Let's just get this out of the way then... by Mateo_LeFou · · Score: 5, Informative

    Um, it's defined in the twelve words after "fuzzer" in TFA

    "a tool that probes an application for vulnerabilities by sending random input"

    This is known as an appositive phrase.

    --
    My turnips listen for the soft cry of your love
  3. Re:Let's just get this out of the way then... by MassEnergySpaceTime · · Score: 3, Informative

    From wiki:

    "Fuzz testing or fuzzing is a software testing technique that provides random data ("fuzz") to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted."

    --
    Respect the laws of physics, for the laws of physics have no respect for you.
  4. I Wish by Mockylock · · Score: 5, Funny

    I wish I could just pass out when my wife asks me some stupid question that I don't want to answer. Better yet, when I'm asked to fix a bug at work, it would be nice to just roll over and hit the snooze. Let's apply this everywhere.

    --
    "Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
  5. Let me see... by AKAImBatman · · Score: 4, Insightful

    ...if I understand this correctly. Basically, a security researcher believes he's found a buffer overflow. However, he has not yet found a way to exploit that overflow because Word keeps crashing. Microsoft says that the crash is preventing any security hazard, and therefore there is none. Correct?

    I hate to say it, but I'm going to have to come down on Microsoft's side on this one. If it's a non-exploitable crash, then it's a simple bug in handling corrupt documents and nothing more. The researcher can ring everyone again once an exploit has been found.

    As for the DoS potential... seriously, why is everything a "Denial of Service" with these guys? It's a bad document. Word crashes. Life goes on. It's not like your computer is going to become unusable because Word crashed. You get minorly inconvenienced by the jerk who sent you the document, you figure out that the doc is bad, then you move on.

    --
    Javascript + Nintendo DSi = DSiCade
    1. Re:Let me see... by belmolis · · Score: 4, Insightful

      If the facts are as you've described, I agree that there isn't a security issue here. There is, however, still a bug. Anytime a program crashes for reasons other than hardware failure, there is a bug. If it takes really unusual input to do it and there are no security consequences, it may be a minor bug, but it is still a bug.

    2. Re:Let me see... by Deadbolt · · Score: 5, Insightful

      I hope you're not serious; if you are, I'm never letting you near any code I'm responsible for.

      By definition, the app crashing is a denial of service. It's no different than sending a Christmas tree packet to an ancient unpatched router: it goes boom, shuts down the network, no network service. Word crashes: boom, document maybe lost, no use of Word.

      A program must be able to recognize invalid input and take appropriate action. Allowing (or forcing) a crash is NOT acceptable.

      --
      "Honey, it's not working out; I think we should make our relationship open-source."
    3. Re:Let me see... by drinkypoo · · Score: 5, Informative

      Exactly. It's expected than any app will crash if you feed it malicious junk.

      Sorry, I don't buy it. The only way that is a valid expectation is if you explicitly tell it to crash when it gets malformed data, which is offensive and stupid. The proper thing to do is to tell it to alert the user if there is malformed data, and then clean up and get ready to parse another document.

      Crashing is definitely a sign that something bad is happening. Traditionally, when an app crashes because of an invalid document, it's writing to some memory it shouldn't be. This is a sign of lazy or stupid programmers not doing proper checking of the input.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Let me see... by Ckwop · · Score: 5, Interesting

      owever, he has not yet found a way to exploit that overflow because Word keeps crashing. Microsoft says that the crash is preventing any security hazard, and therefore there is none.

      The Open BSD guys have a philosophy: "The only difference between a bug and a vulnerability is the intelligence of the attacker."

      I wish more programmers held this view! A bug is an undefined state of the program. It's quite clear that this is a dangerous position for your program to be in. Bug really are baby vulnerabilities. It's best to remove them as soon as you find them.

      Simon

    5. Re:Let me see... by kebes · · Score: 4, Interesting
      I totally agree that calling this a security flaw or DoS is silly. Until it is actually used to exploit the program, it's not a confirmed security flaw.

      However using bad documents to crash Word is still a flaw in Word, in my opinion. The application should just say "Can't open bad/corrupted document" and let the user keep working. In the blog he says:

      The theory is that it is better to crash (at least with client apps) than it is to be running the bad guy's shell code.
      I understand the rationale, but I would argue it's rather sloppy programming that uses a crash as a means to prevent such bad things from happening. Exceptions can be thrown, but they should be caught and used to halt the "bad actions", and revert back to a normal program state.

      Obviously it is better to crash than to execute arbitrary enemy code. However it's better still to just refuse to execute arbitrary code, but otherwise keep running. The problem with using crashing as a security system is that then the "bad guys" will try to crash your application on purpose (calling it a DoS is a stretch, mind you), which opens up new security problems. (A crashing app may expose other security vulnerabilities, disclose otherwise protected information, destabilize other apps/the OS, etc.)
    6. Re:Let me see... by tkinnun0 · · Score: 3, Insightful

      Exceptions can be thrown, but they should be caught and used to halt the "bad actions", and revert back to a normal program state. In an unsafe language, like C++, as is the case with Word, once you have encountered undefined behavior, all bets are off. There is no way to be sure from within your program that you are not already running the attacker's code. The only thing you can do is tell the OS to shut down your program and hope the call goes through.

      In a safe language, like Java, and with a program that can be expressed as a work queue, you can isolate changes to global state and, in the case of a work item failing, provided your thread isn't in an endless loop, ignore the results from the item and carry on. Of course this doesn't mean that the global state is valid. In fact, a failing work item may be an indication that the program is being moved towards an invalid state, and the proper thing would be to crash.
    7. Re:Let me see... by misleb · · Score: 4, Interesting

      The point is that a malformed documented shouldn't throw a word processor into an unrecoverable state. That is a bug. I don't know whether or not it is a denial of service attack. That is debatable, but not properly handling an exception in a document is definitely a bug. A word processor can simply tell the user, "hey, this document is fucked, I can't open it." If it just crashes, the user could possibly lose data in other open documents. And that is a Bad Thing(tm).

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    8. Re:Let me see... by Jherek+Carnelian · · Score: 3, Insightful

      A program must be able to recognize invalid input and take appropriate action. Allowing (or forcing) a crash is NOT acceptable.
      Sounds like you've never heard of a kernel panic.

      Sometimes immediately dying is the best option - when you reach a point in the code that "should never happen" then you can not count on the integrity of anything else within the program at the time. At that point the ONLY safe option is to "go boom" thus assuring that whatever the problem is, at least it won't corrupt anything else.
  6. Better recovery... by kebes · · Score: 3, Insightful

    However, crashing may be the lesser of the evils in many places. In the event that our apps crash, we have recovery mechanisms, ways to report the crash so we know what function had the problem, and so on.
    Okay, handling crashing properly (saving some data, logging errors, etc.) is of course nice. However even the most graceful crash is, as far as "recovery mechanisms" go, pretty bad. A proper recovery mechanism would be rather less disruptive to the user... for instance a prompt that warns the user that something bad happened and the document is being rolled back to before the last action occured. Similarly logging of errors can be done properly without crashing the entire application. A log-file is generated, and the user keeps working even though the last action didn't work, hopefully with some feedback indicating why the last action didn't work.

    I am fully aware that writing bug-free software is impossible. Ultimately, it is unavoidable that crashes will occur. When they do occur, they should be handled as gracefully as possible. However one should not defend one's code (and coding flaws) by saying that "sure it crashes--but the crashes are part of our carefully engineered recovery mechanism!" That's a lame excuse, because if you're aware of a consistent crash condition, you should be able to code so that instead of crashing, the program does something more friendly.
  7. He's got half a point by Red+Flayer · · Score: 3, Interesting

    Say you have a known vulnerability in your code, which fixing would require rebuilding your app from scratch (or damn near close enough to make it too expensive to fix). Also say that you have the capability to detect an attempt to take advantage of the flaw before any damage is done, and that shutting down the app will prevent further damage.

    Wouldn't it be a good idea to shut down the app to prevent your whole network getting hosed? And doesn't the pain-in-the-assitude for the user maybe prevent them from opening shady docs the next time around?

    Admittedly, it would be best if the flaw never existed in the first place. But if fixing the flaw outright is out of the question, why isn't this a good solution?

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  8. But seriously.... by beef623 · · Score: 4, Insightful

    I can see Mr. LeBlanc's point, that it's better to crash than open up your system, but it seems like they are taking this awfully lightheartedly. They're still bugs and they still need fixed. I think they are confusing debug features with release features.

  9. Re:Let's just get this out of the way then... by ZachPruckowski · · Score: 4, Funny

    Um, it's defined...in TFA

    Um, read that again, and see if you can find the problem. ;-)

  10. Re:Let's just get this out of the way then... by rucs_hack · · Score: 3, Funny

    there you go, expecting a slashdotter to rtfa. Shame on you...

  11. Re:Let's just get this out of the way then... by Mateo_LeFou · · Score: 3, Insightful

    "Um, read that again, and see if you can find the problem. ;-)"

    I found two:
    1. No one reads TFA
    2. There are plurality of TFAs ...which means there's an error in your statement, which should read
    "Um, read that again, and see if you can find the problems. ;-)"

    There may be a plurality of errors in your statement, not sure ...

    *head explodes

    --
    My turnips listen for the soft cry of your love
  12. Re:I didn't know that by Skadet · · Score: 5, Insightful

    Why spend on testing, when you got paying consumers to do the bug reports for you?
    Because anything more complex than calc.exe is going to have weird bugs that can't discovered within a realistic timeframe to keep release dates. And if I'm not mistaken, open-source software does the same thing. BugZilla anyone? If it weren't for user feedback, a great majority of bugs wouldn't get fixed.
    --
    Sony ha
  13. Re:Let's just get this out of the way then... by Anonymous Coward · · Score: 4, Funny

    Would any bright egg here care to explain what the hell an 'appositive phrase' is?

    Yes I could google it, but so will 100,000 other slashdotters, so let's just post the answer here and be done with it.

  14. But, But... by ColdWetDog · · Score: 4, Funny

    Aharoni said he found the flaws using a "fuzzer," a tool that probes an application for vulnerabilities by sending random input. Two of the three bugs result in a denial-of-service-like situation, with the PC's processor maxed out at 100%, making the machine unusable until it's rebooted.
    Emphasis mine.

    OK, gotcha, but how do you differentiate this from normal Windows behavior?

    --
    Faster! Faster! Faster would be better!
    1. Re:But, But... by camperdave · · Score: 4, Funny

      Because in normal Windows behaviour, the odds would be three out of three.

      --
      When our name is on the back of your car, we're behind you all the way!
  15. explosive code? by Ajehals · · Score: 4, Insightful

    From the linked blog...

    1) Your code blew up, and you're about to get 0wn3d. Yup, it's exploitable, and the customers are not going to be happy.
    2) Your code blew up, and maybe it is exploitable, maybe not.
    3) Your code blew up, and you meant it to blow up, and it's clearly not exploitable.

    Since you are not coding specifically for your application to crash (Or I hope not) surely there can be no 3. 2 is as good as it gets, you have done everything you can to prevent your code "blowing up" you have tried to handle anything that can be thrown at it gracefully, and you have done everything to ensure that when if and when things do go wrong they can do no damage, that's 2, not 3. If you cannot foresee and prevent every possible thing that could cause your application to crash (which you can't), then how can you foresee every possible way in which that unforeseeable crash could be exploited. All you can ever do is your best.

    Next up, from the article:

    Two of the three bugs result in a denial-of-service-like situation, with the PC's processor maxed out at 100%, making the machine unusable until it's rebooted. The third, Aharoni suggested, could be used to introduce remote attack code after an exploit causes an overflow of "wwlib.dll," a crucial Word library. But "code execution is not trivial," he added.

    If described correctly then these bugs all pose a risk. sure the first two are minor risks, the later is major, but all three are bugs that should be listed as security vulnerabilities. I would suggest that the reason that they are currently not being seen as such by Microsoft, is simply that no one can be sure if the conditions required to trigger them could be utilised by anyone wishing to take advantage of them, and thus they are theoretically less threatening than many of the other issues that have plagued Microsoft Applications in the past.

    In the end however we should be simply sating that a problem exists, it may be a security risk, and until it is fixed, we will treat it as such. Anything else (rightly or wrongly) simply smells like someone is covering up issues, and lets be frank, Microsoft doesn't have enough good will for that to be acceptable.

  16. Firefox crashes on malformed intput too by 140Mandak262Jamuna · · Score: 3, Insightful

    Almost all the programs crash on invalid input, even Firefox and OpenOffice. So, hate to say it, MSFT is right in claiming that it is better to crash than to give a command line shell. But so many of the MSFT buffer overrun problems start out as crashes and people keep probing and probing and bingo, it becomes a remote code execution flaw. I thing the Windows Meta File graphics handling bug was a low priority crash bug for a long time before it became a remote code execution vulnerability. So while porturing it as "not a bug", hope they quietly work in the background and fix the issue.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  17. Upon additional consultation... by Chris+Mattern · · Score: 3, Funny

    Microsoft declared that they are not crashes at all; they are "rest breaks".

    Chris mattern

  18. Re:Input validation by idontgno · · Score: 4, Insightful

    If Word went ahead and executed arbitrary code, that's one thing. But as it stands, it just crashes out.

    You do understand that in many cases, a "crash" is when the software attempted to execute random garbage; and that if you tailored the garbage, you would have an arbitrary code execution vulnerability?

    A crash, frankly, is very often an incompletely exploited code execution vulnerability. That may not be so, here; but if the crash is caused by stack or heap corruption, there's a distinct chance the triggering dataset could be made into a shellcode exploit or the like.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  19. I guess it is an attitude problem. by alberion · · Score: 3, Insightful

    I guess it is an attitude problem.
    If they said their software is sold "as it is" and that it possibibly had problems and were humble enough to admit it, there would be fewer MS-haters out there.
    I agree with you on the impossibility of completly testing a software of the complexity of Word. No argument there.

    BTW, calc.exe already GPFed on me. :)

    1. Re:I guess it is an attitude problem. by Achromatic1978 · · Score: 3, Informative
      Small hint: they do exactly that.

      To quote Para. 16 of the Windows XP Home EULA:

      Except for the Limited Warranty and to the maximum extent permitted by applicable law, Microsoft and its suppliers provide the Software and support services (if any) AS IS AND WITH ALL FAULTS, and hereby disclaim all other warranties and conditions, whether express, implied or statutory, including, but not limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpose, of reliability or availability, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses, and of lack of negligence, all with regard to the Software, and the provision of or failure to provide support or other services, information, software, and related content through the Software or otherwise arising out of the use of the Software. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT WITH REGARD TO THE SOFTWARE.

      Seems pretty much the case to me.

      Don't even try the "Click throughs not legally binding!". It doesn't need to be binding for this - but to claim they don't sell software AS IS is an absolute fallacy, trivially demonstrable.

  20. RTFA - not just Word crashing by PCM2 · · Score: 4, Informative

    ...if I understand this correctly. Basically, a security researcher believes he's found a buffer overflow. However, he has not yet found a way to exploit that overflow because Word keeps crashing.

    Actually, according to the Computerworld article, two of the bugs discovered will peg the processor at 100 percent, forcing a cold reboot that potentially will do a lot more damage than just corrupting your Word documents. Whatever your philosophy otherwise, that really is a denial of service.

    --
    Breakfast served all day!
  21. Taking a page from Apple... literally by PCM2 · · Score: 5, Interesting

    The old Apple ][ Reference Manual included a few pages of technical terms, with definitions. Buried among entries like track, sector, stack, and interrupt was this gem:

    feature n. A bug, as described by the marketing department.

    --
    Breakfast served all day!
    1. Re:Taking a page from Apple... literally by dgatwood · · Score: 4, Funny

      My sad realization about that definition is that I just looked it up to see if you were serious. You were. Perhaps an even sadder realization is that I was able to reach up to the shelf above my desk and instantly grab a copy of the Apple ][ Reference Manual---right between The TeXbook and an Imagewriter II owner's manual that I used to use as an ASCII table reference before the rise of Google or asciitable.com.

      Sigh. I am, indeed, a geek. I suppose there's no escaping it.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Taking a page from Apple... literally by xsspd2004 · · Score: 3, Funny

      Actually, you can escape it with a backslash (\) on *ix or a caret (^) on Windows.

      --
      This is not an illusion, a rip-off, or a ninja technique!
  22. Re:Let's just get this out of the way then... by alisson · · Score: 4, Funny

    1) It's too much effort to read the article.
    2) It's um... Can you repeat this one, I didn't read it.

  23. Re:Let's just get this out of the way then... by Anonymous Coward · · Score: 4, Informative

    a phrase that is placed in apposition to a noun or another phrase, usually serving to clarify the meaning or intent.

    an appositional phrase, a phrase that clarifies meaning, is a fancy way of saying "redundant"

  24. Re:I don't see the problem by qualidafial · · Score: 5, Interesting
    During the last EclipseCon, Hugh Thompson (of in-flight Tetris crashing fame) showed us a hack in notepad discovered using fuzz testing. Open up a fresh notepad and type in the words, "this app can break" (without the quotes). Then save the document to file, close notepad, and double-click the file you just saved to bring it back up in notepad. Everything will appear as squares. Not a major exploit, and definitely not a DoS, but kind of interesting.

    Apparently that specific line of text exploits the way that notepad determines whether the file is encoded in ASCII or Unicode.

  25. Re:What by hey! · · Score: 3, Interesting

    Actually, in my opinion he's right.

    People act as if a crash is the worst thing in the world. Generations of programmers have been trained to think of a crash bug as the ultimate badge of shame. The problem is that it is not, by far, the ultimate mistake.

    I think it's useful to keep this in perspective. It's better that you crash the user's car than run over the user's baby. I always tell guys who work for to to place bugs in the following order of severity (1 is highest severity):

    1) user's system security is compromised.
    2) user's data is corrupted or lost.
    3) give wrong answers that aren't obvious (2 and three might be interchanged in some circumstances)
    4) crash bugs and obvious garbage output

    It's not that crash bugs are good. It's that given a choice between a crash and things higher on the list, you ought to choose the crash.

    This is not a choice that, once upon a time, we had to make. Crashes happen when a condition you hadn't anticipated happen, so they were not (as a rule) a matter of choice.

    Java checked exceptions changed that, and required that I develop clear priorities. For non-programmers, an exception is a condition (usually abnormal) that can occur some place in your program. A checked exception is one that it is mandatory to handle some place in your program, otherwise your program is not valid.

    I'm not religiously against checked exceptions, other than that they're a bad choice for default. The problem is that the places where exceptions occur are often not the right place to handle them. The temptation is to mishandle the exception, particularly exceptions that are rare, at a low level. Sometimes this is a temporary measure so you can get to some initial tests you want to do, and you never get back to undoing it. Sometimes it happens because the programmer doesn't know a good way to handle the exception, so he papers it over.

    The result is that you convert a crash bug into some other kind of bug. Often a bug that's higher on the severity list. That's why converting a checked exception into a non-checked exception is often the best course of action, even though it creates a possible crash condition later on.

    Automated testing does, or potentially can, stand in for the function of checked exceptions with less risk. Some kind of annotation that was integrated with unit testing might be ideal.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  26. Re:My favourite Windows error message by Matt+Perry · · Score: 3, Interesting

    "Error: the operation completed successfully"
    I kid you not! This was common in Win98 and observed also in Win2k - if an app crashed, causing DrWatson to pop up and offer to save some kind of crash log, just click the save as button, and then cancel the save. Voila.
    I knew I saved this error message for a reason. Years ago some colleagues and I saw this error while installing some high-priced, fancy-pants software and just had to get a screenshot.
    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  27. Walk into a store by Peaker · · Score: 3, Insightful

    Hahahaha!
    That is so early 90's!
    Hello?? We have the internet!
    Software can be downloaded!

    In Windows, I can't just type in "office", click the resulting "kde office" and "open office" programs, and have them automatically downloaded for me, without fuel being burnt to get the bits from there to my computer. Amazing!

    Also, I can just type in almost anything I may want my computer to do - and behold, one of more than 10,000 programs shows up which can be installed with a single click!

    Oh wait, there's more. When I play a movie in full-screen, a bunch of "Would you like to update me?" dialogs of various programs don't jump up at me!
    In fact, *all* (and that means all software you have) updating is done from a central location - by clicking the update icon.

    Oh, Windows doesn't have that? Pitty, maybe I should stick to Linux!

  28. In case you want to know why this happens by Taagehornet · · Score: 3, Informative

    While perhaps producing some rather amusing results, this is a unfortunate but unavoidable consequence of Notepad having to support a variety of encodings of text files.

    It's not really news though, and I doubt Hugh Thompson deserves any credit, Raymond Chen explained why things behave like this back in 2004.

  29. Re:I didn't know that by xero314 · · Score: 3, Insightful

    You can write bug free software, it's just several orders of magnitude more expensive and time consuming to write it. I was gonna let all this slide by but after reading that line I had to jump in. This is complete rubish. An absolute line made up by supporters of Agile development and Frauds out to suck millions of dollars from ignorant venture capitalists. Look I'm sick of hearing this. As a software Engineer I have experienced bad software development and good software development, and believe it or not, good, solid, bug free (99.9%) software takes less time to design, write and test, than the majority of the crap beta software corporations like MS spits out to the unsuspecting public. And that's not even getting into the fact that programs like word are far more complex than they need to be to accomplish exactly what they end up doing.

    I'd apologize for the rant but this kind of bullshit spouted by slack ass "Programmers" and "Developers" just pisses me off to no end. Keep thinking your gonna have that job security you always wanted by making sure there's no one else that can weed threw your garbled mesh of spaghetti, when in reality making software that actually works if far more job securing. But then again I would probably be out of work if the "developers" of the world actually did their shit right since organizations would need people like me to clean it all up.

    Fuck the karma, some one had to finally clear this up, too bad no one in a position to actually change things will read this.