Slashdot Mirror


Word 2007 Flaws Are Features, Not Bugs

PetManimal writes "Mati Aharoni's discovery of three flaws in Word using a fuzzer (screenshots) has been discounted by Microsoft, which claims that the crashes and malformed Word documents are a feature of Word, not a bug. Microsoft's Security Response Center is also refusing to classify the flaws as security problems. According to Microsoft developer David LeBlanc, crashes aren't necessarily DoS situations: 'You may rightfully say that crashing is always bad, and having a server-class app background, I agree. Crashing means you made a mistake, bad programmer, no biscuit. However, crashing may be the lesser of the evils in many places. In the event that our apps crash, we have recovery mechanisms, ways to report the crash so we know what function had the problem, and so on. I really take issue with those who would characterize a client-side crash as a denial of service.' Computerworld's Frank Hayes responds to LeBlanc and questions Microsoft's logic."

9 of 411 comments

  1. English-to-Microsoft dictionary by Anonymous Coward · · Score: 5, Funny

    Word 2007 Flaws Are Features, Not Bugs
    That's right and the price you pay for it is an investment, not a complete waste of resources.

    What's the matter? Did the Slashdot editors lose their English-to-Microsoft dictionary again?
  2. Re:Let's just get this out of the way then... by Mateo_LeFou · · Score: 5, Informative

    Um, it's defined in the twelve words after "fuzzer" in TFA

    "a tool that probes an application for vulnerabilities by sending random input"

    This is known as an appositive phrase.

    --
    My turnips listen for the soft cry of your love
  3. I Wish by Mockylock · · Score: 5, Funny

    I wish I could just pass out when my wife asks me some stupid question that I don't want to answer. Better yet, when I'm asked to fix a bug at work, it would be nice to just roll over and hit the snooze. Let's apply this everywhere.

    --
    "Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
  4. Re:Let me see... by Deadbolt · · Score: 5, Insightful

    I hope you're not serious; if you are, I'm never letting you near any code I'm responsible for.

    By definition, the app crashing is a denial of service. It's no different than sending a Christmas tree packet to an ancient unpatched router: it goes boom, shuts down the network, no network service. Word crashes: boom, document maybe lost, no use of Word.

    A program must be able to recognize invalid input and take appropriate action. Allowing (or forcing) a crash is NOT acceptable.

    --
    "Honey, it's not working out; I think we should make our relationship open-source."
  5. Re:I didn't know that by Skadet · · Score: 5, Insightful

    Why spend on testing, when you got paying consumers to do the bug reports for you?
    Because anything more complex than calc.exe is going to have weird bugs that can't be discovered within a realistic timeframe to keep release dates. And if I'm not mistaken, open-source software does the same thing. BugZilla anyone? If it weren't for user feedback, a great majority of bugs wouldn't get fixed.
  6. Re:Let me see... by drinkypoo · · Score: 5, Informative

    Exactly. It's expected that any app will crash if you feed it malicious junk.

    Sorry, I don't buy it. The only way that is a valid expectation is if you explicitly tell it to crash when it gets malformed data, which is offensive and stupid. The proper thing to do is to tell it to alert the user if there is malformed data, and then clean up and get ready to parse another document.

    Crashing is definitely a sign that something bad is happening. Traditionally, when an app crashes because of an invalid document, it's writing to some memory it shouldn't be. This is a sign of lazy or stupid programmers not doing proper checking of the input.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Re:Let me see... by Ckwop · · Score: 5, Interesting

    However, he has not yet found a way to exploit that overflow because Word keeps crashing. Microsoft says that the crash is preventing any security hazard, and therefore there is none.

    The OpenBSD guys have a philosophy: "The only difference between a bug and a vulnerability is the intelligence of the attacker."

    I wish more programmers held this view! A bug is an undefined state of the program. It's quite clear that this is a dangerous position for your program to be in. Bugs really are baby vulnerabilities. It's best to remove them as soon as you find them.

    Simon

  8. Taking a page from Apple... literally by PCM2 · · Score: 5, Interesting

    The old Apple ][ Reference Manual included a few pages of technical terms, with definitions. Buried among entries like track, sector, stack, and interrupt was this gem:

    feature n. A bug, as described by the marketing department.

    --
    Breakfast served all day!
  9. Re:I don't see the problem by qualidafial · · Score: 5, Interesting

    During the last EclipseCon, Hugh Thompson (of in-flight Tetris crashing fame) showed us a hack in notepad discovered using fuzz testing. Open up a fresh notepad and type in the words, "this app can break" (without the quotes). Then save the document to file, close notepad, and double-click the file you just saved to bring it back up in notepad. Everything will appear as squares. Not a major exploit, and definitely not a DoS, but kind of interesting.

    Apparently that specific line of text exploits the way that notepad determines whether the file is encoded in ASCII or Unicode.
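
The input checking argued for in comments 4 and 6, exercised by a fuzzer as defined in comment 2, shown as an added example that is not part of the thread and is not Word's code. The record format and the names `parse_doc` and `fuzz` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIELD_MAX 32  /* fixed-size destination buffer */
enum { PARSE_OK = 0, ERR_TRUNCATED = -1, ERR_TOO_LONG = -2 };

/* Toy format, constructed for this example: [type:1][len:1][payload:len]...
 * The type byte is ignored. Copies the last payload into field; every length
 * read from the input is checked against the remaining input and the buffer. */
int parse_doc(const uint8_t *buf, size_t len, char field[FIELD_MAX])
{
    size_t pos = 0;
    field[0] = '\0';
    while (pos < len) {
        if (len - pos < 2)
            return ERR_TRUNCATED;        /* record header cut off */
        size_t n = buf[pos + 1];
        pos += 2;
        if (n > len - pos)
            return ERR_TRUNCATED;        /* payload runs past end of input */
        if (n >= FIELD_MAX)
            return ERR_TOO_LONG;         /* copy would overflow field */
        memcpy(field, buf + pos, n);
        field[n] = '\0';
        pos += n;
    }
    return PARSE_OK;
}

static uint32_t xorshift32(uint32_t *s) { *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5; return *s; }

/* Minimal fuzzer: feeds `rounds` pseudo-random buffers to the parser and
 * returns how many were rejected. Returning at all means none crashed it. */
size_t fuzz(size_t rounds, uint32_t seed, size_t *accepted)
{
    uint8_t buf[64];
    char field[FIELD_MAX];
    size_t rejected = 0;
    *accepted = 0;
    for (size_t i = 0; i < rounds; i++) {
        size_t len = xorshift32(&seed) % (sizeof buf + 1);
        for (size_t j = 0; j < len; j++)
            buf[j] = (uint8_t)xorshift32(&seed);
        if (parse_doc(buf, len, field) == PARSE_OK) (*accepted)++;
        else rejected++;
    }
    return rejected;
}
```

Dropping either length check turns the malformed cases into out-of-bounds reads or writes. Building the harness with `-fsanitize=address` makes such a regression fail on the first offending input instead of silently corrupting memory.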