
Word 2007 Flaws Are Features, Not Bugs

Zonk posted more than 7 years ago | from the i-thought-that-was-just-a-programmer-joke dept.

Security 411

PetManimal writes "Mati Aharoni's discovery of three flaws in Word using a fuzzer (screenshots) has been discounted by Microsoft, which claims that the crashes and malformed Word documents are a feature of Word, not a bug. Microsoft's Security Response Center is also refusing to classify the flaws as security problems. According to Microsoft developer David LeBlanc, crashes aren't necessarily DoS situations: 'You may rightfully say that crashing is always bad, and having a server-class app background, I agree. Crashing means you made a mistake, bad programmer, no biscuit. However, crashing may be the lesser of the evils in many places. In the event that our apps crash, we have recovery mechanisms, ways to report the crash so we know what function had the problem, and so on. I really take issue with those who would characterize a client-side crash as a denial of service.' Computerworld's Frank Hayes responds to LeBlanc and questions Microsoft's logic."


English-to-Microsoft dictionary (5, Funny)

Anonymous Coward | more than 7 years ago | (#18722311)

Word 2007 Flaws Are Features, Not Bugs
That's right and the price you pay for it is an investment, not a complete waste of resources.

What's the matter? Did the Slashdot editors lose their English-to-Microsoft dictionary again?

Let's just get this out of the way then... (0)

inviolet (797804) | more than 7 years ago | (#18722321)

Would any bright egg here care to explain what the hell a 'fuzzer' is?

Yes I could google it, but so will 100,000 other slashdotters, so let's just post the answer here and be done with it.

Re:Let's just get this out of the way then... (1)

Mipoti Gusundar (1028156) | more than 7 years ago | (#18722345)

LOL @ U, n00by!

Re:Let's just get this out of the way then... (5, Informative)

Mateo_LeFou (859634) | more than 7 years ago | (#18722347)

Um, it's defined in the twelve words after "fuzzer" in TFA

"a tool that probes an application for vulnerabilities by sending random input"

This is known as an appositive phrase.

Re:Let's just get this out of the way then... (4, Funny)

ZachPruckowski (918562) | more than 7 years ago | (#18722491)

Um, it's defined...in TFA

Um, read that again, and see if you can find the problem. ;-)

Re:Let's just get this out of the way then... (3, Insightful)

Mateo_LeFou (859634) | more than 7 years ago | (#18722579)

"Um, read that again, and see if you can find the problem. ;-)"

I found two:
1. No one reads TFA
2. There are plurality of TFAs ...which means there's an error in your statement, which should read
"Um, read that again, and see if you can find the problems. ;-)"

There may be a plurality of errors in your statement, not sure ...

*head explodes

Geek is Geek (0)

Anonymous Coward | more than 7 years ago | (#18722913)

Did a dotcom refugee [com.ccm] work on Word?

Re:Let's just get this out of the way then... (3, Funny)

rucs_hack (784150) | more than 7 years ago | (#18722519)

there you go, expecting a slashdotter to rtfa. Shame on you...

OOPS, I ripped my pants! (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18722809)

Has anyone seen the Spongebob episode where he keeps everyone laughing by ripping his pants on purpose?

(Think about it, it's not offtopic.)

Re:Let's just get this out of the way then... (4, Funny)

Anonymous Coward | more than 7 years ago | (#18722603)

Would any bright egg here care to explain what the hell an 'appositive phrase' is?

Yes I could google it, but so will 100,000 other slashdotters, so let's just post the answer here and be done with it.

Re:Let's just get this out of the way then... (3, Informative)

MassEnergySpaceTime (957330) | more than 7 years ago | (#18722393)

From wiki:

"Fuzz testing or fuzzing is a software testing technique that provides random data ("fuzz") to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted."

Re:Let's just get this out of the way then... (1)

piGeek31415 (1054990) | more than 7 years ago | (#18722447)

I checked http://en.wikipedia.org/wiki/Fuzz_testing [wikipedia.org] .

Fuzz testing or fuzzing is a software testing technique that provides random data ("fuzz") to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted.

Fuzz testing is often used in large software development projects that perform black box testing. These usually have a budget to develop test tools, and fuzz testing is one of the techniques which offers a high benefit to cost ratio.
Seems like something that should have been caught in testing.

But, But... (4, Funny)

ColdWetDog (752185) | more than 7 years ago | (#18722643)

Aharoni said he found the flaws using a "fuzzer," a tool that probes an application for vulnerabilities by sending random input. Two of the three bugs result in a denial-of-service-like situation, with the PC's processor maxed out at 100%, making the machine unusable until it's rebooted.
Emphasis mine.

OK, gotcha, but how do you differentiate this from normal Windows behavior?

Re:But, But... (4, Funny)

camperdave (969942) | more than 7 years ago | (#18722893)

Because in normal Windows behaviour, the odds would be three out of three.

Insightful?! (1, Insightful)

Ahnteis (746045) | more than 7 years ago | (#18722911)

Come on mods. Funny? Yes! Insightful? Not even close.

We all get it--Linux is better; Windows is for Losers; OSX is pretty but someone else with money can buy it.

Many people use Windows daily without the problems that caused you such trauma that you continue to rant about it daily. Get over it.

Don't like Windows for ideological reasons? Fine.
Don't like it from a security standpoint? Fine.
Don't like it because it looks ugly and stole your candy? Fine.

But it's impossible to take you seriously when you employ the *same tactics* of FUD that you like to claim every single time Microsoft says anything.

Re:fuzzer (1)

Technician (215283) | more than 7 years ago | (#18722541)

Umm RTFM, I mean article

Would any bright egg here care to explain what the hell a 'fuzzer' is?

For those who didn't read the article and want to know what a fuzzer is;

"Aharoni said he found the flaws using a "fuzzer," a tool that probes an application for vulnerabilities by sending random input"

Snipped from the article.

Somehow clipping a line from the article doesn't make me feel light a bright egg.

Re:fuzzer (2, Funny)

shystershep (643874) | more than 7 years ago | (#18723215)

How does saying "light" when you meant "like" make you feel?

Me, I feel like having another beer.

I don't see the problem (0)

dedazo (737510) | more than 7 years ago | (#18722353)

When the input box/message box loop of death "DDoS" thing that traps you in a page and forces you to manually kill the process was brought up to Mozilla they said it wasn't a problem. Why is a similar DDoS/crash situation an issue for a Microsoft product again? In the past IE crashes have also been tagged as vulnerabilities even though they involved no further penetration into the target box or escalation of privileges.

The fact is, you can probably DDoS just about anything more complex than a text editor.

Re:I don't see the problem (2, Informative)

HolyCrapSCOsux (700114) | more than 7 years ago | (#18722429)

That could be considered a flaw of word as well. It's more complicated than a text editor should be.

To be pedantic for a moment... (2, Informative)

AKAImBatman (238306) | more than 7 years ago | (#18722453)

DoS (Denial of Service), not DDoS (Distributed Denial of Service). There is no "distributed" in crashing these desktop apps.

Re:To be pedantic for a moment... (1)

GooberToo (74388) | more than 7 years ago | (#18722577)

There is no "distributed" in crashing these desktop apps.

What if I'm running remote desktop while I do it? Aha! ;)

To be even more pedantic for a moment... (2, Insightful)

poopdeville (841677) | more than 7 years ago | (#18722639)

Unless you distribute a Word document exploiting the bug by email, for instance.

Re:I don't see the problem (0)

Anonymous Coward | more than 7 years ago | (#18722549)

You can probably DDoS notepad too.

Re:I don't see the problem (1)

ajs (35943) | more than 7 years ago | (#18722967)

Could you cite the bug # for Mozilla? I'm curious about the specifics, and not to say that you're not a trustworthy guy, but this is Slashdot after all. It reminds me of the time that Linus Torvalds said that Linux was a waste of his time....

Re:I don't see the problem (0)

Afrosheen (42464) | more than 7 years ago | (#18723219)

Actually you can DOS notepad pretty easily in Windows. Just tell it to load a 5 to 10 meg text file. KABOOM!

Ok. (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18722375)

In the event that our apps crash, we have recovery mechanisms, ways to report the crash so we know what function had the problem, and so on.

And what about the document you were working on?

Re:Ok. (1)

forgotten_my_nick (802929) | more than 7 years ago | (#18722489)

> And what about the document you were working on?

Odds on it still has that as well, which is why a fair few places don't allow their employees to automatically send crash reports to Microsoft.

I didn't know that (2, Interesting)

alberion (1086629) | more than 7 years ago | (#18722383)

Windows is filled with these nice features too. Microsoft is sure to include them in every piece of software they release.
Why spend on testing, when you got paying consumers to do the bug reports for you?
It may be unethical, but they ARE getting richer by the minute.

Re:I didn't know that (5, Insightful)

Skadet (528657) | more than 7 years ago | (#18722583)

Why spend on testing, when you got paying consumers to do the bug reports for you?
Because anything more complex than calc.exe is going to have weird bugs that can't be discovered within a realistic timeframe to keep release dates. And if I'm not mistaken, open-source software does the same thing. BugZilla anyone? If it weren't for user feedback, a great majority of bugs wouldn't get fixed.

I guess it is an attitude problem. (3, Insightful)

alberion (1086629) | more than 7 years ago | (#18722943)

I guess it is an attitude problem.
If they said their software is sold "as it is" and that it possibly had problems and were humble enough to admit it, there would be fewer MS-haters out there.
I agree with you on the impossibility of completely testing software of the complexity of Word. No argument there.

BTW, calc.exe already GPFed on me. :)

I Wish (5, Funny)

Mockylock (1087585) | more than 7 years ago | (#18722405)

I wish I could just pass out when my wife asks me some stupid question that I don't want to answer. Better yet, when I'm asked to fix a bug at work, it would be nice to just roll over and hit the snooze. Let's apply this everywhere.

Let me see... (4, Insightful)

AKAImBatman (238306) | more than 7 years ago | (#18722411)

...if I understand this correctly. Basically, a security researcher believes he's found a buffer overflow. However, he has not yet found a way to exploit that overflow because Word keeps crashing. Microsoft says that the crash is preventing any security hazard, and therefore there is none. Correct?

I hate to say it, but I'm going to have to come down on Microsoft's side on this one. If it's a non-exploitable crash, then it's a simple bug in handling corrupt documents and nothing more. The researcher can ring everyone again once an exploit has been found.

As for the DoS potential... seriously, why is everything a "Denial of Service" with these guys? It's a bad document. Word crashes. Life goes on. It's not like your computer is going to become unusable because Word crashed. You get minorly inconvenienced by the jerk who sent you the document, you figure out that the doc is bad, then you move on.

Re:Let me see... (0)

bendodge (998616) | more than 7 years ago | (#18722477)

Exactly. It's expected that any app will crash if you feed it malicious junk.

Re:Let me see... (5, Informative)

drinkypoo (153816) | more than 7 years ago | (#18722591)

Exactly. It's expected that any app will crash if you feed it malicious junk.

Sorry, I don't buy it. The only way that is a valid expectation is if you explicitly tell it to crash when it gets malformed data, which is offensive and stupid. The proper thing to do is to tell it to alert the user if there is malformed data, and then clean up and get ready to parse another document.

Crashing is definitely a sign that something bad is happening. Traditionally, when an app crashes because of an invalid document, it's writing to some memory it shouldn't be. This is a sign of lazy or stupid programmers not doing proper checking of the input.
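To make concrete both what the wiki definitions of fuzzing above describe and the "alert the user, clean up, parse the next document" behaviour drinkypoo asks for, here is an added example in Python. It is not code from the article, from Aharoni's tool, or from Microsoft; the "TDOC" record format, both parsers and the seed document are invented for illustration and have nothing to do with Word's file formats. A naive parser that trusts every field exhibits the two failure classes the thread argues about: uncaught exceptions (the crash) and a back-pointer that never makes progress (the processor-pegged hang, capped here by a watchdog budget so the demo terminates). A hardened parser for the same format rejects every malformed input with one MalformedDocument error the caller can report and recover from. A small mutation fuzzer feeds both parsers the same mutated documents and tallies the outcomes.

```python
# Mutation-fuzzing a toy parser, naive vs. hardened; the "TDOC" format is invented.
import random
import struct

MAGIC = b"TDOC"
TAG_TEXT, TAG_STYLE, TAG_GOTO, TAG_END = 0x01, 0x02, 0x03, 0xFF
STYLES = ("normal", "bold", "italic")   # STYLE payload is an index into this table
HEADER = struct.Struct(">BH")           # record header: tag, big-endian payload length

class MalformedDocument(ValueError): pass   # only error the hardened parser raises
class HangDetected(RuntimeError): pass      # stand-in for "processor pegged at 100%"

def record(tag, payload):
    return HEADER.pack(tag, len(payload)) + payload

def parse_naive(doc, budget=1000):
    # Trusts every field: struct.error on truncation, IndexError on a bad STYLE
    # index, UnicodeDecodeError on junk TEXT, endless loop on a backward GOTO.
    pos, out = len(MAGIC), []
    for _ in range(budget):                 # watchdog so the demo terminates
        tag, length = HEADER.unpack_from(doc, pos)
        start = pos + HEADER.size
        payload, pos = doc[start:start + length], start + length
        if tag == TAG_TEXT:
            out.append(payload.decode("ascii"))
        elif tag == TAG_STYLE:
            out.append(STYLES[struct.unpack(">H", payload)[0]])
        elif tag == TAG_GOTO:
            pos = struct.unpack(">H", payload)[0]
        elif tag == TAG_END:
            return out
    raise HangDetected("no END record after %d steps" % budget)

def parse_hardened(doc, max_records=1000):
    """Same format, every field validated; all failures become MalformedDocument."""
    if doc[:len(MAGIC)] != MAGIC:
        raise MalformedDocument("bad magic")
    pos, out = len(MAGIC), []
    for _ in range(max_records):
        if pos + HEADER.size > len(doc):
            raise MalformedDocument("truncated record header at %d" % pos)
        tag, length = HEADER.unpack_from(doc, pos)
        start, end = pos + HEADER.size, pos + HEADER.size + length
        if end > len(doc) or (tag in (TAG_STYLE, TAG_GOTO) and length != 2):
            raise MalformedDocument("bad record length at %d" % pos)
        payload = doc[start:end]
        if tag == TAG_TEXT:
            try:
                out.append(payload.decode("ascii"))
            except UnicodeDecodeError:
                raise MalformedDocument("non-ASCII text at %d" % start) from None
        elif tag == TAG_STYLE:
            idx = struct.unpack(">H", payload)[0]
            if idx >= len(STYLES):
                raise MalformedDocument("style index %d out of range" % idx)
            out.append(STYLES[idx])
        elif tag == TAG_GOTO:
            target = struct.unpack(">H", payload)[0]
            if target <= pos or target > len(doc):   # forward only, so progress is guaranteed
                raise MalformedDocument("GOTO from %d to %d" % (pos, target))
            end = target
        elif tag == TAG_END:
            return out
        else:
            raise MalformedDocument("unknown tag 0x%02x at %d" % (tag, pos))
        pos = end
    raise MalformedDocument("no END record within %d records" % max_records)

# Valid seed document (constructed): its GOTO skips forward to the record after it.
_head = MAGIC + record(TAG_TEXT, b"Hello") + record(TAG_STYLE, b"\x00\x01")
SEED = (_head + record(TAG_GOTO, struct.pack(">H", len(_head) + HEADER.size + 2))
        + record(TAG_TEXT, b"world") + record(TAG_END, b""))

def mutate(doc, rng):
    """One random mutation: overwrite a few bytes, or truncate the file."""
    b = bytearray(doc)
    if rng.randrange(2) == 0:
        for _ in range(rng.randint(1, 4)):
            b[rng.randrange(len(b))] = rng.randrange(256)
    else:
        del b[rng.randrange(len(MAGIC), len(b)):]
    return bytes(b)

def fuzz(parser, seed=SEED, iterations=2000, rng_seed=1):
    """Feed mutated documents to parser and tally how it fails."""
    rng = random.Random(rng_seed)
    counts = {"ok": 0, "rejected": 0, "crash": 0, "hang": 0}
    for _ in range(iterations):
        try:
            parser(mutate(seed, rng))
            counts["ok"] += 1
        except MalformedDocument:
            counts["rejected"] += 1      # clean refusal: tell the user, keep working
        except HangDetected:
            counts["hang"] += 1
        except Exception:                # struct.error, IndexError, UnicodeDecodeError
            counts["crash"] += 1
    return counts
```

Call fuzz(parse_naive) and fuzz(parse_hardened) and compare the counters: the naive parser's failures land in "crash" and "hang", while every failure of the hardened parser lands in "rejected". The difference is not that the hardened parser accepts more; it accepts exactly the same documents. It just turns every malformed input into one well-defined error, which is the distinction between "bug in handling corrupt documents" and "undefined behaviour that happened to crash this time" that the thread is circling.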

Re:Let me see... (1)

goatpunch (668594) | more than 7 years ago | (#18722955)

Traditionally, when an app crashes because of an invalid document, it's writing to some memory it shouldn't be.
It could also crash because of a divide by zero, null pointer dereference, etc. No memory problems in these cases. Could be a sign of lazy programming, or just a misguided sense of 'improving performance' by not making 'unnecessary' checks.

Re:Let me see... (1)

drinkypoo (153816) | more than 7 years ago | (#18723039)

It could also crash because of a divide by zero, null pointer dereference, etc. No memory problems in these cases. Could be a sign of lazy programming, or just a misguided sense of 'improving performance' by not making 'unnecessary' checks.

Sure, I don't dispute that. But regardless of how you look at it, it's a program error, not desirable behavior. Also, I did say "traditionally" - although "typically" is closer to what I wanted to say :) But both leave wiggle room.

Re:Let me see... (1)

alexhs (877055) | more than 7 years ago | (#18723227)

I guess you weren't paying attention when MS decided that a crash was more user friendly than a "malformed document" dialog box :)

I mean, if the application crashes, any user will know that something bad happened. If you give the average user a dialog box, he will automatically click OK without reading it (he has been trained to do that), then go puzzled: "huh, where's my document?"

Therefore MS choice :)

I think i shall add some more :) :) :) just in case someone could take that seriously, after all it's MS we're talking about :)

Re:Let me see... (1, Flamebait)

sqlrob (173498) | more than 7 years ago | (#18722715)

No, it's not. Any well written app should be able to handle any junk thrown at it without crashing.

Re:Let me see... (4, Insightful)

belmolis (702863) | more than 7 years ago | (#18722535)

If the facts are as you've described, I agree that there isn't a security issue here. There is, however, still a bug. Anytime a program crashes for reasons other than hardware failure, there is a bug. If it takes really unusual input to do it and there are no security consequences, it may be a minor bug, but it is still a bug.

Re:Let me see... (5, Insightful)

Deadbolt (102078) | more than 7 years ago | (#18722557)

I hope you're not serious; if you are, I'm never letting you near any code I'm responsible for.

By definition, the app crashing is a denial of service. It's no different than sending a Christmas tree packet to an ancient unpatched router: it goes boom, shuts down the network, no network service. Word crashes: boom, document maybe lost, no use of Word.

A program must be able to recognize invalid input and take appropriate action. Allowing (or forcing) a crash is NOT acceptable.

Re:Let me see... (0)

Anonymous Coward | more than 7 years ago | (#18722831)

Feeding Word an Oracle dmp is a denial of service too? Crashing is almost always better than invalid output, especially in the long run.

Word crashes: boom, document maybe lost, no use of Word.
No use of Word for that one invalid document. You can open it back up again with other documents. How is this a DOS? Do you expect Word to open up the Oracle dmp and allow you to run queries on it? Or does Word just popping up a box saying invalid input make it all ok now?

Allowing (or forcing) a crash is NOT acceptable.
People pay good money for the Office suite. Apparently they find it acceptable.

Re:Let me see... (0)

Anonymous Coward | more than 7 years ago | (#18723083)

People pay good money for the Office suite. Apparently they find it acceptable.
Wrong!

Sophism::Argumentum ad populum [wikipedia.org]

Thanks for coming, and feel free to try again!

Re:Let me see... (1)

zappepcs (820751) | more than 7 years ago | (#18722839)

I agree with you but would like to point out that there are times and circumstances where a crash/reset is a better option. In RT comms systems, down time is far more expensive than a crash/reset could be. If a critical system or process is thrown into an unrecoverable circumstance, such as a corrupt table index etc., it is much preferable to crash/reset and start anew than to wait and stop processing traffic for 2 hours until the technician arrives to push the reset button. The recovery process associated with startup fixes some things.

I agree that this is unacceptable behavior for a word processing app, but still, sometimes in some circumstances, the crash and reset process is curative and beneficial.

Re:Let me see... (1)

d-rock (113041) | more than 7 years ago | (#18723061)

I run a pretty big network and if my primary router resets because the watchdog timer trips (basically what you're describing here), we send the crashdump log to the vendor and they fix the bug. I've never had a vendor say "oh, a crash is normal and appropriate behavior."

Derek

Re:Let me see... (5, Interesting)

Ckwop (707653) | more than 7 years ago | (#18722633)

However, he has not yet found a way to exploit that overflow because Word keeps crashing. Microsoft says that the crash is preventing any security hazard, and therefore there is none.

The Open BSD guys have a philosophy: "The only difference between a bug and a vulnerability is the intelligence of the attacker."

I wish more programmers held this view! A bug is an undefined state of the program. It's quite clear that this is a dangerous position for your program to be in. Bugs really are baby vulnerabilities. It's best to remove them as soon as you find them.

Simon

Re:Let me see... (0)

Anonymous Coward | more than 7 years ago | (#18723067)

BABY KILLER!

Re:Let me see... (4, Interesting)

kebes (861706) | more than 7 years ago | (#18722689)

I totally agree that calling this a security flaw or DoS is silly. Until it is actually used to exploit the program, it's not a confirmed security flaw.

However using bad documents to crash Word is still a flaw in Word, in my opinion. The application should just say "Can't open bad/corrupted document" and let the user keep working. In the blog he says:

The theory is that it is better to crash (at least with client apps) than it is to be running the bad guy's shell code.
I understand the rationale, but I would argue it's rather sloppy programming that uses a crash as a means to prevent such bad things from happening. Exceptions can be thrown, but they should be caught and used to halt the "bad actions", and revert back to a normal program state.

Obviously it is better to crash than to execute arbitrary enemy code. However it's better still to just refuse to execute arbitrary code, but otherwise keep running. The problem with using crashing as a security system is that then the "bad guys" will try to crash your application on purpose (calling it a DoS is a stretch, mind you), which opens up new security problems. (A crashing app may expose other security vulnerabilities, disclose otherwise protected information, destabilize other apps/the OS, etc.)

Re:Let me see... (0)

Anonymous Coward | more than 7 years ago | (#18722835)

Denial of Service attack... is of course if your system can be compromised while playing solitaire. Now people would be worried about that, but I agree, word? That's always a good excuse to postpone your work "OOpss, it crashed, I'm playing solitaire in the mean time".

Did you see the implications of hacking Solitaire!?....mmm.. that might be a good science project.

Re:Let me see... (1)

Cristofori42 (1001206) | more than 7 years ago | (#18722987)

it's not like your computer is going to become unusable because Word crashed.

Actually, I would argue that it would become more usable because Word crashed.

RTFA - not just Word crashing (4, Informative)

PCM2 (4486) | more than 7 years ago | (#18723029)

...if I understand this correctly. Basically, a security researcher believes he's found a buffer overflow. However, he has not yet found a way to exploit that overflow because Word keeps crashing.

Actually, according to the Computerworld article, two of the bugs discovered will peg the processor at 100 percent, forcing a cold reboot that potentially will do a lot more damage than just corrupting your Word documents. Whatever your philosophy otherwise, that really is a denial of service.

Crashes are often exploitable. (0)

Anonymous Coward | more than 7 years ago | (#18723079)

While not every crash is exploitable, usually the crash means that you can corrupt memory.

The trick is being able to control HOW you corrupt memory. If you can do that to a sufficient degree, you can 0wn someone's computer. It's NOT always obvious whether or not an overflow is exploitable. More than once, someone has said "this isn't exploitable" because they didn't fully understand the bug, only to have someone who knows it better corrupt the memory just so, and turn a crash into an exploit.

Also, even DoS isn't a good thing, as you might know if you'd ever been under attack. Yes, it's hard, sometimes incredibly hard, to protect yourself. But unless you do, you can expect to be kicked offline any time some wanker goes after you. And if you think it doesn't happen, you're kidding yourself. I've seen security websites be attacked by "l33t d00dz" who hated them, I've seen Christian sites flooded by those who hate them, I've seen total wankers attack people for no damn reason at all. I'd tell you to check out Attrition.org's defacement mirror, but they took that down a long time ago. There are just as many, if not more, DoS attacks than defacements, you know.

So no, I won't go along with you and say that crashing "prevents" a security hazard. If you can't use your computer, what does it matter if the reason you can't is because it's crashing or because you're 0wn3d?

That's Microsoft PR talking, not anybody with a damn clue.

Re:Let me see... (0)

Anonymous Coward | more than 7 years ago | (#18723115)

Two of the three bugs result in a denial-of-service-like situation, with the PC's processor maxed out at 100%, making the machine unusable until it's rebooted.

It's officially 1984 (2, Interesting)

Mateo_LeFou (859634) | more than 7 years ago | (#18722427)

The spokesthing actually contends that the crashes are "a by-design behavior that improves security and stability"

Re:It's officially 1984 (1)

PPH (736903) | more than 7 years ago | (#18722607)

That's interesting. It's the same way I keep my car from going too fast.

Input validation (2, Insightful)

Skadet (528657) | more than 7 years ago | (#18722433)

I'm going to go ahead and say that it's not necessarily a "security risk" as it is lazy coding. The majority of us here know the importance of input validation; just because the file ends in .DOC doesn't make it a bona-fide, working Word document.

If Word went ahead and executed arbitrary code, that's one thing. But as it stands, it just crashes out. Elegant? Not by a long shot. Security risk? Not so much.

Re:Input validation (4, Insightful)

idontgno (624372) | more than 7 years ago | (#18722931)

If Word went ahead and executed arbitrary code, that's one thing. But as it stands, it just crashes out.

You do understand that in many cases, a "crash" is when the software attempted to execute random garbage; and that if you tailored the garbage, you would have an arbitrary code execution vulnerability?

A crash, frankly, is very often an incompletely exploited code execution vulnerability. That may not be so, here; but if the crash is caused by stack or heap corruption, there's a distinct chance the triggering dataset could be made into a shellcode exploit or the like.

"That's the way it was designed!" (2, Interesting)

jojoba_oil (1071932) | more than 7 years ago | (#18722435)

It seems to be a typical response from Microsoft.

Another example I came across recently is here [microsoft.com] . What's the point of designing as such?

Re:"That's the way it was designed!" (2, Insightful)

castle (6163) | more than 7 years ago | (#18722631)

WAD is my most favored TLA for such responses, with a parenthetical 4 letter variant WA(P)D. Respectively Working As Designed and Working As (Poorly) Designed.

Odds are with this particular component, they were on the way to reducing functionality in their core component to force you into buying a third party developed component that was actually well designed and/or useful.

Repeat after me (0, Offtopic)

Anonymous Coward | more than 7 years ago | (#18722441)

War is peace.
Freedom is slavery.
Ignorance is strength.

Re:Repeat after me (1)

rucs_hack (784150) | more than 7 years ago | (#18722573)

and hookers that look nice from a distance are actually crusty pensioners.

Of all the scenes in 1984 (the film, not book), that one conveyed the decay of the society more than any other methinks. I also consider it one of Richard Burton's finest performances, but I'm probably in a minority there.

Ignorance (1)

Bill, Shooter of Bul (629286) | more than 7 years ago | (#18722729)

Ignorance breaks the symmetry of your argument. It should be:

Ignorance is knowledge

What (1, Offtopic)

wumpus188 (657540) | more than 7 years ago | (#18722449)

Crashing means you made a mistake, bad programmer, no biscuit.

So if your application crashes, this is my mistake as the user? ... Great attitude pal, keep it up.

Re:What (1)

Skadet (528657) | more than 7 years ago | (#18722511)

Crashing means you made a mistake, bad programmer, no biscuit.

So if your application crashes, this is my mistake as the user? ... Great attitude pal, keep it up.

Methinks you didn't read your quote thoroughly.

Re:What (1)

wumpus188 (657540) | more than 7 years ago | (#18722585)

Yeah.. my mistake, sorry. No biscuit :)

Re:What (1)

shawnce (146129) | more than 7 years ago | (#18722533)

You may want to reread his statement... the "you" refers to "programmer" not the user.

Re:What (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#18722589)

"English, motherfucker, do you speak it?"
 
He's saying that if the app crashes the PROGRAMMER boo-booed, not the user. You fail comprehension? That unpossible.
 
Moron.

Re:What (1)

rwwyatt (963545) | more than 7 years ago | (#18722997)

Biscuits? Hell, when did we get the upgrade from bananas?

Better recovery... (3, Insightful)

kebes (861706) | more than 7 years ago | (#18722457)

However, crashing may be the lesser of the evils in many places. In the event that our apps crash, we have recovery mechanisms, ways to report the crash so we know what function had the problem, and so on.
Okay, handling crashing properly (saving some data, logging errors, etc.) is of course nice. However even the most graceful crash is, as far as "recovery mechanisms" go, pretty bad. A proper recovery mechanism would be rather less disruptive to the user... for instance a prompt that warns the user that something bad happened and the document is being rolled back to before the last action occurred. Similarly logging of errors can be done properly without crashing the entire application. A log-file is generated, and the user keeps working even though the last action didn't work, hopefully with some feedback indicating why the last action didn't work.

I am fully aware that writing bug-free software is impossible. Ultimately, it is unavoidable that crashes will occur. When they do occur, they should be handled as gracefully as possible. However one should not defend one's code (and coding flaws) by saying that "sure it crashes--but the crashes are part of our carefully engineered recovery mechanism!" That's a lame excuse, because if you're aware of a consistent crash condition, you should be able to code so that instead of crashing, the program does something more friendly.

He's got half a point (3, Interesting)

Red Flayer (890720) | more than 7 years ago | (#18722473)

Say you have a known vulnerability in your code, which fixing would require rebuilding your app from scratch (or damn near close enough to make it too expensive to fix). Also say that you have the capability to detect an attempt to take advantage of the flaw before any damage is done, and that shutting down the app will prevent further damage.

Wouldn't it be a good idea to shut down the app to prevent your whole network getting hosed? And doesn't the pain-in-the-assitude for the user maybe prevent them from opening shady docs the next time around?

Admittedly, it would be best if the flaw never existed in the first place. But if fixing the flaw outright is out of the question, why isn't this a good solution?

Re:He's got half a point (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18722783)

It's a fine solution. But call a spade a spade and say:
"Sorry guys, but we're leaving this bug open for now because it's too hard to fix it securely."

Do not come up with lies like:
"This is a well-designed application and even those crashes you experience are an intentional part of our security design."

Re:He's got half a point (1)

mikelieman (35628) | more than 7 years ago | (#18722829)

If you can detect someone trying to exploit it, why not just handle the exception properly, not import the document, and not crash?

Re:He's got half a point (1)

Red Flayer (890720) | more than 7 years ago | (#18722951)

If you can detect someone trying to exploit it, why not just handle the exception properly, not import the document, and not crash?

As hinted at by the MSFT spokesperson, for data collection about the exploit? Who is going to allow the app to phone home with info unless it seems like something serious is going wrong? Most users will happily allow Word to phone home with details when it crashes... plus if they let the exploit begin, they get a clearer picture of what the exploit looks like in situ.

But seriously.... (4, Insightful)

beef623 (998368) | more than 7 years ago | (#18722481)

I can see Mr. LeBlanc's point, that it's better to crash than open up your system, but it seems like they are taking this awfully lightheartedly. They're still bugs and they still need to be fixed. I think they are confusing debug features with release features.

Re:But seriously.... (1)

ivan256 (17499) | more than 7 years ago | (#18722847)

I'd like to see the actual code that is forcing the crash. I'd say there's a 50/50 chance that they're hitting an assert. The other 50% is that they're completely full of crap, and they got lucky that this causes a crash instead of an exploit.

Re:But seriously.... (1)

cyber-vandal (148830) | more than 7 years ago | (#18722859)

Sadly his attitude is common to many IT departments.

Re:But seriously.... (1)

PPH (736903) | more than 7 years ago | (#18722877)

"Open up your system"? It's a pretty poorly designed system that allows a rogue application to do damage to itself. Sorry. I forgot whose apps we were talking about for a second.

"Crashing", being defined as an application shutting down unexpectedly with no logs or messages to indicate why, is a sign of lazy programming. It means that insufficient exception handling was incorporated. I don't have a problem with an app. just popping up a message stating that the data was corrupt (better yet, approximately how and where) and that further progress is impossible. Heck, even a core file, or a cryptic 'report the following message to tech support' is better than nothing. Better error handling would confine the effect to the corrupted object. Think of what happens when one 'bad' document can cause the entire Word app. to shut down taking several other perfectly good documents with it.
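mikelieman's question above (handle the exception, refuse the document, don't crash) and PPH's point that a loader should say roughly how and where the data is corrupt, and confine the damage to that one document, can be shown in code. This is an added example, not Word's code and not anything from the linked posts: the "TDOC" container format, its record layout and the three sample files are constructed for it, and load_document, open_all and demo_open_all are assumed names. Every length field read from the file is compared with the bytes that actually remain before it is used, so a lying length produces a rejection with an offset and a reason instead of an out-of-bounds read, and a bad file in a batch does not stop the good ones from loading.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of loading one document. Instead of crashing on bad input the
   loader reports what was wrong and the byte offset where it gave up,
   which is what a "this file appears corrupt" dialog needs. */
typedef struct {
    int ok;              /* 1 if the whole file parsed */
    size_t offset;       /* byte offset where parsing stopped */
    const char *reason;  /* human-readable explanation (empty if ok) */
    unsigned records;    /* records read before stopping */
} doc_status;

/* Constructed toy container, not Word's format:
   "TDOC" | u16 record count | count x ( u8 type | u16 len | len bytes ) */
static uint16_t rd16(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));    /* little-endian */
}

doc_status load_document(const unsigned char *buf, size_t n) {
    doc_status st = { 0, 0, "", 0 };
    if (n < 6 || memcmp(buf, "TDOC", 4) != 0) {
        st.reason = "missing or bad header";
        return st;
    }
    uint16_t count = rd16(buf + 4);
    size_t off = 6;
    for (unsigned i = 0; i < count; i++) {
        /* make sure the 3-byte record header fits before reading any of it */
        if (n - off < 3) {
            st.offset = off; st.reason = "truncated record header";
            return st;
        }
        uint16_t len = rd16(buf + off + 1);
        off += 3;
        /* the length field is untrusted: compare it with what really remains */
        if (len > n - off) {
            st.offset = off; st.reason = "record length exceeds file size";
            return st;
        }
        off += len;                 /* the payload would be consumed here */
        st.records++;
    }
    if (off != n) {
        st.offset = off; st.reason = "trailing bytes after last record";
        return st;
    }
    st.ok = 1;
    st.offset = off;
    return st;
}

/* Open several documents at once: a corrupt one is reported and skipped,
   the others still load. Returns the number that loaded. */
int open_all(const unsigned char *const docs[], const size_t sizes[],
             int ndocs, doc_status out[]) {
    int loaded = 0;
    for (int i = 0; i < ndocs; i++) {
        out[i] = load_document(docs[i], sizes[i]);
        if (out[i].ok) loaded++;
    }
    return loaded;
}

/* Constructed sample files: one valid, one claiming a 65535-byte record
   with nothing behind it, one cut off before its second record. */
const unsigned char SAMPLE_GOOD[]      = { 'T','D','O','C', 1,0,  1, 3,0, 'a','b','c' };
const unsigned char SAMPLE_BIGLEN[]    = { 'T','D','O','C', 1,0,  1, 0xFF,0xFF };
const unsigned char SAMPLE_TRUNCATED[] = { 'T','D','O','C', 2,0,  1, 1,0, 'x' };

/* Load all three samples into out[3]; returns how many loaded (1). */
int demo_open_all(doc_status out[3]) {
    const unsigned char *const docs[] = { SAMPLE_GOOD, SAMPLE_BIGLEN, SAMPLE_TRUNCATED };
    const size_t sizes[] = { sizeof SAMPLE_GOOD, sizeof SAMPLE_BIGLEN, sizeof SAMPLE_TRUNCATED };
    return open_all(docs, sizes, 3, out);
}

int main(void) {
    doc_status st[3];
    int loaded = demo_open_all(st);
    for (int i = 0; i < 3; i++)
        printf("doc %d: %s%s (offset %zu, %u records)\n", i,
               st[i].ok ? "ok" : "rejected: ", st[i].reason, st[i].offset, st[i].records);
    printf("%d of 3 loaded\n", loaded);
    return 0;
}
```

The rejected documents report the exact offset at which the loader stopped trusting the file, so a "the file is corrupt at byte 9" message (or a crash-report-free log line) costs nothing extra.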

we've heard this before (0)

Anonymous Coward | more than 7 years ago | (#18722517)

If one's idea of a Feature is something that makes money for the seller of the software, that's one thing. If a Feature is something the buyer wants, or thinks is being paid for, then this is something else, for which coarse language becomes more descriptive.

Word is a bug (2, Insightful)

dbfruth (707400) | more than 7 years ago | (#18722545)

Damn. I thought the whole Word app was a giant bug. Turns out it is a feature that they can charge a lot of money for. It was confusing me since it only seemed useful if you wanted to butcher a document.

How Long Before... (2, Informative)

Evil W1zard (832703) | more than 7 years ago | (#18722637)

Ok so 2 of the 3 bugs result in a DoS type situation and the third could allow for execution of arbitrary code... Using a Fuzzer don't you typically find DoS/Reboot/Crashes first and then more research to include debugging can show where in memory the crash occurs and then you move into the world of tailoring an overflow and allowing for execution of arbitrary code...

To me DoS'ing a client-side app like Word is an annoyance, but I would expect to see exploit code coming that does do code execution or privilege escalation of some sort and then MS will patch it on Tuesday just like they've been doing for years...

My Favorite... (0, Offtopic)

mkw87 (860289) | more than 7 years ago | (#18722645)

My favorite "feature" occurs when I'm trying to work on a pre-2007 word file from my USB Thumb drive. Occasionally a perfectly fine file will delete itself when I try to save it. I open it from the thumb drive, make a few changes, CTRL+S to save, and it says it has a write error, even though the file is not read only, etc. It then proceeds to crash, and DELETE THE FILE.

Now, take the same file (or entire working folder), copy it to a local drive, and it edits and saves just fine. I haven't figured it out yet, probably never will. Luckily every time this has happened to me it's been a group project file and I regularly give my group members backup copies for their own edits, etc.

Error (1)

wumpus188 (657540) | more than 7 years ago | (#18722687)

The operation completed successfully.

explosive code? (4, Insightful)

Ajehals (947354) | more than 7 years ago | (#18722711)

From the linked blog...

1) Your code blew up, and you're about to get 0wn3d. Yup, it's exploitable, and the customers are not going to be happy.
2) Your code blew up, and maybe it is exploitable, maybe not.
3) Your code blew up, and you meant it to blow up, and it's clearly not exploitable.

Since you are not coding specifically for your application to crash (or I hope not), surely there can be no 3. 2 is as good as it gets: you have done everything you can to prevent your code "blowing up", you have tried to handle anything that can be thrown at it gracefully, and you have done everything to ensure that if and when things do go wrong they can do no damage. That's 2, not 3. If you cannot foresee and prevent every possible thing that could cause your application to crash (which you can't), then how can you foresee every possible way in which that unforeseeable crash could be exploited? All you can ever do is your best.

Next up, from the article:

Two of the three bugs result in a denial-of-service-like situation, with the PC's processor maxed out at 100%, making the machine unusable until it's rebooted. The third, Aharoni suggested, could be used to introduce remote attack code after an exploit causes an overflow of "wwlib.dll," a crucial Word library. But "code execution is not trivial," he added.

If described correctly then these bugs all pose a risk. Sure, the first two are minor risks and the latter is major, but all three are bugs that should be listed as security vulnerabilities. I would suggest that the reason they are currently not being seen as such by Microsoft is simply that no one can be sure if the conditions required to trigger them could be utilised by anyone wishing to take advantage of them, and thus they are theoretically less threatening than many of the other issues that have plagued Microsoft applications in the past.

In the end, however, we should simply be stating that a problem exists, it may be a security risk, and until it is fixed we will treat it as such. Anything else (rightly or wrongly) simply smells like someone is covering up issues, and let's be frank, Microsoft doesn't have enough goodwill for that to be acceptable.

Re:explosive code? (0)

Anonymous Coward | more than 7 years ago | (#18722909)

One time I had a buffer overflow in one of my apps. The overflow went straight off the end of the buffer into unmapped memory. That's right: the end of the buffer is the highest mapped memory address in my program. So my code blew up, I didn't mean it to blow up, and it is clearly not exploitable.
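The layout this Anonymous Coward describes (the end of the buffer is the highest mapped address, so the overrun faults instead of corrupting anything) is exactly what a guard-page allocator arranges on purpose, and it is how Electric Fence-style debug allocators turn a heap overrun into an immediate, loud crash during testing. The following is an added example, not code from the thread or from Microsoft: guarded_alloc, guarded_free, guard_follows and guard_demo are assumed names, and it relies on POSIX mmap/mprotect, so it is written for Linux-like systems.

```c
#define _DEFAULT_SOURCE            /* MAP_ANONYMOUS on glibc */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#  ifdef MAP_ANON
#    define MAP_ANONYMOUS MAP_ANON   /* BSD spelling */
#  else
#    define MAP_ANONYMOUS 0x20       /* Linux value; assumption for strict-ANSI builds */
#  endif
#endif

/* Allocate `size` bytes positioned so that the byte right after the buffer
   is the first byte of a PROT_NONE guard page. Any write past the end lands
   in inaccessible memory and faults at once, i.e. the "not exploitable"
   crash from the comment above, now arranged deliberately. Assumed helper,
   not a real allocator API. */
void *guarded_alloc(size_t size) {
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0 || size == 0) return NULL;
    size_t page = (size_t)ps;
    size_t data_pages = (size + page - 1) / page;
    size_t total = (data_pages + 1) * page;            /* data pages + one guard page */
    unsigned char *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + data_pages * page, page, PROT_NONE) != 0) {
        munmap(base, total);
        return NULL;
    }
    /* push the buffer up against the guard page; unused slack sits at the front */
    return base + data_pages * page - size;
}

void guarded_free(void *p, size_t size) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data_pages = (size + page - 1) / page;
    unsigned char *base = (unsigned char *)p + size - data_pages * page;
    munmap(base, (data_pages + 1) * page);
}

/* 1 if the address just past the buffer is page-aligned, i.e. the guard
   page starts exactly there. */
int guard_follows(const void *p, size_t size) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (((uintptr_t)p + size) % page) == 0;
}

/* Allocate, fill every in-bounds byte, verify placement, free. Returns 1
   on success. Writing one byte further would segfault rather than corrupt
   a neighbour; that line is left commented out so the program completes. */
int guard_demo(size_t size) {
    unsigned char *buf = guarded_alloc(size);
    if (buf == NULL) return 0;
    memset(buf, 0x41, size);
    int ok = guard_follows(buf, size) && buf[0] == 0x41 && buf[size - 1] == 0x41;
    /* buf[size] = 0x41;   <- would fault immediately: the guard page is PROT_NONE */
    guarded_free(buf, size);
    return ok;
}

int main(void) {
    printf("100 bytes: %s\n", guard_demo(100) ? "ok" : "failed");
    printf("5000 bytes (spans two pages): %s\n", guard_demo(5000) ? "ok" : "failed");
    return 0;
}
```

The cost is a full page (plus a guard page) per allocation, which is why this lives in debug builds and fuzzing harnesses rather than in shipping code; in production the same property has to come from the bounds checks themselves.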

Re:explosive code? (2)

PCM2 (4486) | more than 7 years ago | (#18723153)

3) Your code blew up, and you meant it to blow up, and it's clearly not exploitable.

Since you are not coding specifically for your application to crash (Or I hope not) surely there can be no 3. 2 is as good as it gets

But isn't this the whole point of the exception-handling model of software error recovery? Back in the old days, any bug could potentially take down the whole system, only it didn't matter because the OS wasn't multitasking anyway. Under the exception-handling model, an unforeseen condition generates an exception. You've got two choices: Handle it or don't. If an application exception makes it all the way to the OS level without being handled, it results in an application crash. What it doesn't do, on the other hand, is take down the system (assuming everything else is working right). So while it might be sloppy programming to say to yourself, "this exception will almost certainly never, ever get raised, so I'm just not going to handle it," it seems to me like that would be a legit case of #3, above. If the only possible outcome of a condition is an application crash, then it doesn't seem like an exploitable flaw to me. (But then, I guess it goes back again to whether you agree that an application crash counts as a denial of service. I tend to think not.)

Please quit calling these DOS flaws (1)

NotFamous (827147) | more than 7 years ago | (#18722719)

I hated when they used the term DOS for the Mozilla crashes, I hate when they use it for Microsoft desktop applications. Just say you found a way to crash the program. Woo hoo! It doesn't sound as serious as DOS, but it is more accurate. Leave DOS for server attacks that clog a network, or prevent a server from being accessed. But entering Chinese unicode characters into a shareware text editor that causes it to crash is not a DOS attack. PUH-lease!

Firefox crashes on malformed input too (3, Insightful)

140Mandak262Jamuna (970587) | more than 7 years ago | (#18722727)

Almost all programs crash on invalid input, even Firefox and OpenOffice. So, hate to say it, MSFT is right in claiming that it is better to crash than to give a command line shell. But so many of the MSFT buffer overrun problems start out as crashes and people keep probing and probing and bingo, it becomes a remote code execution flaw. I think the Windows Meta File graphics handling bug was a low priority crash bug for a long time before it became a remote code execution vulnerability. So while portraying it as "not a bug", hope they quietly work in the background and fix the issue.

Secondary failsafes (1)

ZorbaTHut (126196) | more than 7 years ago | (#18722735)

It's not actually that unreasonable. In my code I do my best to detect invalid input and fail gracefully if possible, but if there's something I haven't thought of I have checks deeper inside that end up cleanly crashing the program if something really unexpected occurs. The fact that it gets past the first checks, and has to crash, is a bug. The fact that it crashes may very well be designed behavior, though, and far better than the alternative.

Of course, their public statement is stupid. What they should be saying is "yes, you have found a bug, the crash is a safe error handling system designed to prevent any security holes, there is nothing to worry about with this bug besides annoyance but we're working on a patch."

No Biscuit!!! (1)

The Media Mechanic (1084283) | more than 7 years ago | (#18722745)

WAAAHHH!!! I LIVE FOR BISCUITS!!! Doesn't he know that biscuits are a programmer's lifeblood and he will wither and die without a steady supply!

Upon additional consultation... (3, Funny)

Chris Mattern (191822) | more than 7 years ago | (#18722813)

Microsoft declared that they are not crashes at all; they are "rest breaks".

Chris mattern

Programmer as a dog (2, Insightful)

The Media Mechanic (1084283) | more than 7 years ago | (#18722821)

According to this guy, you train a programmer as if it were a dog. You punish it by yanking on the leash when it makes too many bugs. You reward it by giving it a biscuit when it does something good, like write an amazing piece of software with crappy design documents as input.

Do managers really think this way? Are we looked upon as professionals? Or merely some kind of easily trained, excitable, bark at the mailman, get lonely when the master leaves us alone and doesn't play fetch with us, peculiar species of mammal?

We work on data driven apps (police RMS) (1, Interesting)

stratjakt (596332) | more than 7 years ago | (#18722845)

Where a high (100%) level of consistency is absolutely required.

Basically, the default behavior on any exception is to crash, and roll back any open transactions. There's just no way to recover from something unexpected, and still be able to guarantee that the next commit to the DB isn't going to fuck something up.

I have described this behaviour as intentional, and have played it off as a feature - directly comparing it to a competitors product, which took an "ignore error, keep on truckin'" approach. They fired the first shot by finding a bug that made our app crash, and claimed the crashing meant it was buggy. Meanwhile, no crashes on their side means no bugs.

So I showed how I could exploit a bug to start corrupting records, and even found a way to do it willfully (ie; change your parking ticket into a warrant for forced sodomy).

Of course, we treat every crash as a bug - but the fact that it crashes (after writing out as much relevant info as possible into a .log file) is a feature in itself.

Lesser of two evils is still evil. (1)

kinglink (195330) | more than 7 years ago | (#18722899)

Seriously, the recovery system they are mentioning is good.... FOR TESTING! Real software shouldn't crash, if it does crash it better be because of hardware failure because software shouldn't do so much that crashing is an option. That's theory of course but it's a possible and working theory in most cases.

Buffer overflows? Create and use a SAFE version of functions... Like.. I don't know? Try snprintf with only the output buffer's size?

Buffer overflows are the fault of the programmer and there should be no excuse. Telling the system to crash instead of overflowing is a fix, but it's neither a good fix or a feature. It's a BUG that has been paved over by paper. Until you come back with concrete it's not really fixed.

Let's switch it around. If my game company submits a game to the Microsoft certification process which crashes, and we gave this excuse, we'd be rejected in 2 seconds. Why do in-house Microsoft products get a pass on this matter?
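kinglink's suggestion above (use snprintf with the output buffer's size) in code: the unbounded sprintf form next to the bounded one, with the truncation check that snprintf's return value makes possible. This is an added example, not code from the thread or from Microsoft; the window-title formatting functions, the 32-byte buffer and the demo inputs are constructed for it. The unsafe variant is kept only as the shape of the bug and is never called here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TITLE_CAP 32   /* size of the fixed window-title buffer (constructed) */

/* "Before": sprintf has no idea how large `out` is, so a long document name
   simply keeps writing past the end of a 32-byte buffer. Shown for
   contrast only; nothing in this file calls it. */
void format_title_unsafe(char *out, const char *docname) {
    sprintf(out, "Word - %s", docname);
}

/* "After": snprintf is given the capacity, so at most cap-1 characters plus
   the terminating NUL are written. Its return value is the length the full
   string would have had, so a value >= cap means the output was truncated;
   that case is reported to the caller instead of being silently accepted.
   Returns 0 if it fit, 1 if truncated, -1 on a bad argument or format error. */
int format_title_safe(char *out, size_t cap, const char *docname) {
    if (out == NULL || cap == 0 || docname == NULL) return -1;
    int needed = snprintf(out, cap, "Word - %s", docname);
    if (needed < 0) return -1;                 /* encoding/format error */
    if ((size_t)needed >= cap) return 1;       /* truncated; out is still NUL-terminated */
    return 0;                                  /* fits */
}

/* Constructed inputs: an ordinary name and a 200-character one. */
int demo_short_name(char *out, size_t cap) {
    return format_title_safe(out, cap, "report.docx");
}

int demo_long_name(char *out, size_t cap) {
    char longname[201];
    memset(longname, 'A', 200);
    longname[200] = '\0';
    return format_title_safe(out, cap, longname);
}

int main(void) {
    char title[TITLE_CAP];
    int rc = demo_short_name(title, sizeof title);
    printf("rc=%d title=\"%s\"\n", rc, title);
    rc = demo_long_name(title, sizeof title);
    printf("rc=%d title=\"%s\" (len %zu of cap %d)\n", rc, title, strlen(title), TITLE_CAP);
    return 0;
}
```

The part that is easy to forget is the return-value check: snprintf on its own only stops the overrun, and a caller that ignores a truncated title (or filename, or path) has traded memory corruption for a logic bug.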

crash = unexpected behavior = security issue (1)

seifried (12921) | more than 7 years ago | (#18722953)

Traditionally security is defined as the AIC triad (Availability, Integrity, Confidentiality), any issue that violates one of these is classed as a security issue (i.e. I can bypass passwords, modify information in the system or make the system unavailable to legitimate users). In general crashes are considered a denial of service, and more importantly to me say that the code is behaving in an unexpected way. Had it been expected that processing a malformed file would be a problem the application should do something like "I'm sorry, this file appears malformed, I can try repairing it, but if that doesn't work then you can basically kiss the data goodbye, sorry about that" to the user. In this case the application crashes. Based on previous results, with exploitable Word (and Excel, etc.) flaws that allowed for code execution I'm going to go out on a limb and put my money in the corner with "these flaws are exploitable, it just hasn't been figured out how yet."

Most secure ever! (1)

smitty97 (995791) | more than 7 years ago | (#18723015)

from one of the articles:

"In fact, the behavior observed in Microsoft Word 2007 in this instance is a by-design behavior that improves security and stability by exiting Microsoft Word when it has run out of options to try and reliably display a malformed Word document....The sample code in [Aharoni's] postings cause Microsoft Word to crash, and users can restart the application to resume normal operations."

So this play on words is why they say Vista is more secure.....
Crashes less! More secure!

According to their logic, and unlike "Tastes Great! Less filling!", it can't be both!

So? (1)

MadnessASAP (1052274) | more than 7 years ago | (#18723113)

IIRC wasn't one of the UNIX design philosophies that if an application becomes unstable it should crash as quickly as possible and create as much noise and debugging output in the process (or something along those lines)? So going by that it would seem MS Office is doing the right thing and IS crashing and generating plenty of errors and debugging info in the process.

office menu button closes apps (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18723209)

I don't have time to log in but I have to point out that the biggest flaw in Office 07 is the office menu, when single clicked it drops a menu, when double clicked it kills the app...fucking redmond retards!

So This Means Word 2007 is designed to crash.... (1)

cppgenius (1009857) | more than 7 years ago | (#18723217)

I could not believe my eyes when I read this ridiculous statement by Microsoft. Do they want to tell us that Microsoft designed these crashes deliberately? The only assumption I can make is that it is a standard function of Word 2007 to crash. It is enough to make you laugh out loud when you read unbelievable, incomprehensible statements like this.

I would have been given an F (2, Insightful)

Dancindan84 (1056246) | more than 7 years ago | (#18723225)

I'm not 100% certain, but I'm pretty sure that my programming professors would have given me an F if as part of input validation I had put:

if (isExploit) {
    crashApplication(); // this is to prevent abusing an exploit Prof. X... no really...
}

... so how is it that Microsoft (or anyone else) thinks they can argue that this is intended? Does it stop the exploit from being used? Possibly, but that does not mean that they should get to shrug this off as "not an issue". There -has- to be a more elegant way to handle it.

Judging from the MS response... (1)

sehlat (180760) | more than 7 years ago | (#18723235)

it would appear that Microsoft doesn't consider anything to be a security risk unless it's 0wn3d Bill Gates' personal machine.