Word 2007 Flaws Are Features, Not Bugs 411
PetManimal writes "Mati Aharoni's discovery of three flaws in Word using a fuzzer (screenshots) has been discounted by Microsoft, which claims that the crashes and malformed Word documents are a feature of Word, not a bug. Microsoft's Security Response Center is also refusing to classify the flaws as security problems. According to Microsoft developer David LeBlanc, crashes aren't necessarily DoS situations: 'You may rightfully say that crashing is always bad, and having a server-class app background, I agree. Crashing means you made a mistake, bad programmer, no biscuit. However, crashing may be the lesser of the evils in many places. In the event that our apps crash, we have recovery mechanisms, ways to report the crash so we know what function had the problem, and so on. I really take issue with those who would characterize a client-side crash as a denial of service.' Computerworld's Frank Hayes responds to LeBlanc and questions Microsoft's logic.'"
I didn't know that (Score:2, Interesting)
Why spend on testing, when you got paying consumers to do the bug reports for you?
It may be unethical, but they ARE getting richer by the minute.
It's officially 1984 (Score:3, Interesting)
"That's the way it was designed!" (Score:2, Interesting)
Another example I came across recently is here [microsoft.com]. What's the point of designing as such?
He's got half a point (Score:4, Interesting)
Wouldn't it be a good idea to shut down the app to prevent your whole network getting hosed? And doesn't the pain-in-the-assitude for the user maybe prevent them from opening shady docs the next time around?
Admittedly, it would be best if the flaw never existed in the first place. But if fixing the flaw outright is out of the question, why isn't this a good solution?
Re:Let me see... (Score:5, Interesting)
The Open BSD guys have a philosophy: "The only difference between a bug and a vulnerability is the intelligence of the attacker."
I wish more programmers held this view! A bug is an undefined state of the program. It's quite clear that this is a dangerous position for your program to be in. Bug really are baby vulnerabilities. It's best to remove them as soon as you find them.
Simon
Re:Let me see... (Score:5, Interesting)
However using bad documents to crash Word is still a flaw in Word, in my opinion. The application should just say "Can't open bad/corrupted document" and let the user keep working. In the blog he says: I understand the rationale, but I would argue it's rather sloppy programming that uses a crash as a means to prevent such bad things from happening. Exceptions can be thrown, but they should be caught and used to halt the "bad actions", and revert back to a normal program state.
Obviously it is better to crash than to execute arbitrary enemy code. However it's better still to just refuse to execute arbitrary code, but otherwise keep running. The problem with using crashing as a security system is that then the "bad guys" will try to crash your application on purpose (calling it a DoS is a stretch, mind you), which opens up new security problems. (A crashing app may expose other security vulnerabilities, disclose otherwise protected information, destabilize other apps/the OS, etc.)
We work on data driven apps (police RMS) (Score:1, Interesting)
Basically, the default behavior on any exception is to crash, and roll back any open transactions. There's just no way to recover from something unexpected, and still be able to guarantee that the next commit to the DB isn't going to fuck something up.
I have described this behaviour as intentional, and have played it off as a feature - directly comparing it to a competitors product, which took an "ignore error, keep on truckin'" approach. They fired the first shot by finding a bug that made our app crash, and claimed the crashing meant it was buggy. Meanwhile, no crashes on their side means no bugs.
So I showed how I could exploit a bug to start corrupting records, and even found a way to do it willfully (ie; change your parking ticket into a warrant for forced sodomy).
Of course, we treat every crash as a bug - but the fact that it crashes (after writing out as much relevant info as possible into a
office menu button closes apps (Score:1, Interesting)
Taking a page from Apple... literally (Score:5, Interesting)
The old Apple ][ Reference Manual included a few pages of technical terms, with definitions. Buried among entries like track, sector, stack, and interrupt was this gem:
feature n. A bug, as described by the marketing department.
Re:I didn't know that (Score:2, Interesting)
On a completely different note, I've vista installed on one of my PC and the explorer crashes quite often for a 499$ OS.
My colleagues and friend ask me all the time if they should get vista and I tell them to not waste their time. Even one of my friend bought a laptop with vista preinstalled and he had to revert to XP right after because explorer crashed so often that made the working impossible.
Is it just me or the quality of Microsoft Products is going down?
You'd rather your router crashed than word? (Score:2, Interesting)
If you want a 'big deal' you should check out Words (XP and downwards) file handling bug. Now _that's_ brain-dead. Basically, every time you use the undo function Word opens a new file handler. Keep at it and the OS eventually runs out (especially a problem on the Mac) and you can't save your document or open any files.
Oh, and what was MS's excuse for not fixing this bug sooner? The idiotic teck complained that his debugger crashed because it opened too many handles, so he couldn't fine the bug. Well DUH!
Re:explosive code? (Score:3, Interesting)
There's a reason we call it a crash (or an abend.) It's because we weren't expecting it. We're not talking about a demolition derby here.
If an exception causes the program to quit safely, it's not a crash, it's an expected termination.
Re:I don't see the problem (Score:5, Interesting)
Apparently that specific line of text exploits the way that notepad determines whether the file is encoded in ASCII or Unicode.
Re:Let me see... (Score:5, Interesting)
-matthew
Re:What (Score:4, Interesting)
People act as if a crash is the worst thing in the world. Generations of programmers have been trained to think of a crash bug as the ultimate badge of shame. The problem is that it is not, by far, the ultimate mistake.
I think it's useful to keep this in perspective. It's better that you crash the user's car than run over the user's baby. I always tell guys who work for to to place bugs in the following order of severity (1 is highest severity):
1) user's system security is compromised.
2) user's data is corrupted or lost.
3) give wrong answers that aren't obvious (2 and three might be interchanged in some circumstances)
4) crash bugs and obvious garbage output
It's not that crash bugs are good. It's that given a choice between a crash and things higher on the list, you ought to choose the crash.
This is not a choice that, once upon a time, we had to make. Crashes happen when a condition you hadn't anticipated happen, so they were not (as a rule) a matter of choice.
Java checked exceptions changed that, and required that I develop clear priorities. For non-programmers, an exception is a condition (usually abnormal) that can occur some place in your program. A checked exception is one that it is mandatory to handle some place in your program, otherwise your program is not valid.
I'm not religiously against checked exceptions, other than that they're a bad choice for default. The problem is that the places where exceptions occur are often not the right place to handle them. The temptation is to mishandle the exception, particularly exceptions that are rare, at a low level. Sometimes this is a temporary measure so you can get to some initial tests you want to do, and you never get back to undoing it. Sometimes it happens because the programmer doesn't know a good way to handle the exception, so he papers it over.
The result is that you convert a crash bug into some other kind of bug. Often a bug that's higher on the severity list. That's why converting a checked exception into a non-checked exception is often the best course of action, even though it creates a possible crash condition later on.
Automated testing does, or potentially can, stand in for the function of checked exceptions with less risk. Some kind of annotation that was integrated with unit testing might be ideal.
Re:Insightful?! (Score:1, Interesting)
Really? I was looking for a small, fanless mini-itx box the other day for a special purpose. I found this [logicsupply.com] at $525 but still had to get memory, HD, and CD-ROM for it. I'm sure there is cheaper but hard to find the foot-print size.
Then it dawned on me that a Mac Mini is that size. Quiet and with more CPU, a HD, memory and a CD/DVD for less money. But, yeah, the Macbook Pro and G5s are more expensive than a cheap, plastic PC.
Re:I don't see the problem (Score:1, Interesting)
1) Start up Word
2) Type "Dear Katrina," sans quotes
3) Press Enter
4) ???
5) Voila! Profit! er, uh, I mean, CRASH!
This crashed on two different installations of Word 2000 (on Windows XP and 98) but didn't on another.
where do you want to go today? **FATAL EXCEPTION** (Score:3, Interesting)
"If you understand computers, you know that a computer normally is immune to the character of the data it processes," he wrote in the June U.S. Naval Institute's Proceedings Magazine. "Your $2.95 calculator, for example, gives you a zero when you try to divide a number by zero, and does not stop executing the next set of instructions. It seems that the computers on the Yorktown were not designed to tolerate such a simple failure."
Microsoft running a warship? What could possibly go wrong? Oh yeah - absolutely everything, since Microsoft can't be bothered to sanity check input [gcn.com].
FYI, Microsoft screwed up here and it's difficult to defend them in this instance without coming off as a dunce yourself.
Re:My favourite Windows error message (Score:4, Interesting)
Re:Walk into a store (Score:3, Interesting)
You have to type it in a specific text box - that of your package manager.
And then, the various alternatives are 1 click away.
That is never true in Windows, it is much more difficult and involves far more to find, download and install from the web. And far worse, it involves far worse trust in untraceable entities! My packages are signed by the maintainers who registered themselves and are trackable.
I didn't say you couldn't legally download, I said you couldn't download the updates for your entire software repository (including not just Microsoft software, but also your games, your Instant Messangers, Photo editors, etc) from one central location, which remains true.
Talk about nitpicking! Yes, some fuel is burnt (unless wind or solar power is powering those routers, ofcourse), but to compare that to the fuel burnt to power the car to and from the store to carry the bits is absurd.