Word 2007 Flaws Are Features, Not Bugs 411
PetManimal writes "Mati Aharoni's discovery of three flaws in Word using a fuzzer (screenshots) has been discounted by Microsoft, which claims that the crashes and malformed Word documents are a feature of Word, not a bug. Microsoft's Security Response Center is also refusing to classify the flaws as security problems. According to Microsoft developer David LeBlanc, crashes aren't necessarily DoS situations: 'You may rightfully say that crashing is always bad, and having a server-class app background, I agree. Crashing means you made a mistake, bad programmer, no biscuit. However, crashing may be the lesser of the evils in many places. In the event that our apps crash, we have recovery mechanisms, ways to report the crash so we know what function had the problem, and so on. I really take issue with those who would characterize a client-side crash as a denial of service.' Computerworld's Frank Hayes responds to LeBlanc and questions Microsoft's logic.'"
English-to-Microsoft dictionary (Score:5, Funny)
What's the matter? Did the Slashdot editors lose their English-to-Microsoft dictionary again?
Re: (Score:3, Funny)
That's right and the price you pay for it is an investment, not a complete waste of resources.
What's the matter? Did the Slashdot editors lose their English-to-Microsoft dictionary again?
The denial of the denial of service is what really grinds my gears. There are so many companies who listen to their customers about things like this. With a high profile product the company should really bring it to the attention of their developers.
Re: (Score:3, Funny)
The fact that you changed, for example, 'rtfa!' to 'RTFA!' is _not_ included in Track Changes. Oops.
Reported that a version or two ago, and the report came back (promptly, I might add, as I paraphrase) "That behavior goes all the way back to Word97. We're going to label that 'Behavior by Design'".
If Word were a housecat, it would be conceptually similar to the Robin Williams routine, where Robin prete
I didn't know that (Score:2, Interesting)
Why spend on testing, when you got paying consumers to do the bug reports for you?
It may be unethical, but they ARE getting richer by the minute.
Re:I didn't know that (Score:5, Insightful)
I guess it is an attitude problem. (Score:3, Insightful)
If they said their software is sold "as it is" and that it possibibly had problems and were humble enough to admit it, there would be fewer MS-haters out there.
I agree with you on the impossibility of completly testing a software of the complexity of Word. No argument there.
BTW, calc.exe already GPFed on me.
Re:I guess it is an attitude problem. (Score:4, Informative)
To quote Para. 16 of the Windows XP Home EULA:
Seems pretty much the case to me.
Don't even try the "Click throughs not legally binding!". It doesn't need to be binding for this - but to claim they don't sell software AS IS is an absolute fallacy, trivially demonstrable.
Re: (Score:2, Interesting)
On a completely different note, I've vista installed on one of my PC and the explorer crashes quite often for a 499$ OS.
My colleagues and friend ask me all the time if they should get vista and I tell them to not waste their time. Even one of my friend bought a laptop with vista preinstalled and he had to revert to XP right after because explorer crashed so o
Re:I didn't know that (Score:4, Insightful)
I'd apologize for the rant but this kind of bullshit spouted by slack ass "Programmers" and "Developers" just pisses me off to no end. Keep thinking your gonna have that job security you always wanted by making sure there's no one else that can weed threw your garbled mesh of spaghetti, when in reality making software that actually works if far more job securing. But then again I would probably be out of work if the "developers" of the world actually did their shit right since organizations would need people like me to clean it all up.
Fuck the karma, some one had to finally clear this up, too bad no one in a position to actually change things will read this.
Re: (Score:3, Insightful)
I will assert that the reason you don't find critical bugs in your programs is because they are either trivial or because they aren't stressed enough.
You can assert all you would like, but you would be wrong. Oddly enough, bug riddled software like Office Suites are far more trivial, being common place, ordinary and even of little importance, than the most bug free software, including projects I have lead. Non-trivial software, such as where lives are at stake, does not have these types of flaws, or are less likely to have these flaws.
Even the acknowledged experts in this field such as the OpenSSL and OpenBSD...
Anyone that has known me realizes I am no supporter of Software projects that allow pretty much anyone to put their h
I Wish (Score:5, Funny)
Taking a page from Apple... literally (Score:5, Interesting)
The old Apple ][ Reference Manual included a few pages of technical terms, with definitions. Buried among entries like track, sector, stack, and interrupt was this gem:
feature n. A bug, as described by the marketing department.
Re:Taking a page from Apple... literally (Score:5, Funny)
My sad realization about that definition is that I just looked it up to see if you were serious. You were. Perhaps an even sadder realization is that I was able to reach up to the shelf above my desk and instantly grab a copy of the Apple ][ Reference Manual---right between The TeXbook and an Imagewriter II owner's manual that I used to use as an ASCII table reference before the rise of Google or asciitable.com.
Sigh. I am, indeed, a geek. I suppose there's no escaping it.
Re: (Score:3, Funny)
Let me see... (Score:4, Insightful)
I hate to say it, but I'm going to have to come down on Microsoft's side on this one. If it's a non-exploitable crash, then it's a simple bug in handling corrupt documents and nothing more. The researcher can ring everyone again once an exploit has been found.
As for the DoS potential... seriously, why is everything a "Denial of Service" with these guys? It's a bad document. Word crashes. Life goes on. It's not like your computer is going to become unusable because Word crashed. You get minorly inconvenienced by the jerk who sent you the document, you figure out that the doc is bad, then you move on.
Re:Let me see... (Score:5, Insightful)
If the facts are as you've described, I agree that there isn't a security issue here. There is, however, still a bug. Anytime a program crashes for reasons other than hardware failure, there is a bug. If it takes really unusual input to do it and there are no security consequences, it may be a minor bug, but it is still a bug.
Re:Let me see... (Score:5, Insightful)
By definition, the app crashing is a denial of service. It's no different than sending a Christmas tree packet to an ancient unpatched router: it goes boom, shuts down the network, no network service. Word crashes: boom, document maybe lost, no use of Word.
A program must be able to recognize invalid input and take appropriate action. Allowing (or forcing) a crash is NOT acceptable.
Re: (Score:2)
Re: (Score:2)
Derek
You'd rather your router crashed than word? (Score:2, Interesting)
If you want a 'big deal' you should check out Words (XP and downwards) file handling bug. Now _that's_ brain-dead. Basically, every time you use the undo function Word opens a new file handler. Keep at it and the OS eventually runs out (especially a problem on the Mac) and you can't save your document or open a
Re:Let me see... (Score:5, Interesting)
-matthew
Re:Let me see... (Score:4, Insightful)
Sometimes immediately dying is the best option - when you reach a point in the code that "should never happen" then you can not count on the integrity of anything else within the program at the time. At that point the ONLY safe option is to "go boom" thus assuring that whatever the problem is, at least it won't corrupt anything else.
Re: (Score:3, Insightful)
Either a bug in the kernel (included loaded modules)
Or a malfunction or bug in one of the components the kernel needs to run (example: flaky memory)
The first are the most common; we somehow got into a state we shouldn't be in. Thus we must have messed up, and the safer choice is to refrain from further actions, since we may be insane in general. These are nevertheless bugs, and should offcourse be acknowledged as such and fixed when possible.
The second isn'
Re: (Score:3, Insightful)
Re: (Score:2)
Re:Let me see... (Score:5, Interesting)
The Open BSD guys have a philosophy: "The only difference between a bug and a vulnerability is the intelligence of the attacker."
I wish more programmers held this view! A bug is an undefined state of the program. It's quite clear that this is a dangerous position for your program to be in. Bug really are baby vulnerabilities. It's best to remove them as soon as you find them.
Simon
Re:Let me see... (Score:5, Interesting)
However using bad documents to crash Word is still a flaw in Word, in my opinion. The application should just say "Can't open bad/corrupted document" and let the user keep working. In the blog he says: I understand the rationale, but I would argue it's rather sloppy programming that uses a crash as a means to prevent such bad things from happening. Exceptions can be thrown, but they should be caught and used to halt the "bad actions", and revert back to a normal program state.
Obviously it is better to crash than to execute arbitrary enemy code. However it's better still to just refuse to execute arbitrary code, but otherwise keep running. The problem with using crashing as a security system is that then the "bad guys" will try to crash your application on purpose (calling it a DoS is a stretch, mind you), which opens up new security problems. (A crashing app may expose other security vulnerabilities, disclose otherwise protected information, destabilize other apps/the OS, etc.)
Re: (Score:3, Informative)
How would you feel if you opened a word document, which you received in an e-mail from a co-worker, that then crashed Word and made you lose some important work you had just been e
Re: (Score:3, Insightful)
Exceptions can be thrown, but they should be caught and used to halt the "bad actions", and revert back to a normal program state.
In an unsafe language, like C++, as is the case with Word, once you have encountered undefined behavior, all bets are off. There is no way to be sure from within your program that you are not already running the attacker's code. The only thing you can do is tell the OS to shut down your program and hope the call goes through.
In a safe language, like Java, and with a program that can be expressed as a work queue, you can isolate changes to global state and, in the case of a work item failing, provided you
RTFA - not just Word crashing (Score:5, Informative)
Actually, according to the Computerworld article, two of the bugs discovered will peg the processor at 100 percent, forcing a cold reboot that potentially will do a lot more damage than just corrupting your Word documents. Whatever your philosophy otherwise, that really is a denial of service.
Re: (Score:2)
The other article, based on the security researcher's work, calls the same thing a "denial-of-service-like situation":
The disagreement is not over how to describe
where do you want to go today? **FATAL EXCEPTION** (Score:3, Interesting)
It's a bad document. Word crashes. Life goes on.
You're right, you know. And you're not just right about word - this design paradigm clearly extends across the entire Microsoft product line, from the most basic to the most mission-critical:
"If you understand computers, you know that a computer normally is immune to the character of the data it processes," he wrote in the June U.S. Naval Institute's Proceedings Magazine. "Your $2.95 calculator, for example, gives you a zero when you try to divide a number by zero, and does not stop executing the next set
Re:Let me see... (Score:5, Informative)
Sorry, I don't buy it. The only way that is a valid expectation is if you explicitly tell it to crash when it gets malformed data, which is offensive and stupid. The proper thing to do is to tell it to alert the user if there is malformed data, and then clean up and get ready to parse another document.
Crashing is definitely a sign that something bad is happening. Traditionally, when an app crashes because of an invalid document, it's writing to some memory it shouldn't be. This is a sign of lazy or stupid programmers not doing proper checking of the input.
Re: (Score:2)
I mean, if the application crash, any user will know that something bad happened. If you give the average user a dialog box, he will automatically click OK without reading it (he has been trained to do that), then go puzzled : "huh, where's my document ?".
Therefore MS choice
I think i shall add some more
Re: (Score:2)
Sure, I don't dispute that. But regardless of how you look at it, it's a program error, not desirable behavior. Also, I did say "traditionally" - although "typically" is closer to what I wanted to say :) But both leave wiggle room.
Re: (Score:2, Flamebait)
It's officially 1984 (Score:3, Interesting)
Input validation (Score:2, Insightful)
If Word went ahead and executed arbitrary code, that's one thing. But as it stands, it just crashes out. Elegant? Not by a long shot. Security risk? Not so much.
Re:Input validation (Score:5, Insightful)
If Word went ahead and executed arbitrary code, that's one thing. But as it stands, it just crashes out.
You do understand that in many cases, a "crash" is when the software attempted to execute random garbage; and that if you tailored the garbage, you would have an arbitrary code execution vulnerability?
A crash, frankly, is very often an incompletely exploited code execution vulnerability. That may not be so, here; but if the crash is caused by stack or heap corruption, there's a distinct chance the triggering dataset could be made into a shellcode exploit or the like.
"That's the way it was designed!" (Score:2, Interesting)
Another example I came across recently is here [microsoft.com]. What's the point of designing as such?
Re: (Score:2, Insightful)
Odds are with this particular component, they were on the way to reducing functionality in their core component to force you into buying a third party developed component that was actually well designed and or useful.
Better recovery... (Score:4, Insightful)
I am fully aware that writing bug-free software is impossible. Ultimately, it is unavoidable that crashes will occur. When they do occur, they should be handled as gracefully as possible. However one should not defend one's code (and coding flaws) by saying that "sure it crashes--but the crashes are part of our carefully engineered recovery mechanism!" That's a lame excuse, because if you're aware of a consistent crash condition, you should be able to code so that instead of crashing, the program does something more friendly.
He's got half a point (Score:4, Interesting)
Wouldn't it be a good idea to shut down the app to prevent your whole network getting hosed? And doesn't the pain-in-the-assitude for the user maybe prevent them from opening shady docs the next time around?
Admittedly, it would be best if the flaw never existed in the first place. But if fixing the flaw outright is out of the question, why isn't this a good solution?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If I used Word and lost a document just so that Microsoft could do some data collection, I'd think that they'd have their priorities seriously wrong.
Re: (Score:2)
2. Who ever said that Microsoft had their priorities right?
But seriously.... (Score:4, Insightful)
I can see Mr. LeBlanc's point, that it's better to crash than open up your system, but it seems like they are taking this awfully lightheartedly. They're still bugs and they still need fixed. I think they are confusing debug features with release features.
Re: (Score:2)
Re: (Score:2)
Word is a bug (Score:2, Insightful)
How Long Before... (Score:3, Informative)
To me DoS'ing a client-side app like Word is an annoyance, but I would expect to see exploit code coming that does do code execution or privilege escalation of some sort and then MS will patch it on Tuesday just like they've been doing for years...
explosive code? (Score:5, Insightful)
From the linked blog...
1) Your code blew up, and you're about to get 0wn3d. Yup, it's exploitable, and the customers are not going to be happy.
2) Your code blew up, and maybe it is exploitable, maybe not.
3) Your code blew up, and you meant it to blow up, and it's clearly not exploitable.
Since you are not coding specifically for your application to crash (Or I hope not) surely there can be no 3. 2 is as good as it gets, you have done everything you can to prevent your code "blowing up" you have tried to handle anything that can be thrown at it gracefully, and you have done everything to ensure that when if and when things do go wrong they can do no damage, that's 2, not 3. If you cannot foresee and prevent every possible thing that could cause your application to crash (which you can't), then how can you foresee every possible way in which that unforeseeable crash could be exploited. All you can ever do is your best.
Next up, from the article:
Two of the three bugs result in a denial-of-service-like situation, with the PC's processor maxed out at 100%, making the machine unusable until it's rebooted. The third, Aharoni suggested, could be used to introduce remote attack code after an exploit causes an overflow of "wwlib.dll," a crucial Word library. But "code execution is not trivial," he added.
If described correctly then these bugs all pose a risk. sure the first two are minor risks, the later is major, but all three are bugs that should be listed as security vulnerabilities. I would suggest that the reason that they are currently not being seen as such by Microsoft, is simply that no one can be sure if the conditions required to trigger them could be utilised by anyone wishing to take advantage of them, and thus they are theoretically less threatening than many of the other issues that have plagued Microsoft Applications in the past.
In the end however we should be simply sating that a problem exists, it may be a security risk, and until it is fixed, we will treat it as such. Anything else (rightly or wrongly) simply smells like someone is covering up issues, and lets be frank, Microsoft doesn't have enough good will for that to be acceptable.
Re: (Score:3)
But isn't this the whole point of the exception-handling model of software error recovery? Back in the old days, any bug could potentially take down the whole system, only it didn't matter because the OS wasn't multitasking anyway. Under the exception-handling model, an unforeseen conditi
Re: (Score:3, Interesting)
There's a reason we call it a crash (or an abend.) It's because we weren't expecting it. We're not talking about a demolition derby here.
If an exception causes the program to quit safely, it's not a crash, it's an expected termination.
Firefox crashes on malformed intput too (Score:4, Insightful)
Secondary failsafes (Score:2)
Of course, their public statement is stupid. What they should
Upon additional consultation... (Score:4, Funny)
Chris mattern
Lesser of two evils is still evil. (Score:2)
Buffer overflows? Create and use a SAFE version of functions... Like.. I don't know? Try snprintf with only the output buffer's size?
Buffer overflows are the fault of the programmer and there should be
crash = unexpected behavior = security issue (Score:2)
I would have been given an F (Score:2, Insightful)
if (isExploit){
crashApplication();}
Is this "spin" or is this "twisted"?! (Score:2)
I "grew up" in a computing environment that did not involve mainframe style computing. Everything was on smaller, personal class machines. "Reboot" was considered a solution to a problem. I recall the first time I ever stated that "reboot" is part of any diagnostic procedure in front of a former boss. He cringed noticably because he grew up in
It was only a matter of time... (Score:3, Funny)
http://www.ubersoft.net/d/20030224.html [ubersoft.net]
but more specifically
http://www.ubersoft.net/d/20030228.html [ubersoft.net]
That MS Guy Better Stop Spinning So Fast (Score:2)
Crashing is damn sure a way to provide a DoS. The Computerworld guy is absolutely right - just display an error dialog. Geesh, can't these guys admit a mistake?
Pre-processing doesn't work? (Score:3, Insightful)
In software programming, just as much as in web programming, there is a saying: never trust the input, no matter where (you think) it comes from.
If it crashes in any other way (overwriting memory, input through plugins like SOAP or so) the same is true, it is Bad Programming (c) because you either didn't check the input, or didn't protect your share of memory.
Re:Let's just get this out of the way then... (Score:5, Informative)
"a tool that probes an application for vulnerabilities by sending random input"
This is known as an appositive phrase.
Re:Let's just get this out of the way then... (Score:5, Funny)
Um, read that again, and see if you can find the problem.
Re:Let's just get this out of the way then... (Score:4, Insightful)
I found two:
1. No one reads TFA
2. There are plurality of TFAs
"Um, read that again, and see if you can find the problems.
There may be a plurality of errors in your statement, not sure
*head explodes
Re:Let's just get this out of the way then... (Score:4, Funny)
2) It's um... Can you repeat this one, I didn't read it.
Re:Let's just get this out of the way then... (Score:4, Funny)
Re:Let's just get this out of the way then... (Score:4, Funny)
Yes I could google it, but so will 100,000 other slashdotters, so let's just post the answer here and be done with it.
Re:Let's just get this out of the way then... (Score:4, Informative)
an appositional phrase, a phrase that clarifies meaning, is a fancy way of saying "redundant"
Re: (Score:2, Informative)
Re: (Score:3, Informative)
"Fuzz testing or fuzzing is a software testing technique that provides random data ("fuzz") to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted."
Re:fuzzer (Score:2)
Would any bright egg here care to explain what the hell a 'fuzzer' is?
For those who didn't read the article and want to know what a fuzzer is;
"Aharoni said he found the flaws using a "fuzzer," a tool that probes an application for vulnerabilities by sending random input"
Snipped from the article.
Somehow clipping a line from the article doesn't make me feel light a bright egg.
Re: (Score:3, Funny)
How does saying "light" when you meant "like" make you feel?
Me, I feel like having another beer.
But, But... (Score:5, Funny)
OK, gotcha, but how do you differentiate this from normal Windows behavior?
Re:But, But... (Score:5, Funny)
Re: (Score:2, Funny)
You REALLY must be new here if you expect anyone on /. to come up with new and original arguments for why Microsoft sucks.
Walk into a store (Score:4, Insightful)
That is so early 90's!
Hello?? We have the internet!
Software can be downloaded!
In Windows, I can't just type in "office", click the resulting "kde office" and "open office" programs, and have them automatically downloaded for me, without fuel being burnt to get the bits from there to my computer. Amazing!
Also, I can just type in almost anything I may want my computer to do - and behold, one of more than 10,000 programs shows up which can be installed with a single click!
Oh wait, there's more. When I play a movie in full-screen, a bunch of "Would you like to update me?" dialogs of various programs don't jump up at me!
In fact, *all* (and that means all software you have) updating is done from a central location - by clicking the update icon.
Oh, Windows doesn't have that? Pitty, maybe I should stick to Linux!
Re: (Score:3, Interesting)
You have to type it in a specific text box - that of your package manager.
An
Re: (Score:2, Informative)
To be pedantic for a moment... (Score:3, Informative)
Re: (Score:2)
What if I'm running remote desktop while I do it? Aha!
To be even more pedantic for a moment... (Score:2, Insightful)
Re: (Score:2)
Or write a worm that modifies all word documents it finds in this fashion then cleanly uninstalls itself after it's propagated to another machine.
Etc.
Re: (Score:2)
Re: (Score:2)
Re:I don't see the problem (Score:5, Interesting)
Apparently that specific line of text exploits the way that notepad determines whether the file is encoded in ASCII or Unicode.
Re: (Score:3, Informative)
Wow. I thought this was a joke; but I just tried this on Windows XP, and it really happens as the poster describes.
In case you want to know why this happens (Score:3, Informative)
It's not really news though, and I doubt Hugh Thompson deserves any credit, Raymond Chen explained why things behave like this back in 2004 [msdn.com].
Re:My favourite Windows error message (Score:4, Interesting)
Re: (Score:3, Informative)
1. The ability to open files larger than 64KB... I'm not kidding, try it.
2. The ability to save and display files in UTF-8 and UCS-2/UTF-16.
A bug in the API that the latter uses is actually part of the problem the grandparent mentioned.
Of course, no one should use Notepad for doing anything useful... As a program, it does even less than its predecessor, MS-DOS's Edit.
Re: (Score:2)
Odds on it still has that as well, which is why a fair few places don't allow their employees to automatically send crash reports to Microsoft.
Re: (Score:2)
Re: (Score:2)
Re:What (Score:4, Interesting)
People act as if a crash is the worst thing in the world. Generations of programmers have been trained to think of a crash bug as the ultimate badge of shame. The problem is that it is not, by far, the ultimate mistake.
I think it's useful to keep this in perspective. It's better that you crash the user's car than run over the user's baby. I always tell guys who work for to to place bugs in the following order of severity (1 is highest severity):
1) user's system security is compromised.
2) user's data is corrupted or lost.
3) give wrong answers that aren't obvious (2 and three might be interchanged in some circumstances)
4) crash bugs and obvious garbage output
It's not that crash bugs are good. It's that given a choice between a crash and things higher on the list, you ought to choose the crash.
This is not a choice that, once upon a time, we had to make. Crashes happen when a condition you hadn't anticipated happen, so they were not (as a rule) a matter of choice.
Java checked exceptions changed that, and required that I develop clear priorities. For non-programmers, an exception is a condition (usually abnormal) that can occur some place in your program. A checked exception is one that it is mandatory to handle some place in your program, otherwise your program is not valid.
I'm not religiously against checked exceptions, other than that they're a bad choice for default. The problem is that the places where exceptions occur are often not the right place to handle them. The temptation is to mishandle the exception, particularly exceptions that are rare, at a low level. Sometimes this is a temporary measure so you can get to some initial tests you want to do, and you never get back to undoing it. Sometimes it happens because the programmer doesn't know a good way to handle the exception, so he papers it over.
The result is that you convert a crash bug into some other kind of bug. Often a bug that's higher on the severity list. That's why converting a checked exception into a non-checked exception is often the best course of action, even though it creates a possible crash condition later on.
Automated testing does, or potentially can, stand in for the function of checked exceptions with less risk. Some kind of annotation that was integrated with unit testing might be ideal.
Re: (Score:2)
Of all the scenes in 1984 (the film, not book), that one conveyed the decay of the society more than any other methinks. I also consider it one of richard burtons finest performances, but I'm probably in a minority there.
Ignorance (Score:2)
Ignorance is knowledge
Re: (Score:3, Insightful)
There's a BIG difference between an application writing junk to memory and crashing somewhere in malloc because things are completely hosed, and an application deciding data makes no sense and orderly aborting the operation.
Your program seems to do the second one, which is good. It's perfectly appropiate for the program to quit if it's for example a commandline program for batch processing. Were it a GUI program you'd stop processing, produce an error, and