Microsoft: Word 2007 crashes aren't a bug, they're a feature

Acidus
 
Topic: Technology 9:44 am EDT, Apr 14, 2007

When asked to clarify that statement, she acknowledged Microsoft won't classify the flaws as security problems. Rather, the behavior of Word 2007 is a feature, not a bug. "In fact, the behavior observed in Microsoft Word 2007 in this instance is a by-design behavior that improves security and stability by exiting Microsoft Word when it has run out of options to try and reliably display a malformed Word document," the spokeswoman said.

... [sigh]... [deep breath]... IT'S F#@&ING INPUT VALIDATION! [Smack] WHERE'S MY MONEY? [smack]

Your first problem is to continue rendering something you know is corrupted! Recovery is different from rendering. At first error, the program should stop rendering, shell the file out to an external recovery program which attempts to extract valid data structures and chunks. Any recovered data should be written to a new file and loaded into Word. Worst case is the recovery program crashes, in which case you don't lose Word.

She went on to suggest that it is no big deal if Word 2007 did crash under those circumstances, a scenario that could lead to the loss of any unsaved data. "The sample code in [Aharoni's] postings cause Microsoft Word to crash, and users can restart the application to resume normal operations."

And users can just reboot the box when a blue screen happens, so I guess that's not a DoS either. Jackass.

I'm really surprised the MSRC made an official statement that is so utterly retarded. One thing's for sure: Kymberlee Price wouldn't have tried to pull this crap. She respects the security community too much to try and keep a straight face when saying something as fucked up as "a crash isn't a DoS."

I think Frank Hayes of Computerworld says it best:

If your application code is in control, it can gracefully reject bad input.

If your app code ISN'T in control, you crash. You're already owned.

This suicide-before-capture approach isn't "by-design" behavior. It's lack-of-design behavior.

And a "code guru" of any kind who thinks that's not a security and stability problem that needs fixing doesn't belong in this business.
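
The design described earlier in the post (stop at the first parse error, hand the file to a separate recovery process, load only what that process rebuilds) as an added sketch; it is not code from the original post or from Word. The CHNK chunk format, the function names and the `.recovered` suffix are assumptions made up for the illustration.

```python
import struct, subprocess, sys, zlib
from pathlib import Path

MAGIC = b"CHNK"  # constructed toy format: MAGIC | u16 length | payload | u32 CRC32
def pack(payload):  # build one well-formed chunk
    return MAGIC + struct.pack(">H", len(payload)) + payload + struct.pack(">I", zlib.crc32(payload))

def read_chunk(data, pos):  # validate one chunk; return (payload, next_pos) or raise
    if data[pos:pos + 4] != MAGIC or pos + 6 > len(data):
        raise ValueError(f"bad chunk header at offset {pos}")
    end = pos + 10 + struct.unpack_from(">H", data, pos + 4)[0]
    payload = data[pos + 6:end - 4]
    if end > len(data) or zlib.crc32(payload) != struct.unpack_from(">I", data, end - 4)[0]:
        raise ValueError(f"truncated or corrupt chunk at offset {pos}")
    return payload, end

def parse_strict(data):  # the editor's parser: the first bad chunk rejects the whole file
    chunks, pos = [], 0
    while pos < len(data):
        payload, pos = read_chunk(data, pos)
        chunks.append(payload)
    return chunks

def salvage(data):  # recovery scan, run only in the helper: keep chunks that validate
    good, pos = [], data.find(MAGIC)
    while pos != -1:
        try:
            payload, pos = read_chunk(data, pos)
            good.append(payload)
        except ValueError:
            pos += 1  # skip the damaged chunk and look for the next MAGIC
        pos = data.find(MAGIC, pos)
    return good

def recover_out_of_process(src, dst, timeout=5):  # a crash or hang stays in the child
    try:
        return subprocess.run([sys.executable, __file__, src, dst], timeout=timeout).returncode == 0
    except subprocess.TimeoutExpired:
        return False

def open_document(path):  # host: never renders data that failed validation
    try:
        return parse_strict(Path(path).read_bytes())
    except ValueError:
        ok = recover_out_of_process(path, path + ".recovered")
        return parse_strict(Path(path + ".recovered").read_bytes()) if ok else None

if __name__ == "__main__" and len(sys.argv) == 3:  # helper entry: argv = [script, src, dst]
    Path(sys.argv[2]).write_bytes(b"".join(map(pack, salvage(Path(sys.argv[1]).read_bytes()))))
```

The host validates the rebuilt file with the same strict parser, so nothing the helper produces is trusted just because it came from the helper.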
