echo: osdebate
to: mike
from: Robert Comer
date: 2007-04-14 12:38:06
subject: Re: Microsoft: Word 2007 crashes are a feature, not bug

From: Robert Comer 

Totally crazy, if it's by design it should come up with a message saying
"Corrupt document" and refuse to load it, rather than crash
without explanation.

I agree it's not a DoS or vulnerability, but it is bad code with no excuse.

--
Bob Comer


On Sat, 14 Apr 2007 09:48:09 -0400, mike wrote:

>
>http://www.computerpartner.nl/article.php?news=int&id=5003
>
>===
>The Word 2007 bugs pegged as security vulnerabilities by an Israeli
>researcher are nothing of the sort, Microsoft Corp. said Thursday.
>Instead, the application crashes reported as flaws are actually by
>design.
>
>The researcher who posted details earlier this week of the bugs reacted
>by offering screenshots of the Word crashes and wondering why Microsoft
>disputed his findings.
>
>On Monday, Mati Aharoni of Offensive Security warned of three new flaws
>in Word 2007 on the Milw0rm and SecurityVulns.com security sites, and
>posted malformed Word documents as proof-of-concepts. Microsoft,
>however, seemed unconcerned.
>
>Late Wednesday, a company spokeswoman repeated the company's earlier
>contention that the Microsoft Security Response Center's (MSRC)
>investigation, "found that none of these claims demonstrate a
>vulnerability in Microsoft's Word 2007 or any part of the Microsoft
>Office System."
>
>When asked to clarify that statement, she acknowledged Microsoft won't
>classify the flaws as security problems. Rather, the behavior of Word
>2007 is a feature, not a bug. "In fact, the behavior observed in
>Microsoft Word 2007 in this instance is a by-design behavior that
>improves security and stability by exiting Microsoft Word when it has
>run out of options to try and reliably display a malformed Word
>document," the spokeswoman said.
>
>She went on to suggest that it is no big deal if Word 2007 did crash
>under those circumstances, a scenario that could lead to the loss of any
>unsaved data. "The sample code in [Aharoni's] postings cause Microsoft
>Word to crash, and users can restart the application to resume normal
>operations."
>
>The stance was not out of character for the MSRC, which in the past has
>separated bugs that allow code execution or rights elevation from those
>that result in a denial-of-service-style situation. Previously, it has
>refused to label some crash-inducing problems as vulnerabilities, or
>patch them outside of a service pack.
>
>That's the same position taken by David LeBlanc, one of Microsoft's
>secure code gurus, and Michael Howard, the co-author of the
>just-released Writing Secure Code for Vista. "You may rightfully say
>that crashing is always bad, and having a server-class app background, I
>agree. Crashing means you made a mistake, bad programmer, no biscuit,"
>said LeBlanc in an MSDN blog. "However, crashing may be the lesser of
>the evils in many places. The theory is that it is better to crash, at
>least with client apps, than it is to be running the bad guy's shell
>code."
>
>Office 2007 uses this strategy, said LeBlanc, who, like the MSRC,
>objected to classifying a denial-of-service-like result as an attack. "I
>really take issue with those who would characterize a client-side crash
>as a denial of service," he said. "If you can crash my app so that I
>can't restart it, or have to reboot my system, well, okay, that's a DoS.
>If you blew up my app, and I just don't load that document again, big
>deal."
>
>For his part, Aharoni was puzzled by media reports that claimed
>Microsoft contested the bugs themselves, not that the flaws weren't to
>be considered true vulnerabilities, and responded by posting screenshots
>of the Word 2007 crash. "I've recieved [sic] many mails from full
>disclosure members confirming the crash," he also said on his blog
>today. "I fully hope that Microsoft will find the resources to figure
>this out."
>
>The company said it will continue to investigate, in case earlier
>editions of the word processor, which don't include code that
>purposefully crashes the app, are found to be vulnerable. "Our
>investigation into the possible impact of these claims on other versions
>of Microsoft Office is continuing," said the spokeswoman.
>===
>
>  /m

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267
@PATH: 379/45 1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
