It’s Not a Bug, It’s a Feature! Why Give Up Word, Part Four

crash report

Patch Tuesday (the day Microsoft releases security patches) has just rolled around and, not too surprisingly, zero-day vulnerabilities have surfaced, this time in Word 2007. Mati Aharoni of Offensive Security posted three bugs to a security mailing list. All three are malformed Word documents: two crash the machine, and one causes a buffer overflow in wwlib.dll that Aharoni claims could be exploitable, though he notes that getting code execution would be nontrivial. In and of itself, this is no big deal, given the size and complexity of the code base. Perhaps it is a little surprising, since Word documents are now XML and an XML parser should be able to determine whether or not a document is valid OOXML without crashing, but I am no programmer and literally have no idea of the architecture of Word 2007.

What is surprising is Microsoft’s reaction to the bug report. Apparently, Word taking down your machine is not a bug, it’s a feature! Computerworld cites a Microsoft spokesperson claiming:

In fact, the behavior observed in Microsoft Word 2007 in this instance is a by-design behavior that improves security and stability by exiting Microsoft Word when it has run out of options to try and reliably display a malformed Word document.

But it is not just Word that crashes; it’s your machine crashing, forcing you to reboot. This is why some are describing this as a denial-of-service scenario, something that Microsoft has denied. Nor is this an isolated bit of spin by Microsoft marketing, as David LeBlanc’s Web Log confirms:

In Office 2007, and quite a few places in other Microsoft code, we’ve made use of my SafeInt class. SafeInt is designed to ensure that arithmetic is either mathematically correct, or an exception happens. You get to pick what sort of exception you like, and whether to catch it. By default, it throws C++ exceptions, but many of the users have chosen to take Win32 exceptions. … If you’re one of those people who like to find issues in our code, and you happen to see this exception, it means that we have caught you, no security bulletin with your name in lights, do not pass go. Obviously, if you have managed to find some other problem, and have managed to first tromp on an exception record, then that was the problem, and this was just the trigger.

Um, thanks.
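LeBlanc’s description of SafeInt (arithmetic is either mathematically correct or an exception is raised) is the one technical claim on this page, so here is an added example of what that contract looks like in practice. This is illustrative code written for this page; it is not Microsoft’s SafeInt and does not come from the post. The `RecordHeader` layout and its field values are constructed for the example, and the helper names are hypothetical.

```cpp
// Added example (not Microsoft's SafeInt, not from the post): integer
// arithmetic that returns the mathematically correct result or throws,
// applied to a buffer-length computation of the kind a document parser does.
#include <cstdint>
#include <iostream>
#include <limits>
#include <stdexcept>
#include <type_traits>

struct IntegerOverflow : std::runtime_error {
    explicit IntegerOverflow(const char* what) : std::runtime_error(what) {}
};

// Addition that either returns the exact result or throws.
template <typename T>
T checkedAdd(T a, T b) {
    static_assert(std::is_integral<T>::value, "integral types only");
    const T hi = std::numeric_limits<T>::max();
    const T lo = std::numeric_limits<T>::min();
    if (b > 0 && a > hi - b) throw IntegerOverflow("addition overflow");
    if (b < 0 && a < lo - b) throw IntegerOverflow("addition underflow");
    return static_cast<T>(a + b);
}

// Multiplication checked *before* the operation, so signed overflow (which is
// undefined behaviour in C++) never actually happens.
template <typename T>
T checkedMul(T a, T b) {
    static_assert(std::is_integral<T>::value, "integral types only");
    const T hi = std::numeric_limits<T>::max();
    const T lo = std::numeric_limits<T>::min();
    if (a == 0 || b == 0) return 0;
    if (a > 0) {
        if (b > 0) { if (a > hi / b) throw IntegerOverflow("multiplication overflow"); }
        else       { if (b < lo / a) throw IntegerOverflow("multiplication underflow"); }
    } else {
        if (b > 0) { if (a < lo / b) throw IntegerOverflow("multiplication underflow"); }
        else       { if (b < hi / a) throw IntegerOverflow("multiplication overflow"); }
    }
    return static_cast<T>(a * b);
}

// Constructed header layout (hypothetical): a record count, a per-record size
// and a trailer, as a file format might store them.
struct RecordHeader {
    uint32_t recordCount;
    uint32_t recordSize;
    uint32_t trailerBytes;
};

// Total buffer length = count * size + trailer, computed with checked arithmetic.
// A header whose length cannot be represented raises IntegerOverflow instead of
// silently wrapping to a small value that would lead to an undersized buffer.
uint32_t bufferLength(const RecordHeader& h) {
    const uint32_t body = checkedMul<uint32_t>(h.recordCount, h.recordSize);
    return checkedAdd<uint32_t>(body, h.trailerBytes);
}

// True if the header is rejected (an overflow was detected), false if accepted.
bool headerRejected(const RecordHeader& h) {
    try { bufferLength(h); return false; }
    catch (const IntegerOverflow&) { return true; }
}

// Convenience probe for the signed case used in the tests below.
bool int32MulOverflows(int32_t a, int32_t b) {
    try { checkedMul<int32_t>(a, b); return false; }
    catch (const IntegerOverflow&) { return true; }
}

int main() {
    const RecordHeader benign{100, 512, 16};           // 51216 bytes, fits
    const RecordHeader malformed{0x10000, 0x10000, 1}; // 2^32 would wrap to 0 unchecked
    std::cout << "benign length: " << bufferLength(benign) << "\n";
    std::cout << "malformed rejected: " << (headerRejected(malformed) ? "yes" : "no") << "\n";
    return 0;
}
```

The point the post is arguing about is what happens after the throw: the helper only guarantees that a wrong length is never used, and the caller still decides whether to reject the document, skip the record, or exit the process.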

For more discussion of this, see Frank Hayes’ post questioning Microsoft’s logic, and see Slashdot (natch).

Again, these are vulnerabilities, not exploits (unlike the vulnerability acknowledged by Microsoft that has been exploited in attacks and has yet to be fixed). And again, no big deal. What is a big deal is Microsoft’s apparent willingness to take down your machine and trumpet this as a security feature.
