Microsoft Bugs vs Features

I've been watching the developments of the "Word 2007" doc bugs fiasco. Its seems like Microsoft are calling these crashes "features" rather than bugs.

http://www.computerworld.com.au/index.php/id;377659799;fp;2;fpid;1

I'm not sure if this is the result of IT security media contorting the infomation they recieve and presenting it in a provocative way, or if Microsoft are really trying to blow off these bugs as part of their application design.

To make things clear - The bugs that I released are proof of concepts which cause denial of service. In their current state, they do not present a real threat to Word 2007 users. However, having an application crash or consume 100% CPU on a machine due to malformed user input - is probably the most classical description of a software bug.



It also seems that there is no mention of the HLP heap overflow, which probably presents more danger than all 3 doc bugs combined.

Microsoft DOC bugs and friends

Wow! Who thought 7 lines of python could go so far.

A few days ago I released a few proof of concepts to full disclosure - http://seclists.org/fulldisclosure/2007/Apr/0325.html

3 doc files which crashed my Word 2007, and a hlp file which when analysed looked like a classic heap overflow, with a twist or two.

It looks like there is some confusion by Microsoft - who for some reason are not able to reproduce these bugs -http://www.scmagazine.com/uk/news/article/649985/post-patch-tuesday-microsoft-vulnerabilities-posted-exploit-sites/

I've recieved many mails from full disclosure members confirming the crash. Someone even mentioned Word 2004 crashing on OSX.

So just to make things clear - here are some screenshots of the crashes. I fully hope that Microsoft will find the resources to figure this out.

PS - The really interesting part is this... Does anyone remember the old HLP heap overflow condition ? - http://www.securityfocus.com/archive/1/archive/1/430871/100/0/threaded

It turns out, that by simply copy/pasting the OLD hlp file mentioned in the post and executing it on a fully patched XP SP2 machine one would have triggered this new heap overflow....QA anyone ?