Friday, April 13, 2007

Microsoft Bugs vs Features

I've been watching the developments of the "Word 2007" doc bugs fiasco. It seems like Microsoft are calling these crashes "features" rather than bugs.

http://www.computerworld.com.au/index.php/id;377659799;fp;2;fpid;1

I'm not sure if this is the result of IT security media contorting the information they receive and presenting it in a provocative way, or if Microsoft are really trying to blow off these bugs as part of their application design.

To make things clear - the bugs that I released are proof of concepts which cause denial of service. In their current state, they do not present a real threat to Word 2007 users. However, having an application crash or consume 100% CPU on a machine due to malformed user input is probably the most classic description of a software bug.

It also seems that there is no mention of the HLP heap overflow, which probably presents more danger than all 3 doc bugs combined.

Wednesday, April 11, 2007

Microsoft DOC bugs and friends

Wow! Who would have thought 7 lines of Python could go so far?

A few days ago I released a few proof of concepts to Full Disclosure - http://seclists.org/fulldisclosure/2007/Apr/0325.html

3 doc files which crashed my Word 2007, and an hlp file which, when analysed, looked like a classic heap overflow, with a twist or two.

It looks like there is some confusion at Microsoft - who for some reason are not able to reproduce these bugs - http://www.scmagazine.com/uk/news/article/649985/post-patch-tuesday-microsoft-vulnerabilities-posted-exploit-sites/

I've received many mails from Full Disclosure members confirming the crash. Someone even mentioned Word 2004 crashing on OS X.

So just to make things clear - here are some screenshots of the crashes. I fully hope that Microsoft will find the resources to figure this out.

PS - The really interesting part is this... Does anyone remember the old HLP heap overflow condition? - http://www.securityfocus.com/archive/1/archive/1/430871/100/0/threaded

It turns out that by simply copy/pasting the OLD hlp file mentioned in the post and executing it on a fully patched XP SP2 machine, one would have triggered this new heap overflow... QA anyone?