Thursday, April 12, 2007

Office 2007 Crashes Released by Muts - Update

Via ComputerWorld.com -

April 12, 2007 -- The Word 2007 bugs pegged as security vulnerabilities by an Israeli researcher are nothing of the sort, Microsoft Corp. said today. Instead, the application crashes reported as flaws are actually by design.

The researcher who posted details earlier this week of the bugs reacted by offering screenshots of the Word crashes and wondering why Microsoft disputed his findings.

On Monday, Mati Aharoni of Offensive Security warned of three new flaws in Word 2007 on the Milw0rm and SecurityVulns.com security sites, and posted malformed Word documents as proof-of-concepts. Microsoft, however, seemed unconcerned.

Late yesterday, a company spokeswoman repeated the company's earlier contention that the Microsoft Security Response Center's (MSRC) investigation "found that none of these claims demonstrate a vulnerability in Microsoft's Word 2007 or any part of the Microsoft Office System."

When asked to clarify that statement, she acknowledged Microsoft won't classify the flaws as security problems. Rather, the behavior of Word 2007 is a feature, not a bug. "In fact, the behavior observed in Microsoft Word 2007 in this instance is a by-design behavior that improves security and stability by exiting Microsoft Word when it has run out of options to try and reliably display a malformed Word document," the spokeswoman said.

She went on to suggest that it is no big deal if Word 2007 did crash under those circumstances, a scenario that could lead to the loss of any unsaved data. "The sample code in [Aharoni's] postings cause Microsoft Word to crash, and users can restart the application to resume normal operations."

-------------------------------------------------

Muts' original post can be found here. The issues were discovered with a small fuzzer he created.
