Of course, a vendor can instead play it on the safe side and just fix a
crash bug in case their analysis is flawed and a crash bug is actually a
more serious problem...

 

Richard


Word 2007 Flaws Are Features, Not Bugs
<http://developers.slashdot.org/developers/07/04/13/1738202.shtml>


Posted by Zonk <http://slashdot.org/~Zonk/>  on Friday April 13, @02:43PM
from the i-thought-that-was-just-a-programmer-joke dept. 

 <http://slashdot.org/search.pl?tid=172> Security

PetManimal <http://www.computerworld.com/blogs/blog/19> writes "Mati
Aharoni's discovery
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9016279>
of three flaws in Word using a fuzzer (screenshots)
<http://secmaniac.blogspot.com/2007/04/microsoft-doc-bugs.html> has been
discounted by Microsoft, which claims that the crashes and malformed Word
documents are
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9016401&pageNumber=1>
a feature of Word, not a bug. Microsoft's
Security Response Center is also refusing to classify the flaws as security
problems. According
<http://blogs.msdn.com/david_leblanc/archive/2007/03/19/finally-starting-a-blog.aspx>
to Microsoft developer David LeBlanc, crashes aren't necessarily
DoS situations: 'You may rightfully say that crashing is always bad, and
having a server-class app background, I agree. Crashing means you made a
mistake, bad programmer, no biscuit. However, crashing may be the lesser of
the evils in many places. In the event that our apps crash, we have recovery
mechanisms, ways to report the crash so we know what function had the
problem, and so on. I really take issue with those who would characterize a
client-side crash as a denial of service.' Computerworld's Frank Hayes
responds to LeBlanc and questions Microsoft's logic
<http://www.computerworld.com/blogs/node/5360>."


 


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
