Message-ID: <3F8EB1CC.29412.347DC338@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: FW: Microsoft Security Bulletin MS03-035

"Alex Mega" <korund@...mail.com> wrote:

> What is the essence of MS Word bug Microsoft Security Bulletin MS03-035:
> Flaw in Microsoft Word Could Enable Macros to Run Automatically (827653)
> There are no details of bug nature in this bulletin, just general info.
> What, in fact, is this Word macro malfunction itself?

Basically there is a "magic bit" that is checked at an early level of 
the "macro security checking" process, but which is not checked at 
other levels of macro functionality __AND__ that is irrelevant to later 
functionality of any macros present.  Thus the early "are there macros 
to worry about" check can decide "nope -- all clear" and then later 
parts of the file parsing will see the macros and process them.  This 
is especially problematic in this case as the "there are no macros to 
worry about" decision fails open, meaning that the macros that it can 
let "slip by" are processed as if approved by the security checking 
process when, in fact, they were unseen by it.

In short, as is so common with so many Microsoft "security" functions, 
the implementation of the security controls on a measure is almost 
entirely divorced from the actual implementation of the feature itself.

It seems clear that "fail safe" is not part of any standard design 
conception at MS, yet MS wonders why it keeps getting pinged for 
"clearly not understanding security basics".  How many more things like 
this will have to be found in MS products before the coders in Redmond 
accept that self-doubt is a necessary addition to their apparently 
deluded self-image of "perfection"?


Regards,

Nick FitzGerald
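
The check/use mismatch described in the message above, as an added example that is not part of the original post and is not Word's code or file format. The container layout, the record types and every function name are hypothetical; the sample documents are constructed.

```python
# Constructed toy container, NOT the Word file format.
# Byte 0: flags (bit 0 = "has macros" hint). Then records: type, length, payload.
HAS_MACROS_HINT = 0x01
REC_TEXT, REC_MACRO = 0x54, 0x4D

def parse_records(doc: bytes):
    """The single parser the loader uses; raises ValueError if malformed."""
    if not doc:
        raise ValueError("empty document")
    pos, records = 1, []
    while pos < len(doc):
        if pos + 2 > len(doc):
            raise ValueError("truncated record header")
        rtype, rlen = doc[pos], doc[pos + 1]
        payload = doc[pos + 2 : pos + 2 + rlen]
        if len(payload) != rlen:
            raise ValueError("truncated record payload")
        records.append((rtype, payload))
        pos += 2 + rlen
    return records

def loader_sees_macros(doc: bytes) -> bool:
    """Later processing stage: walks the records and ignores the hint bit."""
    return any(rtype == REC_MACRO for rtype, _ in parse_records(doc))

def gate_by_hint(doc: bytes) -> bool:
    """Flawed gate: True ("all clear") whenever the hint bit is unset."""
    return not (doc[0] & HAS_MACROS_HINT)

def gate_by_content(doc: bytes) -> bool:
    """Hardened gate: uses the loader's own view; unparseable means not clear."""
    try:
        return not loader_sees_macros(doc)
    except ValueError:
        return False  # fail closed

def record(rtype: int, payload: bytes) -> bytes:
    return bytes([rtype, len(payload)]) + payload

# Constructed samples: identical bodies, differing only in the hint bit.
BODY = record(REC_TEXT, b"hello") + record(REC_MACRO, b"placeholder")
HONEST = bytes([HAS_MACROS_HINT]) + BODY
MISMATCHED = bytes([0x00]) + BODY
TRUNCATED = MISMATCHED[:-3]

if __name__ == "__main__":
    for name, doc in [("honest", HONEST), ("mismatched", MISMATCHED)]:
        print(name, gate_by_hint(doc), gate_by_content(doc), loader_sees_macros(doc))
```

The hint-based gate and the loader disagree on the mismatched sample, while the content-based gate cannot disagree with the loader because it asks the loader's parser, and it refuses the truncated sample rather than passing it.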

