Even in a 15-year-old vulnerability

Apr 17, 2007 15:58 GMT

OK! Crashes are bad. Microsoft security expert David LeBlanc has explained his perspective on crashes versus exploits. LeBlanc agreed that crashes are an indication of poorly written code. Still, the Microsoft security guru is firmly convinced that a crash is by no means equivalent to an exploit. Just to be clear, we are talking here about a newly reported vulnerability in the way Windows handles .HLP (WinHelp) files.

"Just because something crashes does NOT mean it constitutes an exploit. I used to be in the exploit business, first by developing a network assessment tool, and second by having a job as internal penetration tester here. Real exploits gain privilege, gain information, or deprive someone of a needed resource. Causing a client application just to fail is about as much an exploit as ringing someone's doorbell and then running away. It's a childish nuisance, not an attack," LeBlanc explained.

Peter Ferrie, Senior Principal Software Engineer at Symantec, disputes LeBlanc's point of view. According to Ferrie, the vulnerability is real: it was reproduced by inserting random data into a .HLP file with a fuzzer. Ferrie revealed that the vulnerability resides in both the LZ77 decompressor and the RLE decompressor, which are used by almost every section of a .HLP file.

"The two of them are used by almost every section in .hlp files, meaning that the vulnerability isn't specific to the "bm" section. Although the LZ77 and RLE decompressor algorithms are widely used by a variety of programs, the vulnerability is specific to Microsoft's implementation in the Winhlp32.exe program. Additionally, this bug appears to be present in the 16-bit versions of Winhelp.exe, which means that it has gone undetected for over 15 years!" Ferrie added.
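As an added example (not code from the original article, and not Microsoft's Winhlp32 code: the details of that bug are not on this page), here is the shape of the defect Ferrie describes in a decompressor, written in C against a toy container format invented for this example. The trusting decoder sizes its output from a header field and then believes the run lengths in the packets; one mutated control byte of the kind a fuzzer produces makes it write far past the declared size, with both the overrun length and the fill byte under the file author's control. The checked decoder beside it rejects the same input. Whether such an overrun merely crashes the viewer or can be steered into control of execution is exactly the question LeBlanc and Ferrie disagree on, and that analysis starts from what the overwritten bytes are and where they land, not from the crash itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy container, invented for this example (NOT the .HLP on-disk format):
 *   bytes 0-1 : declared decompressed size, little-endian
 *   bytes 2.. : RLE packets. Control byte c:
 *               c & 0x80 set   -> repeat the next byte (c & 0x7f) + 1 times
 *               c & 0x80 clear -> copy the next c + 1 bytes literally
 */

enum { RLE_OK = 0, RLE_BAD_INPUT = -1, RLE_OUTPUT_OVERFLOW = -2 };

size_t declared_len(const uint8_t *in)
{
    return (size_t)in[0] | ((size_t)in[1] << 8);
}

/* Trusting decoder: sizes its output from the header and then believes the
 * packets, never checking that the two agree. Returns the bytes written.
 * The caller passes a scratch buffer big enough to absorb any overrun so the
 * demonstration itself stays memory-safe; a real decoder would have handed it
 * a buffer of exactly declared_len() bytes and corrupted whatever follows. */
size_t rle_decode_trusting(const uint8_t *in, size_t in_len, uint8_t *out)
{
    size_t ip = 2, op = 0;
    while (ip < in_len) {
        uint8_t c = in[ip++];
        if (c & 0x80) {
            size_t n = (size_t)(c & 0x7f) + 1;
            uint8_t v = in[ip++];            /* assumes the value byte exists */
            memset(out + op, v, n);          /* no check against declared size */
            op += n;
        } else {
            size_t n = (size_t)c + 1;
            memcpy(out + op, in + ip, n);    /* assumes the literals are present */
            ip += n;
            op += n;
        }
    }
    return op;
}

/* Bytes the trusting decoder writes beyond what the header promised.
 * 0 means header and packets agreed; anything else is an out-of-bounds write
 * whose length and fill byte are chosen by whoever wrote the file. */
size_t trusting_overrun(const uint8_t *in, size_t in_len, uint8_t *scratch)
{
    size_t written = rle_decode_trusting(in, in_len, scratch);
    size_t declared = declared_len(in);
    return written > declared ? written - declared : 0;
}

/* Hardened decoder: every read is checked against in_len and every write
 * against the declared size (itself checked against the caller's capacity).
 * A stream that ends early or tries to overrun is rejected, not tolerated. */
int rle_decode_checked(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (in_len < 2) return RLE_BAD_INPUT;
    size_t declared = declared_len(in);
    if (declared > out_cap) return RLE_OUTPUT_OVERFLOW;

    size_t ip = 2, op = 0;
    while (ip < in_len) {
        uint8_t c = in[ip++];
        size_t n;
        if (c & 0x80) {
            n = (size_t)(c & 0x7f) + 1;
            if (ip >= in_len) return RLE_BAD_INPUT;          /* missing value byte */
            if (n > declared - op) return RLE_OUTPUT_OVERFLOW;
            memset(out + op, in[ip++], n);
        } else {
            n = (size_t)c + 1;
            if (n > in_len - ip) return RLE_BAD_INPUT;       /* literals cut short */
            if (n > declared - op) return RLE_OUTPUT_OVERFLOW;
            memcpy(out + op, in + ip, n);
            ip += n;
        }
        op += n;
    }
    if (op != declared) return RLE_BAD_INPUT;               /* stream ended early */
    *out_len = op;
    return RLE_OK;
}

/* Constructed samples (not real .HLP data). WELL_FORMED declares 5 bytes and
 * encodes "AAABC". FUZZED is what one mutated byte gives you: the header still
 * says 4 bytes, but the control byte 0xFF now asks for a 128-byte run of 'X'. */
const uint8_t WELL_FORMED[] = { 0x05, 0x00, 0x82, 'A', 0x01, 'B', 'C' };
const uint8_t FUZZED[]      = { 0x04, 0x00, 0xFF, 'X' };

int main(void)
{
    uint8_t scratch[512], out[16];
    size_t n = 0;
    int rc;

    printf("trusting decoder overrun on fuzzed file: %zu bytes\n",
           trusting_overrun(FUZZED, sizeof FUZZED, scratch));
    rc = rle_decode_checked(WELL_FORMED, sizeof WELL_FORMED, out, sizeof out, &n);
    printf("checked decoder on well-formed file: rc=%d len=%zu\n", rc, n);
    rc = rle_decode_checked(FUZZED, sizeof FUZZED, out, sizeof out, &n);
    printf("checked decoder on fuzzed file: rc=%d\n", rc);
    return 0;
}
```

Run as-is, the trusting decoder reports a 124-byte overrun on the fuzzed file while the checked decoder returns RLE_OUTPUT_OVERFLOW for it and RLE_OK with 5 bytes for the well-formed one. The point of `trusting_overrun` is the triage step that follows a fuzzer crash: the overrun here is attacker-sized and attacker-filled, which is the property that separates a nuisance crash from something worth exploit analysis.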