Dubious security vulnerability: Manual operations can cause a program to hang
A security vulnerability report came in that went roughly like this:
Copy a huge amount of text to the clipboard, like a half a gigabyte. Run the XYZ program and paste it all. The program crashes. This is a denial of service against program XYZ. A photo of the crash is attached.
First of all, the claim that the program crashes is incorrect. The photo shows that the cursor is a spinning donut, and the title bar says “(Not Responding)”. The program hasn’t crashed. It has stopped responding, probably because it’s busy trying to process a half-gigabyte of data. But, presumably, if you wait long enough, it will eventually finish (or run out of memory).
While it’s true that this could be considered a denial of service against program XYZ, it’s entirely self-inflicted. You chose to paste half a gigabyte of data into program XYZ, so you get to wait for it to finish.
Besides, if you wanted to launch a denial-of-service attack against program XYZ, there’s a much simpler way: Click the red “X” button in the upper right corner to close the program.
Now nobody can use it.
Light
Dark
2 comments
All I can think of is “Stop hitting yourself!”
The X is red?
Also, the clipboard could use a whole set of articles 🙂
A history, which programs use which formats, and why do some use new fangled html-as-image; purely to keep others from getting the image as actual image?
Also, why is there no official column selection for text? Mostly it’s handled by adding a Visual Studio’s “MSDEVColumnSelect” entry.