Dubious security vulnerability: Manual operations can cause a program to hang

Raymond Chen

A security vulnerability report came in that went roughly like this:

Copy a huge amount of text to the clipboard, like a half a gigabyte. Run the XYZ program and paste it all. The program crashes. This is a denial of service against program XYZ. A photo of the crash is attached.

First of all, the claim that the program crashes is incorrect. The photo shows that the cursor is a spinning donut, and the title bar says “(Not Responding)”. The program hasn’t crashed. It has stopped responding, probably because it’s busy trying to process a half-gigabyte of data. But, presumably, if you wait long enough, it will eventually finish (or run out of memory).

While it’s true that this could be considered a denial of service against program XYZ, it’s entirely self-inflicted. You chose to paste half a gigabyte of data into program XYZ, so you get to wait for it to finish.

Besides, if you wanted to launch a denial-of-service attack against program XYZ, there’s a much simpler way: Click the red “X” button in the upper right corner to close the program.

Now nobody can use it.

2 comments

Leave a comment

  • Michael Dunn 1

    All I can think of is “Stop hitting yourself!”

  • Georg Rottensteiner 0

    The X is red?

    Also, the clipboard could use a whole set of articles 🙂
    A history, which programs use which formats, and why do some use new fangled html-as-image; purely to keep others from getting the image as actual image?
    Also, why is there no official column selection for text? Mostly it’s handled by adding a Visual Studio’s “MSDEVColumnSelect” entry.

Feedback usabilla icon