In case my posts in the past haven't made this clear, I'm going to state it one more time: I don't see a difference between stability and security bugs. I consider denial of service to be a serious security issue, and I know that I'm not alone in that belief. Microsoft even includes denial of service throughout the SDL Security Bug Bar. I used to get rather upset with every browser DoS, but I've since accepted that since they'll never all be fixed, there's no use getting upset. This time, however, I want to gripe, and I want to gripe about the importance of email client availability.
If you read the bug bar link posted above and look at the client-side section, you'll note the following line: "Normal, simple user actions, like previewing mail, viewing local folders, or file shares, are not extensive user interaction." I read this as meaning that these are things people do on a regular basis, so issues triggered by them should be considered slightly more serious than issues in other components of the same product. For today, we're going to focus on previewing mail.
Like most of the business world, nCircle uses Exchange and, by extension, Outlook. Email is, in my opinion, business critical, so when I preview an email and Outlook crashes, I take it pretty seriously. Outlook restarts (minus the preview pane) and I'm good to go, but that slight inconvenience can easily become more than an inconvenience if it happens more than once, particularly if an internal application can generate emails that trigger the issue.
I came across this issue by accident, because a piece of software was generating these emails. After it happened, I started digging around and discovered that the culprit was a chunk of HTML; to be a little more precise, that "chunk" is 33 characters long. Code execution isn't possible, so that takes the issue down a few notches in severity, but in my mind it's still an issue.
My mind went "denial of service that hinders my work," and I sent an email off to MSRC. The result of that email: "This is a stability issue; it will be addressed in the next service pack." I find it completely unacceptable that something that can easily interrupt my daily workflow is brushed aside and that I'm required to wait for a service pack release.
Does my little rant have a point? Only to say that if you're going to go out of your way to define "extensive" vs. "not extensive" user interaction, perhaps it should apply to all issues; that way my issue would be fixed appropriately and I wouldn't have to wait around for a service pack. The days of mail bombing may be long gone, but I fear what would happen if someone decided to target all the employees at a company with this "stability issue". The constant disruption could have a serious impact on a business, but I guess security isn't concerned with availability.

Comments (1)
I see your point... Why hold DoS fixes back if Microsoft is going to release patches for software every month or so...
Including these will add to the noise factor when trying to do patch-diff vulnerability re-discovery.
Posted by Joshua J. Drake | May 6, 2010 4:12 PM