New Insidious form of Bit Rot

Microsoft has just now announced patches that will remove the ability of Word to read a large class of old formats.

Given the architecture of Windows, the rationale seems clear. Software that imports data in any format must remain in control even when encountering data that does not conform to expectations. This specifically means that at least buffer overruns must be guarded against. That legitimate documents were mostly built before the art of malicious documents was so highly developed is little reason for complacence; the perpetrator can easily build new bogus documents in an old format if the code for reading new formats finally becomes difficult to subvert. I suppose that Microsoft wants to avoid the cost of fixing that increasingly unused code and perhaps also to spare customers the pain of exploits that happen before the security holes for the old formats are fixed.

In a capability system, a version of Word with the old code for reading the old formats intact can be run in a limited environment such that its only possible side effect is to create a document in the modern Word format. If a bogus document subverts this code, there is no harm. The output may be bogus, but the box is configured so that its output is accessible only to a modern program that is not gullible and requires the new format. This is easy on a capability-based platform.
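
The data flow of that box, as an added sketch that is not Microsoft's code or part of the original essay: the old reader runs in a child process whose only product is a byte stream, and a strict reader of the new format decides whether those bytes become a document. The formats (`OLD1:`, the `EVIL:` marker that models a subverted parser, the JSON "modern" format) and all function names are made up for illustration, and an ordinary process is only a stand-in for real capability confinement.

```python
import json, subprocess, sys

# Constructed stand-in for the old import code. "OLD1:" marks a legitimate old
# document; "EVIL:" models a subverted parser whose output the attacker chooses.
LEGACY_CONVERTER = r'''
import json, sys
data = sys.stdin.buffer.read()
if data.startswith(b"EVIL:"):
    sys.stdout.buffer.write(data[5:])
elif data.startswith(b"OLD1:"):
    json.dump({"format": "modern-1", "text": data[5:].decode("latin-1")}, sys.stdout)
else:
    sys.exit(3)
'''
MAX_OUTPUT = 1 << 20  # the modern reader refuses anything larger

def read_modern(raw):
    """The non-gullible modern reader: exact keys, exact types, bounded size."""
    if len(raw) > MAX_OUTPUT:
        raise ValueError("output too large")
    doc = json.loads(raw.decode("utf-8"))
    if not isinstance(doc, dict) or set(doc) != {"format", "text"}:
        raise ValueError("unexpected structure")
    if doc["format"] != "modern-1" or not isinstance(doc["text"], str):
        raise ValueError("unexpected field values")
    return doc

def import_old(data):
    """Run the old code in the box; return a modern document or None."""
    # Assumption: a child process stands in for the box. It still has the user's
    # ambient authority; on a capability platform it would hold only its two pipes.
    try:
        proc = subprocess.run([sys.executable, "-I", "-B", "-c", LEGACY_CONVERTER],
                              input=data, stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL, timeout=30)
    except subprocess.TimeoutExpired:
        return None
    if proc.returncode != 0:
        return None
    try:
        return read_modern(proc.stdout)  # the child's bytes are never trusted
    except (ValueError, RecursionError):
        return None

if __name__ == "__main__":
    for sample in (b"OLD1:Dear Sir", b"EVIL:\x00\xff junk",
                   b'EVIL:{"format":"modern-1","text":"lies"}'):
        print(sample[:12], "->", import_old(sample))
```

The last sample shows the residual case the essay accepts: a subverted converter can still hand over a well-formed document with bogus content, but nothing else.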

It is good to learn that Microsoft is systematically looking for such vulnerabilities. It would be good if they had better tools to solve these problems than deleting useful code.