An interesting article for you.
Today's focus: Gremlins in software features

By M. E. Kabay

In English and Irish tradition, one could propitiate elves and sprites and gremlins by feeding them savory foods such as milk and cookies to avoid their tricks. Sometimes I think those little critters have found new homes in our most-used software.

Microsoft Office products have been known to change input data unexpectedly. Sometimes these changes were frankly bugs. For example, one of the most serious silent transformations used to occur (it doesn't any more) when trying to copy and paste data from one Excel spreadsheet workbook into another; the copied data would be truncated to whatever the number of visible decimal places was in the source document. Thus if 1.23456 were shown as 1.23 in the original cell, then copying it and pasting it into a different file would result in the number 1.230000. Again, this is no longer the case if you are up to date in your patches.

But in today's column, I want to talk about features, not bugs. As readers know, I define security to involve protection of confidentiality, control, integrity, authenticity, availability and utility of information. Within this framework, a poorly designed or poorly documented or poorly understood feature can be as bad as a bug from a security standpoint.

Let's go back to Excel. In a couple of issues of the RISKS Forum Digest last year (21.94 and 21.95), two correspondents reported mysterious changes to their data in Office applications. For example, both found that grades they were entering into spreadsheets were being modified (e.g., A became A-); one found that incorrect spellings were being forced, even into e-mail addresses. One complained about mysterious lines and bullets appearing in his text. Everything the correspondents described is controlled through options available through the Tools menu item in Office products.

Both correspondents illustrate the dangers resulting from the nefarious combination of:

* bloatware with
* poor user interface design and
* inadequate training.