About David LeBlanc's Web Log

This blog is about whatever security topics come to mind, and may occasionally wander off into other areas, like arcane C++ tricks. I'll primarily cover techniques to achieve more secure code, how to use some of the more interesting facets of the Windows operating system, and sometimes my thoughts about the general state of Internet security.

  • David LeBlanc's Web Log

    Office SP3 and File formats

    • 14 Comments
    In Office 2007, we changed the default to disable a number of older file formats where we saw very low usage and a high security risk in our code that loads these formats. From the security standpoint, this is the right thing to do. From the data we have...
  • David LeBlanc's Web Log

    More on Exception Handlers

    • 2 Comments
    Sitting here at "Blue Hat" watching David Maynor present – pretty cool working for a company that can host its own security conference just to educate employees… A comment just came in that was a good question, and deserves a detailed answer – Arkon...
  • David LeBlanc's Web Log

    How to cause a regression

    • 2 Comments
    This one isn't really security related, except that we security people often want to get rid of old stuff because it's sometimes easier to disable it than to make it really robust. If only a few people use it, good attack surface reduction practices tell...
  • David LeBlanc's Web Log

    Practical Windows Sandboxing – Part 1

    • 1 Comment
    I've written more than once about how interesting restricted tokens are – the earliest article was on Mark Edward's Windows Security web site. Unless it's been taken down recently, the article and source code are still there. In the nearly 8 years since...
  • David LeBlanc's Web Log

    Ptrdiff_t is evil

    • 5 Comments
    Well, not really, but here's a code problem that confounded some really smart devs – and it looks so simple! void IncPtr( unsigned int cElements ) { if( m_pMax - m_pCurrent > cElements ) m_pCurrent += cElements; else throw; } ...
  • David LeBlanc's Web Log

    Don’t Use Office RC4 Encryption. Really. Just don’t do it.

    • 1 Comment
    Yesterday, a BlackHat Europe presentation on Office 2003 encryption was brought to my attention. Seems that Eric Filiol has done quite a bit of work to recover RC4 encrypted Office documents using an issue that was brought to our attention in 2004. Eric...
  • David LeBlanc's Web Log

    New File Converter Coming Soon

    • 11 Comments
    You might have recently heard something about the new "Microsoft Office Isolated Conversion Environment", a tool we are providing to help protect Office 2003 users from malicious content in Office files. You might be asking yourself what it is, and why...
  • David LeBlanc's Web Log

    DREADful

    • 8 Comments
    Both the STRIDE and DREAD systems Michael and I documented in Writing Secure Code have been criticized quite a bit. Neither of them were developed with any real academic rigor, and from a scientific standpoint, neither of them tend to hold up very well...
  • David LeBlanc's Web Log

    DLL Preloading Attacks

    • 2 Comments
    A DLL preloading attack is something that can get you on a lot of different platforms. One of the first variants I heard about was in an ancient telnet daemon on certain versions of UNIX where you could specify environment variables, and one of the things...
  • David LeBlanc's Web Log

    Practical Windows Sandboxing – Part 3

    • 5 Comments
    The third tool we need in order to create a sandboxed app is a desktop. We've said in many places that the desktop is a security boundary. Unfortunately, there's little real security within a desktop – and this isn't something unique to Windows – the...
  • David LeBlanc's Web Log

    Office Crypto Follies

    • 7 Comments
    What I've been working on lately that has kept me from doing nearly anything else can be found at: http://msdn.microsoft.com/en-us/library/cc313071.aspx MS-OFFCRYPTO is very detailed documentation of exactly how we do cryptography for binary and...
  • David LeBlanc's Web Log

    SafeInt 3 on CodePlex!

    • 1 Comment
    I have finally found a stable place to keep SafeInt. It can now be found at http://www.codeplex.com/SafeInt . In terms of the code, this is exactly the same stuff as we're using internally. This version is documented a little better than the master copy...
  • David LeBlanc's Web Log

    Another technique for Fixing DLL Preloading attacks

    • 3 Comments
    Back in February, 2008, I posted on DLL preloading attacks and how to avoid them here. It seems that the problem has recently gotten a lot of attention – currently called "Binary Planting". You can read more about that at the MSRC blog, the SWI...
  • David LeBlanc's Web Log

    Practical Windows Sandboxing, Part 2

    • 4 Comments
    Once you have a process in a restricted token, the next tool you can use to limit what it can do is a job object. Like restricted tokens, these shipped in Windows 2000. A job object is similar to how ulimits work on UNIX(ish) OS's, but don't do some of...
  • David LeBlanc's Web Log

    New, Improved Office Crypto

    • 2 Comments
    If you're enough of an Office crypto geek to stay on top of the most recent changes in MS-OFFCRYPTO, you already know about some of this, but my assumption is that most people aren't going to want to parse something that hard to read. What we're doing...
  • David LeBlanc's Web Log

    Improvements in Office Security

    • 3 Comments
    We now have a pretty neat internal web site where I can easily search for CVE entries and bulletin counts by product. It shows some interesting trends that I hope will continue to hold. First, let me preface this by saying that CVE entry count is a better...
  • David LeBlanc's Web Log

    Evil Compiler Tricks, and Checking for Pointer Math

    • 4 Comments
    My favorite programming geek hobby being integer overflows, this caught my eye – "gcc silently discards some wraparound checks" http://www.kb.cert.org/vuls/id/162289 Basically, what it says is that code which looks like this: ============ snip...
  • David LeBlanc's Web Log

    C++ operator overloading trivia

    • 3 Comments
    Learned something interesting this week that I'll be working into SafeInt 3. It all started out because if you declare a SafeInt class instance, and then try to use it as an array index, the compiler can't figure out which of the several available integer...
  • David LeBlanc's Web Log

    Office 2010 Digital Signatures and XAdES

    • 3 Comments
    Shelley Gu, the program manager for Office signatures, has already posted the PM version of what we've done to improve digital signatures in the Office 2010 Engineering blog back in December. Her post is here. While Shelley did a nice job of an overview...
  • David LeBlanc's Web Log

    Impersonation isn't dangerous

    • 12 Comments
    I was called to task because in Writing Secure Code for Windows Vista, I asserted that from the standpoint of a service, the impersonation privilege isn't dangerous. SeImpersonate is one of the newer privileges in Windows, and has only been put there...
  • David LeBlanc's Web Log

    Office 2003 SP3

    • 2 Comments
    We've just released SP3 for Office 2003, and it's been a lot of work. We're releasing a bit more in this service release than we normally do, but this is part of our response to the current security environment. I joined Office at the very start of the...
  • David LeBlanc's Web Log

    Office 2007 SP2 Encryption Settings

    • 2 Comments
    Now that we've actually shipped SP2, some of you may be curious about how to use the shiny new encryption. Here's the registry settings: Registry keys Base keys (also corresponding Policy keys) HKCU\Software\Microsoft...
  • David LeBlanc's Web Log

    Before We Had MSRC

    • 1 Comment
    Just ran into a post by Gene Schultz - http://blog.emagined.com/2009/07/21/trouble-brewing-in-the-cloud/ - I first ran into Gene when I worked back at ISS – interesting guy. I think we share some of the same concerns about the security of moving things...
  • David LeBlanc's Web Log

    A good reason to install SP3

    • 2 Comments
    If you haven't already seen this, take a look. A brief quote: Microsoft Security Advisory (947563) Vulnerability in Microsoft Excel Could Allow Remote Code Execution Published: January 15, 2008 Microsoft is investigating new public reports of...
  • David LeBlanc's Web Log

    Lies, Damn Lies, Information Leaks, and Statistics

    • 3 Comments
    Robert Hensing posted some criticism of a study that purported to analyze how many users are at risk due to using out of date or unpatched browsers. Rob rightfully points out that you can actually be running a very old version of IE (depending on OS)...