David LeBlanc's Web Log
Securing Existing Code
Posted over 6 years ago by david_leblanc | Comments: 4
Just read Michael Howard's post about differentiating secure features, security features and security response, found at http://blogs.msdn.com/sdl/archive/2007/12/17/security-is-not-all-about-security-updates.aspx , and wanted to offer some counterpoints...
How to cause a regression
Posted over 6 years ago by david_leblanc | Comments: 2
This one isn't really security related, except that we security people often want to get rid of old stuff because it's sometimes easier to disable it than to make it really robust. If only a few people use it, good attack surface reduction practices tell...
More on Sandboxing – Network Implications
Posted over 6 years ago by david_leblanc | Comments: 1
Larry Osterman's post (er, rant) (found here - http://blogs.msdn.com/larryosterman/archive/2007/11/02/chris-pirillo-s-annoyed-by-the-windows-firewall-prompt.aspx ) about someone's gripe with Firefox and the firewall caused me to remember to add to the...
Writing Secure Code 3
Posted over 6 years ago by david_leblanc | Comments: 1
It seems like every time I've gone out in public recently, I've been asked when we were going to update Writing Secure Code 2. I've been seeing comments about it along the lines of "Good, but dated." Ouch. It has been a while – we published WSC2 in 2002...
Checking Password Complexity
Posted over 6 years ago by david_leblanc | Comments: 2
Michael put some sample code into WSC2 that showed people how to check passwords using the NetValidatePasswordPolicy API. It's a very flexible API, and it's meant to handle situations where an app maintains its own password database, like SQL Server....
Safebool
Posted over 6 years ago by david_leblanc | Comments: 1
My last post triggered a couple of responses and a URL I thought would be good to not get lost in the comments. Check out http://www.artima.com/cppsource/safebool.html . As I was saying a couple of posts ago, the right tool is usually situational....
C++ operator overloading trivia
Posted over 6 years ago by david_leblanc | Comments: 3
Learned something interesting this week that I'll be working into SafeInt 3. It all started out because if you declare a SafeInt class instance, and then try to use it as an array index, the compiler can't figure out which of the several available integer...
On the Other Hand…
Posted over 6 years ago by david_leblanc | Comments: 2
In my previous post on threat models, I pointed out situations where TM's are either a complete waste of time, or maybe we've got bigger problems than design issues. To add a little balance and reinforce one of the points I was trying to make, let's look...
Blog Comment Spam is Really, Really, Really Annoying
Posted over 6 years ago by david_leblanc | Comments: 2
I keep getting spam from some bunch of (expletives deleted) as comments to the blog. It's all: Nice. Interesting. Cool! With some bogus URL they're trying to get people to click on, from weird pseudo-Greek names mostly ending in 'os'. They...
Threat Modeling the Bold Button is Boring
Posted over 6 years ago by david_leblanc | Comments: 8
I've been reading Larry Osterman's blog lately – he's a smart guy, and one of the very first people at Microsoft I ever met (virtually anyway – it was years before we met in person). Larry came to my defense when Seattle Lab tried to tell us that Windows...
Office 2003 SP3
Posted over 6 years ago by david_leblanc | Comments: 2
We've just released SP3 for Office 2003, and it's been a lot of work. We're releasing a bit more in this service release than we normally do, but this is part of our response to the current security environment. I joined Office at the very start of the...
DREAD and the PHB
Posted over 6 years ago by david_leblanc | Comments: 1
Sometimes when I present about secure programming practices, I emphasize education for PM's, testers, and devs, for obvious reasons. Then there's the hard part – educating management. You really have to be able to do that – you need to spend time on security...
DREADful
Posted over 6 years ago by david_leblanc | Comments: 8
Both the STRIDE and DREAD systems Michael and I documented in Writing Secure Code have been criticized quite a bit. Neither of them were developed with any real academic rigor, and from a scientific standpoint, neither of them tend to hold up very well...
More on C++ code auditing
Posted over 6 years ago by david_leblanc | Comments: 0
Just now had a chance to take a look at the presentation I referenced last post. It's fairly long and detailed, but worth a thorough reading. You can grab it here: http://taossa.com/ Someone commented on my last post that this stuff should be obvious...
Avoiding C++ vulnerabilities
Posted over 6 years ago by david_leblanc | Comments: 4
Just returned from Blackhat – it always seems that the presentations I most want to see happen at the same time as I'm scheduled to talk. Neel Mehta, John McDonald and Mark Dowd were talking about finding exploitable C++ specific flaws, and I was only...
Practical Windows Sandboxing – Part 3
Posted over 6 years ago by david_leblanc | Comments: 5
The third tool we need in order to create a sandboxed app is a desktop. We've said in many places that the desktop is a security boundary. Unfortunately, there's little real security within a desktop – and this isn't something unique to Windows – the...
Practical Windows Sandboxing, Part 2
Posted over 6 years ago by david_leblanc | Comments: 4
Once you have a process in a restricted token, the next tool you can use to limit what it can do is a job object. Like restricted tokens, these shipped in Windows 2000. A job object is similar to how ulimits work on UNIX(ish) OS's, but don't do some of...
Logon ID SIDs
Posted over 6 years ago by david_leblanc | Comments: 1
I've mentioned logon ID SIDs a couple of times, but they're fairly arcane. I first ran into them when I was exploring just what was in a process token, and a group SID came up that I wasn't familiar with. Here's how a SID is defined: typedef struct...
Practical Windows Sandboxing – Part 1
Posted over 6 years ago by david_leblanc | Comments: 1
I've written more than once about how interesting restricted tokens are – the earliest article was on Mark Edward's Windows Security web site. Unless it's been taken down recently, the article and source code are still there. In the nearly 8 years since...
Security Dependencies Follow-up
Posted over 6 years ago by david_leblanc | Comments: 0
Someone asked how dependencies should be handled if you're depending on another team at the same company. As you may well imagine, this is a very common issue here – for example, a bunch of apps we ship use SharePoint as a platform, which in turn uses...
Process Tokens and Default DACLs
Posted over 6 years ago by david_leblanc | Comments: 1
I ran up on something the other day that isn't very well documented in one place. When you're dealing with restricted tokens, and in a few other limited scenarios, the default DACL on the process token becomes important. We can look at the default DACL...
Security Dependencies
Posted over 6 years ago by david_leblanc | Comments: 3
There's been an interesting little tempest in a teapot going on WRT IE and Firefox. I in general don't pay a whole lot of attention to the browser vuln du jour, but this one caught my eye - http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId...
Misc Ramblings
Posted over 6 years ago by david_leblanc | Comments: 0
Sorry about not posting recently – been distracted by a bunch of stuff. One of the more fun distractions was riding my horse for 100 miles over 2 days on June 2 and 3. We completed looking good despite the fact it was over 100 degrees during the afternoon...
More on Exception Handlers
Posted over 6 years ago by david_leblanc | Comments: 2
Sitting here at "Blue Hat" watching David Maynor present – pretty cool working for a company that can host its own security conference just to educate employees… A comment just came in that was a good question, and deserves a detailed answer – Arkon...
New File Converter Coming Soon
Posted over 6 years ago by david_leblanc | Comments: 11
You might have recently heard something about the new "Microsoft Office Isolated Conversion Environment", a tool we are providing to help protect Office 2003 users from malicious content in Office files. You might be asking yourself what it is, and why...
Page 3 of 4 (94 items)