Blog - About

About David LeBlanc's Web Log

This blog is about whatever security topics come to mind, and may occasionally wander off into other areas, like arcane C++ tricks. I'll primarily cover techniques to achieve more secure code, how to use some of the more interesting facets of the Windows operating system, and sometimes my thoughts about the general state of Internet security.

  • David LeBlanc's Web Log

    It Might Not Be A Vulnerability If…

    • 3 Comments
    There's some things that just aren't vulnerabilities. If the exploit starts with "First become admin…", it might not be a vulnerability. Likewise, if the exploit starts with "First, you steal the computer, boot a rogue operating system, and then, BWAHAHAHAHA...
  • David LeBlanc's Web Log

    Crashes Are Bad, OK?

    • 3 Comments
    It's interesting to see what happens when you get slashdotted… Let's go back and see what I said in the first place, and let me elaborate just a little – if the code crashes, we have roughly the following scenarios: It's exploitable, customers aren...
  • David LeBlanc's Web Log

    Word 2007 Blog Feature’s Password Handling

    • 3 Comments
    I knew about the blog feature – hard not to notice when every time you go to make a new document, it gives you the option of making a blog post. I'd known about it for quite a while, as I was part of the group reviewing the threat model. Last night was...
  • David LeBlanc's Web Log

    USB Virtual PC’s

    • 3 Comments
    I was browsing the news this morning, and ran across an article - Virtual PCs add new layer of security . They claim: MojoPac virtual PCs are not just designed for mobile use. They can protect users who share the same computer. A virus introduced by...
  • David LeBlanc's Web Log

    Terminating your app on heap corruption

    • 3 Comments
    Michael Howard has a FAQ on this here – there's also more information on this and related defenses in one of my chapters in Writing Secure Code for Windows Vista. One of the things I'd like to point out about enabling this, and several other defenses...
  • David LeBlanc's Web Log

    Templatized Min/Max is a bad idea!

    • 3 Comments
    Ah, back to nice geeky C++ programming topics, which is much more fun than angry customer topics… Some well-meaning soul wrote this: template<typename T, typename U> T TMax(T t, U u){ return t > u ? t : u; } Let me count the bugs – first...
  • David LeBlanc's Web Log

    Improvements in Office Security

    • 3 Comments
    We now have a pretty neat internal web site where I can easily search for CVE entries and bulletin counts by product. It shows some interesting trends that I hope will continue to hold. First, let me preface this by saying that CVE entry count is a better...
  • David LeBlanc's Web Log

    Yikes! Vista Security to be Obliterated!

    • 3 Comments
    Just picked up this link from Robert Hensing's blog - http://www.builderau.com.au/news/soa/Vista-security-to-be-obliterated-at-Black-Hat/0,339028227,339290040,00.htm . Seems Mark Dowd is going to be doing a presentation on how to bypass some of the defenses...
  • David LeBlanc's Web Log

    Lies, Damn Lies, Information Leaks, and Statistics

    • 3 Comments
    Robert Hensing posted some criticism of a study that purported to analyze how many users are at risk due to using out of date or unpatched browsers. Rob rightfully points out that you can actually be running a very old version of IE (depending on OS)...
  • David LeBlanc's Web Log

    Office 2010 Digital Signatures and XAdES

    • 3 Comments
    Shelley Gu, the program manager for Office signatures, has already posted the PM version of what we've done to improve digital signatures in the Office 2010 Engineering blog back in December. Her post is here . While Shelley did a nice job of an overview...
  • David LeBlanc's Web Log

    Another technique for Fixing DLL Preloading attacks

    • 3 Comments
    Back in February, 2008, I posted on DLL preloading attacks and how to avoid them here . It seems that the problem has recently gotten a lot of attention – currently called "Binary Planting". You can read more about that at the MSRC blog , the SWI...
  • David LeBlanc's Web Log

    Compilers, Integers and Optimizations

    • 2 Comments
    I've had a good bit of fun (for some value of fun) with hardening SafeInt against what I consider to be some nasty compiler tricks. The problem is that as soon as the compiler hits something that's technically undefined by the C++ standard, they're actually...
  • David LeBlanc's Web Log

    Legacy RC4 Example on Codeplex

    • 2 Comments
    Just a quick note on this – a customer had a question about the old RC4 40-bit encryption yesterday, and this prodded me into taking some memory dumps of intermediate steps and figuring out where my own example code wasn't working. Fortunately, it wasn...
  • David LeBlanc's Web Log

    Office 2007 SP2 Encryption Settings

    • 2 Comments
    Now that we've actually shipped SP2, some of you may be curious about how to use the shiny new encryption. Here's the registry settings: Registry keys Base keys (also corresponding Policy keys) HKCU\Software\Microsoft...
  • David LeBlanc's Web Log

    MS-Offcrypto Examples

    • 2 Comments
    In response to some questions I've gotten about details of MS-OFFCRYPTO, I've created a CodePlex project to contain sample code demonstrating the documentation. You can find it at http://www.codeplex.com/offcrypto . I had originally wanted to include...
  • David LeBlanc's Web Log

    You don’t have to be faster than the bear

    • 2 Comments
    Note – this post disappeared during the blog upgrade, recovered due to search cache. Just got done reading Michal Zalewski's really interesting post on the Zero Day blog, found here. His premise, which I don't debate, is that we've done a lousy job...
  • David LeBlanc's Web Log

    More on Checking Allocations

    • 2 Comments
    Seems my last post met with some objections – somewhat rightfully so, as I mischaracterized one of Tom's points – he never advocated just not checking for allocations, but instead to use an allocator that has a non-returning error handler – though it...
  • David LeBlanc's Web Log

    Don’t Feed or Tease the Bears…

    • 2 Comments
    I've learned over the years to avoid bragging about how much more secure something is than something else. We used to have lots of these debates back at ISS. It was inevitable – whoever was going on about how their OS was more secure than your OS had...
  • David LeBlanc's Web Log

    15 Most Influential Security People

    • 2 Comments
    This isn't exactly the list I would have drawn up, and I must be having a bad year, since I'm not on it <g>, but my friend Michael Howard is on the list. You can check it out here: http://www.eweek.com/c/a/Security/The-15-Most-Influential-People...
  • David LeBlanc's Web Log

    HD vs. Blu-Ray

    • 2 Comments
    OK, so this isn't security related at all, just felt like grumbling about the latest development. If you're not interested in my thoughts on this, skip it now. A few years ago, I remodeled my basement, and took an odd room with only one window and wired...
  • David LeBlanc's Web Log

    New, Improved Office Crypto

    • 2 Comments
    If you're enough of an Office crypto geek to stay on top of the most recent changes in MS-OFFCRYPTO, you already know about some of this, but my assumption is that most people aren't going to want to parse something that hard to read. What we're doing...
  • David LeBlanc's Web Log

    Chrome Getting a Bit Rusty

    • 2 Comments
    Put this one in the rant category – I'm honored that Google has been paying attention to my blog and decided to use my sandboxing approach to try and make their app more secure. Very cool stuff, and they did some interesting things that I want to better...
  • David LeBlanc's Web Log

    DLL Preloading Attacks

    • 2 Comments
    A DLL preloading attack is something that can get you on a lot of different platforms. One of the first variants I heard about was in an ancient telnet daemon on certain versions of UNIX where you could specify environment variables, and one of the things...
  • David LeBlanc's Web Log

    A good reason to install SP3

    • 2 Comments
    If you haven't already seen this , take a look. A brief quote: Microsoft Security Advisory (947563) Vulnerability in Microsoft Excel Could Allow Remote Code Execution Published: January 15, 2008 Microsoft is investigating new public reports of...
  • David LeBlanc's Web Log

    Office 2003 SP3

    • 2 Comments
    We've just released SP3 for Office 2003, and it's been a lot of work. We're releasing a bit more in this service release than we normally do, but this is part of our response to the current security environment. I joined Office at the very start of the...
Page 2 of 4 (94 items) 1234