
About David LeBlanc's Web Log

This blog is about whatever security topics come to mind, and may occasionally wander off into other areas, like arcane C++ tricks. I'll primarily cover techniques to achieve more secure code, how to use some of the more interesting facets of the Windows operating system, and sometimes my thoughts about the general state of Internet security.


    Checking Allocations & Potential for Int Mayhem

    • 1 Comments
    Must be synchronicity. I started out the day with a really interesting mail from Chris Wysopal talking about how allocations can go wrong, fun with signed int math, and the new[] operator. Once I got done responding to Chris, I then noticed Robert Hensing...

    New “Improved” Site

    • 1 Comments
    Hrmph. So they managed to disappear my last post, and now my blog looks really generic. I liked the way it used to look, thankyouverymuch. Then I discovered that while Word on my laptop somehow knew the right password, I didn't have it written down...

    Before We Had MSRC

    • 1 Comments
    Just ran into a post by Gene Schultz - http://blog.emagined.com/2009/07/21/trouble-brewing-in-the-cloud/ - I first ran into Gene when I worked back at ISS – interesting guy. I think we share some of the same concerns about the security of moving things...

    Don’t Use Office RC4 Encryption. Really. Just don’t do it.

    • 1 Comments
    Yesterday, a BlackHat Europe presentation on Office 2003 encryption was brought to my attention. Seems that Eric Filiol has done quite a bit of work to recover RC4 encrypted Office documents using an issue that was brought to our attention in 2004. Eric...

    CVE Count and Statistics

    • 1 Comments
    Larry Seltzer had some interesting comments on my post about the rate of Office vulnerabilities at Vulnerabilities and Office Versions There may be a little flaw in the analysis in that LeBlanc studied reports during the period from 9/18/2007 to...

    Acrobat is Getting a Sandbox

    • 1 Comments
    We've been helping Adobe to get a sandbox going which is similar to what we used in Office 2010 for Protected View. Their blog post about it is Introducing Adobe Reader Protected Mode. I'm excited that the sandboxing approaches that we've pioneered in...

    MS10-048 – Getting the Math Right

    • 1 Comments
    The Security Research and Defense blog detailed an integer overflow here. The code looks like this: case DBT_DEVTYP_PORT: pPortW = (PDEV_BROADCAST_PORT_W)lParam; if ((1+wcslen( pPortW->dbcp_name ))*sizeof(WCHAR) + FIELD_OFFSET(DEV_BROADCAST_PORT_W...

    DSig Q & A

    • 0 Comments
    I'm going to cover the answers to some of the questions that came in after Shelley answered the first round in her post. Q: What will happen if I try to verify a doc signed in 2010 in office 2007/Office 2007 ? A: I'm assuming that the person asking...

    Bugs and Consequences

    • 0 Comments
    I've been meaning to write about overzealous compilers, and nice geeky things, but I'm going to use this forum to vent a bit. When I make a bug that messes up a customer, I generally have to fix it. I'm fairly often face to face with the customer, and...

    MS-Offcrypto Example Update

    • 0 Comments
    Just a quick note that I've updated the examples. I added an example for the CAPI RC4 encryption that does work. Along the way, I got smarter about managed C++ and C# interop, which turned out to be a bit of an adventure. I didn't find the documentation...

    Office Crypto KDF Details

    • 0 Comments
    I've gotten a couple of questions asking how our key derivation function works. The technique is very similar to that described in RFC 2898, also known as PKCS #5. There are two key derivation functions (KDF) documented in this RFC – PBKDF1 and PBKDF2...

    Why can't you comment?

    • 0 Comments
    This is because $#@!!!! spammers can screw up anything. I have to disallow anonymous comments, or I get a bazillion blog spam comments, I check comments a week later, and there's 200 of these that I can only delete 10-20 at a time. Annoying to say the...

    More Checking for Pointer Math

    • 0 Comments
    Someone pointed out that it isn't sufficient to check for whether the pointer math wrapped, but that we also need to check that the resulting pointer is in our buffer. They then came to the possibly erroneous conclusion that really all you had to do was...

    Unsafe String Handling with strncpy

    • 0 Comments
    I recently ran into a piece of code that looked like this: int len = cchIn; strncpy(dest, src, len - 1); This is bad, because strncpy is defined as so: char *strncpy( char * strDest , const char * strSource , size_t count ); The original...

    Couple of good posts

    • 0 Comments
    The SDL blog has some good comments - http://blogs.msdn.com/sdl/archive/2008/01/29/sexy-development-lifecycle.aspx For the last several years, there was the Software Security Summit conference where developers could come to learn about security. The...

    Misc Ramblings

    • 0 Comments
    Sorry about not posting recently – been distracted by a bunch of stuff. One of the more fun distractions was riding my horse for 100 miles over 2 days on June 2 and 3. We completed looking good despite the fact it was over 100 degrees during the afternoon...

    Some Failures Are Better Than Others

    • 0 Comments
    I was presenting at the Software Security Summit yesterday – good little conference. It's a shame that conferences that show off ways to be a problem draw huge crowds, and this one is all about being part of the solution, but it's still really small after...

    Security Dependencies Follow-up

    • 0 Comments
    Someone asked how dependencies should be handled if you're depending on another team at the same company. As you may well imagine, this is a very common issue here – for example, a bunch of apps we ship use SharePoint as a platform, which in turn uses...

    More on C++ code auditing

    • 0 Comments
    Just now had a chance to take a look at the presentation I referenced last post. It's fairly long and detailed, but worth a thorough reading. You can grab it here: http://taossa.com/ Someone commented on my last post that this stuff should be obvious...