random dross

Web security and beyond...

  • MashupOS

    The standard IFRAME-based isolation technique for web apps is starting to show its age. We need something better! Microsoft Research has posted a new paper scheduled to appear at SOSP '07: Protection and Communication Abstractions for Web Browsers...
  • Security Vulnerability Research & Defense blog

    My team now has a blog! http://blogs.technet.com/swi/ I'll be contributing to the team blog in the future. But don't worry -- my personal blog (this one) isn't going away!
  • The Kill-Bit FAQ - Part 1 of 3 posted to SVRD blog

    Check out my ActiveX Kill-Bit FAQ which is now being posted to the SVRD blog. There are three parts, the first of which is now live. Parts two and three should be up by the end of the week.
  • IE8 Beta 2

    If you haven’t already seen, Internet Explorer 8 Beta 2 is out – go get it! Now is a good time to thank everyone who helped make the IE8 XSS Filter a reality. This project wouldn’t have been possible without your hard work, support, leadership, guidance...
  • Lead my team!

    My team (SWI React) is hiring for a lead position. Details: Job Title: Lead Software Development Engineer Job Category: Software Development Product: Trustworthy Computing Date Posted: 02...
  • Pinning / Rebinding / Quick-Swap DNS Links

    A group at Stanford has been researching these issues and recently published Protecting Browsers from DNS Rebinding Attacks. Also, Dan Kaminsky has published his slides from Blackhat 2007, Black Ops 2007: Design Reviewing The Web.
  • Hello!

    Hi! I'm David Ross and this is my work blog. As an engineer on the Microsoft Secure Windows Initiative at Microsoft I specialize in browser and web application security.
  • Analyzing Browser Based Vulnerability Exploitation Incidents

    I've written up a paper that describes some useful tools/techniques for deconstructing web based exploits: Analyzing Browser Based Vulnerability Exploitation Incidents. The paper started as a blog entry and it remains a blog entry at its core. But...
  • Recursive Obfuscation

    Thanks to Jonathan Ness for pointing me to an example of a new obfuscation technique that attempts to thwart the eval() → alert() trick. Take a look at the following obfuscation script: 1 <script> 2 function N(F,D) 3 { 4 if (!D) D = ' "#%()-./012348...
  • eval() and document.write(), meet Execute and ExecuteGlobal

    Be on the lookout for these two VBScript statements that can be used to achieve the same effect as eval() and document.write(): Execute and ExecuteGlobal. Jonathan Ness pointed me to an exploit sample that was using Execute, presumably to trip up...
  • De-obfuscation using a standalone Javascript interpreter

    Mark Wodrich forwarded me this Websense blog post describing how to use a standalone Javascript interpreter to de-obfuscate some script. Thanks Mark!
  • Inspect Your Gadget

    Michael Howard and I have written up some guidance on how to develop secure Vista Sidebar Gadgets: Inspect Your Gadget