Eugene Siu's Thoughts on Security
Share my latest security research and techniques
(In)Security of MultiByteToWideChar and WideCharToMultiByte (Part 2)
Posted over 4 years ago by Eugene Security | Comments: 1
Part 1 of this installment discussed the unsafe nature of MultiByteToWideChar and WideCharToMultiByte. They do not guarantee terminating strings properly. In this installment, I want to focus on the count parameters. There are three...
(In)Security of MultiByteToWideChar and WideCharToMultiByte (Part 1)
Posted over 4 years ago by Eugene Security | Comments: 1
There are a few well-known unsafe APIs in the standard C library, such as strcpy and memcpy. These routines are unsafe as buffer and destination buffer size are not taken into consideration. Buffer overflows may take place because destination...
My favorite security blogs and podcasts
Posted over 4 years ago by Eugene Security | Comments: 1
What are your favorite security blogs or podcasts? Here are mine. Please leave yours in the comment section.
Podcasts
* Security Now ( http://www.grc.com/securitynow.htm )
* CNet Security Bites ( http://securitybites.cnet.com )
Blogs
* Schneier...
“Out of Band” security patch MS08-067
Posted over 4 years ago by Eugene Security | Comments: 1
Out of Band security patch MS08-067 is released today. Microsoft strives to keep our monthly patch Tuesday release cycle so that enterprise administrators can plan ahead for their testing and deployment. When out of band is released, it must...
What is unique about patch Tuesday of October 2008?
Posted over 4 years ago by Eugene Security | Comments: 0
Every second Tuesday, MSRC releases security patches for Microsoft products that have fixed vulnerabilities. The best is to have no patches for patch Tuesdays, and many administrators can take a break from installing patches...
<script>alert()</script>
Posted over 4 years ago by Eugene Security | Comments: 1
<script>alert()</script>
Troubleshooting Networking and IPSec Issues
Posted over 5 years ago by Eugene Security | Comments: 1
I had a very strange networking issue last weekend. After connecting to corpnet via VPN and direct hookup, I was able to ping all remote servers, but was not able to do anything, such as web browsing and remote desktop. It was not the first time that...
ASP.NET ValidateRequest does not mitigate XSS completely
Posted over 5 years ago by Eugene Security | Comments: 5
As a security guy, I can safely say that there is no magic bullet to mitigate any security problems completely, and cross-site scripting (XSS) bugs are no exception. Since ASP.NET 1.1, ValidateRequest can be configured in web.config to check and reject...
Read Office Files as ZIP
Posted over 5 years ago by Eugene Security | Comments: 1
It is interesting to me that Office 2007 Metro formats can be broken down as a ZIP file. To see this in action, you can pick an Office 2007 Metro file, such as XLSX and DOCX, and rename its extension with ZIP. Then open the renamed file with WINZIP. You...
Is Microsoft Office Isolated Conversion Environment(MOICE) mocha on ice?
Posted over 5 years ago by Eugene Security | Comments: 2
MOICE may sound like mocha on ice, but it is really a strong dark espresso shot offered by Office TWC team to jolt up security. Microsoft Office Isolated Conversion Environment (MOICE) is a new security tool that helps protect Office users from malicious...
True test of a security geek
Posted over 5 years ago by Eugene Security | Comments: 2
If you chuckle at this comic strip, congratulations! You are a security geek. If you don't chuckle, it is never too late to become one. Read my blog more, and you will become one. Thanks TechJunkie for forwarding.
Given enough eyeballs all bugs are shallow: True or False?
Posted over 5 years ago by Eugene Security | Comments: 2
"Given enough eyeballs all bugs are shallow." I do agree if more right-minded folks look at a piece of code, it would help identify both security and non-security bugs. This premise is built on the assumption that all reviewers have the best intentions...
System.URI.AbsolutePath Vs Phishing Attack
Posted over 5 years ago by Eugene Security | Comments: 2
Phishing attacks can be caused by users inadvertently clicking on malicious links in emails or web pages, which then forward requests to malicious websites. A common phishing technique is to fake emails sent by well-known banks or merchants, which contain...
Web Service Security Guidance
Posted over 5 years ago by Eugene Security | Comments: 3
I have just published a Technet article. This is geared for administrators and developers as an introduction to web service security. It contains lots of references that allow you to deepen your knowledge of web service security. Please visit http:/...
More eyeballs for .Net Framework code
Posted over 5 years ago by Eugene Security | Comments: 2
Microsoft will open up source code of .Net Framework to the public. It allows outsiders to review what is under the hood, and enables easier debugging of development projects around .Net Framework. .Net Framework code has been reviewed heavily, and developers...
Anti-Malware and Spyware help for home users
Posted over 5 years ago by Eugene Security | Comments: 1
Working for Microsoft means that I become de facto technical support for my friends and family. That should be the experiences of many folks in the computer industry. When I introduce my job title as "senior security consultant" to friends and family...
HTTP Header Injection Vulnerabilities
Posted over 5 years ago by Eugene Security | Comments: 1
HTTP Response Splitting was discovered several years ago. It allows attackers to split an HTTP response into multiple ones by injecting malicious response HTTP headers. This attack can deface web sites, poison cache and trigger cross-site scripting. Rather...
Reset Outlook connections without restart
Posted over 5 years ago by Eugene Security | Comments: 1
This is a well hidden trick in Outlook. Not sure why this needs to be hidden. You can open Connection Status window by holding CTRL + right-clicking on the Outlook system tray icon on the Task Bar. I want to highlight a couple features: * Reset all connections...
Silverlight security MSDN magazine article
Posted over 5 years ago by Eugene Security | Comments: 1
I have submitted an article proposal to MSDN to write about Silverlight security with my buddy in Silverlight team. If this proposal gets accepted, you will see the article on MSDN magazine soon. Abstract: Silverlight is the latest cross-browser and cross...
Just learned how to cross-post via MetaWeblog API
Posted over 5 years ago by Eugene Security | Comments: 0
I work for ACE team, and want to cross-post from http://blogs.msdn.com/esiu to http://blogs.msdn.com/ace_team . Community Server supports MetaWeblog API, but I am not able to figure out how to configure cross-posting. After a few tries, I am able to cross...
IE Developer Toolbar helps me hack
Posted over 5 years ago by Eugene Security | Comments: 1
I was browsing IE blog articles to get research ideas. I came across IE Developer Toolbar, and decided to play with it. I was checking out different options, and it impressed me as a good web client developer tool, as it offers a breakdown of HTML elements...
Exchange 2007 RPC interfaces are locked down
Posted over 5 years ago by Eugene Security | Comments: 1
Exchange 2007 RPC interfaces have retired support of various legacy RPC bindings, including AppleTalk, SPX and Banyan Vines. This exemplifies the philosophy of reducing attack surface area in the design of Exchange 2007.
My first passphrase
Posted over 5 years ago by Eugene Security | Comments: 1
I have read many articles about the benefits of using passphrases in contrast to passwords. For more details, you can read http://blogs.technet.com/robert_hensing/archive/2004/07/28/199610.aspx . I have always been convinced about the use of passphrases...
Distribution List is more locked down in Exchange 2007 to reduce spam
Posted over 5 years ago by Eugene Security | Comments: 1
Distribution list is used for grouping users together, and emails can be sent to all members belonging to a DL. In Exchange 2003, the default setting is that a DL accepts emails from any email addresses. It can be configured to reject external email addresses...
Thou shall tune your Blackjack
Posted over 5 years ago by Eugene Security | Comments: 0
Default Blackjack settings from Cingular have the following problems:
* Battery life is short because frequent sync drains too much battery
* Dropped calls happen often due to network transition from 3G to Edge
In order to make your new Blackjack...