Eugene Siu's Thoughts on Security

Share my latest security research and techniques

Browse by Tags

Tagged Content List
  • Blog Post: (In)Security of MultiByteToWideChar and WideCharToMultiByte (Part 2)

    Part 1 of this installment discussed the unsafe nature of MultiByteToWideChar and WideCharToMultiByte.  They do not guarantee terminating strings properly.  In this installment, I want to focus on the count parameters.  There are three count parameters that warrant your attention in order...
  • Blog Post: (In)Security of MultiByteToWideChar and WideCharToMultiByte (Part 1)

    There are a few well-known unsafe APIs in the standard C library, such as strcpy and memcpy.  These routines are unsafe as buffer and destination buffer size are not taken into consideration.  Buffer overflows may take place because destination buffer is not large enough to hold incoming data...
  • Blog Post: My favorite security blogs and podcasts

    What are your favorite security blogs or podcasts?  Here are mine.  Please leave yours in the comment section. Podcasts Security Now ( http://www.grc.com/securitynow.htm ) CNet Security Bites ( http://securitybites.cnet.com ) Blogs Schneier on Security http://feeds.feedburner.com/schneier/fulltext...
  • Blog Post: “Out of Band” security patch MS08-067

    Out of Band security patch MS08-067 is released today.  Microsoft strives to keep our monthly patch Tuesday release cycle so that enterprise administrators can plan ahead for their testing and deployment.  When out of band is released, it must be very urgent due to serious ramifications or...
  • Blog Post: What is unique about patch Tuesday of October 2008?

    Technorati Tags: Security Every second Tuesday, MSRC releases security patches for Microsoft products that have fixed vulnerabilities.  The best is to have no patches for patch Tuesdays, and many administrators can take a break from installing patches across their server farms and enterprise desktops...
  • Blog Post: ASP.NET ValidateRequest does not mitigate XSS completely

    As a security guy, I can safely say that there is no magic bullet to mitigate any security problems completely, and cross-site scripting(XSS) bugs are not exceptions. Since ASP.NET 1.1, ValidateRequest can be configured in web.config to check and reject dangerous inputs, and HttpRequestValidationException...
  • Blog Post: Is Microsoft Office Isolated Conversion Environment(MOICE) mocha on ice?

    MOICE may sound like mocha on ice, but it is really a strong dark espresso shot offered by Office TWC team to jolt up security. Microsoft Office Isolated Conversion Environment (MOICE) is a new security tool that helps protect Office users from malicious documents. Office team strives to enhance their...
  • Blog Post: True test of a security geek

    If you chuckle at this comic strip, congratulations! You are a security geek. If you don't chuckle, it is never too late to become one. Read my blog more, and you will become one. Thanks TechJunkie for forwarding.
  • Blog Post: System.URI.AbsolutePath Vs Phishing Attack

    Phishing attack can be caused by users inadvertently clicking on malicious links in emails or web pages, which then forward requests to malicious websites. A common phishing technique is to fake emails sent by well-known banks or merchants,, which contain malicious hyperlinks. Successful phishing attacks...
  • Blog Post: Web Service Security Guidance

    I have just published a Technet article. This is geared for administrators and developers as an introduction to web service security. It contains lots of references that allow you to deepend your knowledge of web service security. Please visit http://www.microsoft.com/technet/community/columns/sectip...
  • Blog Post: Anti-Malware and Spyware help for home users

    Working for Microsoft means that I become de facto technical support for my friends and family. That should be the experiences of many folks in the computer industry. When I introduce my job title as "senior security consultant" to friends and family, I get promoted to become technical and security support...
  • Blog Post: HTTP Header Injection Vulnerabilities

    HTTP Response Splitting was discovered several years ago. It allows attackers to split a HTTP response into multiple ones by injecting malicious response HTTP headers. This attack can deface web sites, poison cache and trigger cross-site scripting. Rather than splitting responses, I want to demo how...
  • Blog Post: IE Developer Toolbar helps me hack

    I was browsing IE blog articles to get research ideas. I came across IE Developer Toolbar , and decided to play with it. I was checking out different options, and it impressed me as a good web client developer tool, as it offers a breakdown of HTML elements, such as image dimension and structure validation...
  • Blog Post: Exchange 2007 RPC interfaces are locked down

    Exchange 2007 RPC interfaces have retired support of various legacy RPC bindings, including AppleTalk, SPX and Banyan Vines. This exemplifies the philosophy of reducing attack surface area in the design of Exchange 2007.
  • Blog Post: My first passphrase

    I have read many articles about the benefits of using passphrases in contrast to passwords. For more details, you can read http://blogs.technet.com/robert_hensing/archive/2004/07/28/199610.aspx . I have always been convinced about the use of passphrases. First of all, it is easier to remember even...
  • Blog Post: Distribution List is more locked down in Exchange 2007 to reduce spam

    Distribution list is used for grouping users together, and emails can be sent to all members belonging to a DL. In Exchange 2003, the default setting is that a DL accepts emails from any email addresses. It can be configured to reject external email addresses and even internal addresses. However, most...
  • Blog Post: Is anonymous read-only site immune to XSS?

    Most folks know that cross-site scripting (XSS) bugs can be used to steal logon cookies, as this scenario is touted pretty often as a classic XSS exploit. How about an read-only site without requiring any logons, such as dictionary sites or some news sites? Since there are no logon tokens, cookies at...
  • Blog Post: I am excited about EV Cert

    I like the idea behind Extended Validation Cert a lot. It is designed to combat phishing problems. There are some well-known phishing victim sites, such as Paypal, Bank of America, EBay, etc, that would love this feature. Check out how IE7 green address bar looks like (Courtesy of Verisign) . Yes, it...
  • Blog Post: Why do browsers show cert warnings for Outlook Web Access 2007 by default?

    You may wonder why OWA 2007 show cert warnings by default on most browsers. At the back of your mind, Microsoft has talked so much about trustworthy computing, and they must still do not get security. Exchange team has gone back and forth on this issue many times. It is related to giving more security...
  • Blog Post: Don't believe that anti-spam is disabled

    After setting up Exchange 2007 Edge and Hub, you can verify their configuration via get-TransportServer. On Edge and Hub, two anti-spam settings are important. You can use "get-TransportServer | fl name, anti*" to show the status of anti-spam related properties. Assuming that you have 1 Edge and...
  • Blog Post: About NTLM/Kerberos and Constrained Delegation in W2k3

    I find some well-written documentation on NTLM/Kerberos and Constrained Delegation in W2k3 to share with my colleagues. They are useful as introduction and reference materials. NTLM http://davenport.sourceforge.net/ntlm.html Kerberos http://www.microsoft.com/msj/0899/kerberos/kerberos.aspx Constrained...
  • Blog Post: About LDAP injection

    The concept of LDAP injection is similar to SQL injection, except that the target is Active Directory or any LDAP server. The idea is to inject untrusted data into a LDAP query by malicious users. Here comes a paper to explain that. http://www.spidynamics.com/support/whitepapers/LDAPinjection.pdf
Page 1 of 1 (22 items)