Part 1 of this installment discussed the unsafe nature of MultiByteToWideChar and WideCharToMultiByte.  They do not guarantee terminating strings properly.  In this installment, I want to focus on the count parameters.  There are three count parameters that warrant your attention in order...

There are a few well-known unsafe APIs in the standard C library, such as strcpy and memcpy.  These routines are unsafe as buffer and destination buffer size are not taken into consideration.  Buffer overflows may take place because destination buffer is not large enough to hold incoming data...

What are your favorite security blogs or podcasts?  Here are mine.  Please leave yours in the comment section. Podcasts Security Now ( http://www.grc.com/securitynow.htm ) CNet Security Bites ( http://securitybites.cnet.com ) Blogs Schneier on Security http://feeds.feedburner.com/schneier/fulltext...

Out of Band security patch MS08-067 is released today.  Microsoft strives to keep our monthly patch Tuesday release cycle so that enterprise administrators can plan ahead for their testing and deployment.  When out of band is released, it must be very urgent due to serious ramifications or...

Technorati Tags: Security Every second Tuesday, MSRC releases security patches for Microsoft products that have fixed vulnerabilities.  The best is to have no patches for patch Tuesdays, and many administrators can take a break from installing patches across their server farms and enterprise desktops...

As a security guy, I can safely say that there is no magic bullet to mitigate any security problems completely, and cross-site scripting(XSS) bugs are not exceptions. Since ASP.NET 1.1, ValidateRequest can be configured in web.config to check and reject dangerous inputs, and HttpRequestValidationException...

MOICE may sound like mocha on ice, but it is really a strong dark espresso shot offered by Office TWC team to jolt up security. Microsoft Office Isolated Conversion Environment (MOICE) is a new security tool that helps protect Office users from malicious documents. Office team strives to enhance their...

If you chuckle at this comic strip, congratulations! You are a security geek. If you don't chuckle, it is never too late to become one. Read my blog more, and you will become one. Thanks TechJunkie for forwarding.

Phishing attack can be caused by users inadvertently clicking on malicious links in emails or web pages, which then forward requests to malicious websites. A common phishing technique is to fake emails sent by well-known banks or merchants,, which contain malicious hyperlinks. Successful phishing attacks...

I have just published a Technet article. This is geared for administrators and developers as an introduction to web service security. It contains lots of references that allow you to deepend your knowledge of web service security. Please visit http://www.microsoft.com/technet/community/columns/sectip...

Working for Microsoft means that I become de facto technical support for my friends and family. That should be the experiences of many folks in the computer industry. When I introduce my job title as "senior security consultant" to friends and family, I get promoted to become technical and security support...

HTTP Response Splitting was discovered several years ago. It allows attackers to split a HTTP response into multiple ones by injecting malicious response HTTP headers. This attack can deface web sites, poison cache and trigger cross-site scripting. Rather than splitting responses, I want to demo how...

I was browsing IE blog articles to get research ideas. I came across IE Developer Toolbar , and decided to play with it. I was checking out different options, and it impressed me as a good web client developer tool, as it offers a breakdown of HTML elements, such as image dimension and structure validation...

Exchange 2007 RPC interfaces have retired support of various legacy RPC bindings, including AppleTalk, SPX and Banyan Vines. This exemplifies the philosophy of reducing attack surface area in the design of Exchange 2007.

I have read many articles about the benefits of using passphrases in contrast to passwords. For more details, you can read http://blogs.technet.com/robert_hensing/archive/2004/07/28/199610.aspx . I have always been convinced about the use of passphrases. First of all, it is easier to remember even...

Distribution list is used for grouping users together, and emails can be sent to all members belonging to a DL. In Exchange 2003, the default setting is that a DL accepts emails from any email addresses. It can be configured to reject external email addresses and even internal addresses. However, most...

Most folks know that cross-site scripting (XSS) bugs can be used to steal logon cookies, as this scenario is touted pretty often as a classic XSS exploit. How about an read-only site without requiring any logons, such as dictionary sites or some news sites? Since there are no logon tokens, cookies at...

I like the idea behind Extended Validation Cert a lot. It is designed to combat phishing problems. There are some well-known phishing victim sites, such as Paypal, Bank of America, EBay, etc, that would love this feature. Check out how IE7 green address bar looks like (Courtesy of Verisign) . Yes, it...

You may wonder why OWA 2007 show cert warnings by default on most browsers. At the back of your mind, Microsoft has talked so much about trustworthy computing, and they must still do not get security. Exchange team has gone back and forth on this issue many times. It is related to giving more security...

After setting up Exchange 2007 Edge and Hub, you can verify their configuration via get-TransportServer. On Edge and Hub, two anti-spam settings are important. You can use "get-TransportServer | fl name, anti*" to show the status of anti-spam related properties. Assuming that you have 1 Edge and...

I find some well-written documentation on NTLM/Kerberos and Constrained Delegation in W2k3 to share with my colleagues. They are useful as introduction and reference materials. NTLM http://davenport.sourceforge.net/ntlm.html Kerberos http://www.microsoft.com/msj/0899/kerberos/kerberos.aspx Constrained...

The concept of LDAP injection is similar to SQL injection, except that the target is Active Directory or any LDAP server. The idea is to inject untrusted data into a LDAP query by malicious users. Here comes a paper to explain that. http://www.spidynamics.com/support/whitepapers/LDAPinjection.pdf