Tagged Content List
Blog Post: Insecure vs. Unsecured
Larry Osterman [MSFT], 6 Nov 2011
A high school classmate of mine recently posted on Facebook: Message just popped up on my screen from Microsoft, I guess. "This site has insecure content." Really? Is the content not feeling good about itself, or, perchance, did they mean "unsecured?" What the ever-lovin' ****? I...
Blog Post: Hacking Windows with Phones… I don’t get it.
Larry Osterman [MSFT], 24 Jan 2011
Over the weekend, Engadget and CNet ran a story discussing what was described as a new and novel attack using Android smartphones to attack PCs. Apparently someone took an Android smartphone and modified the phone to emulate a USB keyboard. When the Android phone was plugged into Windows, Windows...
Blog Post: Microsoft Office team deploys botnet for security research
Larry Osterman [MSFT], 1 Apr 2010
Even though it’s posted on April 1st, this is actually *not* an April Fools prank. It turns out that the Office team runs a “botnet” internally that’s dedicated to file fuzzing. Basically they have a tool that’s run on a bunch of machines that runs file fuzzing jobs in their spare time. This...
Blog Post: NextGenHacker101 owes me a new monitor
Larry Osterman [MSFT], 29 Jan 2010
Because I just got soda all over my current one… One of the funniest things I’ve seen in a while. And yes, I know that I’m being cruel here and I shouldn’t make fun of the kid’s ignorance, but he is SO proud of his new discovery and is so wrong in his interpretation of what actually is going...
Blog Post: Why are they called “giblets” anyway?
Larry Osterman [MSFT], 26 Oct 2009
Five years ago, I attended one of the initial security training courses as a part of the XP SP2 effort. I wrote this up in one of my very first posts entitled “Remember the giblets” and followed it up last year with “The Trouble with Giblets”. I use the term “giblets” a lot but I’d never...
Blog Post: Good News! strlen isn’t a banned API after all.
Larry Osterman [MSFT], 23 Jun 2009
We were doing some code reviews on the new Win7 SDK samples the other day and one of the code reviewers noticed that the code used wcslen to compute the length of a string. He pointed out that the SDL Banned API page calls out strlen/wcslen as being banned APIs: For critical functions, such as those...
Blog Post: Chrome is fixing the file download bug…
Larry Osterman [MSFT], 20 Oct 2008
I just noticed that Ryan Naraine has written that Google’s fixed the file download bug in Chrome. This is awesome, but there’s one aspect of the fix that concerns me. According to the changelog: This CL adds prompting for dangerous types of files (executable) when they are automatically downloaded...
Blog Post: What makes a bug a security bug?
Larry Osterman [MSFT], 18 Aug 2008
In my last post, I mentioned that security bugs were different from other bugs. Daniel Prochnow asked: What is the difference between bug and vulnerability? In my point of view, in a production environment, every bug that may lead to a loss event (CID, image, $) must be considered a security incident...
Blog Post: Linus Torvalds is “Fed up with the ‘security circus’”
Larry Osterman [MSFT], 15 Aug 2008
There’s been a lot of discussion on the intertubes about some comments that Linus Torvalds, the creator of Linux, has made about security vulnerabilities and disclosure. Not surprisingly, there’s been a fair amount of discussion amongst the various MSFT security folks about his comments and about the...
Blog Post: More proof that crypto should be left to the experts
Larry Osterman [MSFT], 13 May 2008
Apparently two years ago, someone ran a static analysis tool named "Valgrind" against the source code to OpenSSL in the Debian Linux distribution. The Valgrind tool reported an issue with the OpenSSL package distributed by Debian, so the Debian team decided that they needed to fix this "security bug...
Blog Post: Resilience is NOT necessarily a good thing
Larry Osterman [MSFT], 1 May 2008
I just ran into this post by Eric Brechner, who is the director of Microsoft's Engineering Excellence center. What really caught my eye was his opening paragraph: I heard a remark the other day that seemed stupid on the surface, but when I really thought about it I realized it was completely...
Blog Post: This is the way the world (wide web) ends...
Larry Osterman [MSFT], 16 Apr 2008
Robert Hensing linked to a post by Thomas Ptacek over on the Matasano Chargen blog. Thomas (who is both a good hacker AND a good writer) has a writeup of a “game-over” vulnerability that was just published by Mark Dowd over at IBM's ISS X-Force that affects Flash. For those that don’t speak hacker-speak...
Blog Post: The Trouble with Giblets
Larry Osterman [MSFT], 7 Mar 2008
I don't write about the SDL very much, because I figure that the SDL team does a good enough job of it on their blog, but I was reading the news a while ago and realized that one of the aspects of the SDL would have helped if our competitors were to adopt it. A long time ago, I wrote a short post about...
Blog Post: Wow - We hired Crispin Cowan!!!
Larry Osterman [MSFT], 18 Jan 2008
Michael Howard just announced that we've hired Crispin Cowan! This is incredibly awesome; I have a huge amount of respect for Crispin, he's one of the most respected researchers out there. Among other things, Crispin's the author and designer of AppArmor, which adds sandboxing capabilities to Linux...
Blog Post: How to lose customers without really trying...
Larry Osterman [MSFT], 15 Nov 2007
Not surprisingly, Valorie and I both do some of our holiday season shopping at ThinkGeek. But no longer. Valorie recently placed a substantial order with them, but instead of processing her order, they sent the following email: From: ThinkGeek Customer Service [mailto:custserv@thinkgeek.com] Sent...
Blog Post: When you're analyzing the strength of a password, make sure you know what's done with it.
Larry Osterman [MSFT], 12 Nov 2007
Every once in a while, I hear someone making comments about the strength of things like long passwords. For example, if you have a 255-character password that just uses the 26 roman upper and lower case letters, plus the numeric digits. That means that your password has 62^255 possible values, if you...
Blog Post: Chris Pirillo's annoyed by the Windows Firewall prompt
Larry Osterman [MSFT], 2 Nov 2007
Yesterday, Chris Pirillo made a comment in one of his posts: And if you think you’re already completely protected in Windows with its default tools, think again. This morning, after months of regular Firefox use, I get this security warning from the Windows Vista Firewall. Again, this was far from the...
Blog Post: Every threat model diagram should tell a story.
Larry Osterman [MSFT], 22 Oct 2007
Adam Shostack has another threat modeling post up on the SDL blog entitled "Threat Modeling Self Checks and Rules of Thumb". In it, he talks about threat models and diagrams (and he corrects a mistake in my "rules of thumb" post (thanks Adam)). There's one thing he mentions that is really important...
Blog Post: Some final thoughts on Threat Modeling...
Larry Osterman [MSFT], 1 Oct 2007
I want to wrap up the threat modeling posts with a summary and some comments on the entire process. Yeah, I know I should have done this last week, but I got distracted :). First, a summary of the threat modeling posts: Part 1: Threat Modeling, Once again. In which our narrator introduces the idea...
Blog Post: Threat Modeling Again, Threat Modeling Rules of Thumb
Larry Osterman [MSFT], 21 Sep 2007
I wrote this piece up for our group as we entered the most recent round of threat models. I've cleaned it up a bit (removing some Microsoft-specific stuff), and there's stuff that's been talked about before, but the rest of the document is pretty relevant. --------------------------------------- As you...
Blog Post: Threat Modeling Again, Threat modeling and the firefoxurl issue.
Larry Osterman [MSFT], 19 Sep 2007
Yesterday I presented my version of the diagrams for Firefox's command line handler and the IE/URLMON's URL handler. To refresh, here they are again: Here's my version of Firefox's diagram: And my version of IE/URLMON's URL handler diagram: As I mentioned yesterday, even though there's a trust boundary...
Blog Post: Threat Modeling Again, Threat Modeling in Practice
Larry Osterman [MSFT], 18 Sep 2007
I've been writing a LOT about threat modeling recently but one of the things I haven't talked about is the practical value of the threat modeling process. Here at Microsoft, we've totally drunk the threat modeling Kool-Aid. One of Adam Shostack's papers on threat modeling has the following quote from...
Blog Post: Threat Modeling Again, Presenting the PlaySound Threat Model
Larry Osterman [MSFT], 17 Sep 2007
It's been a long path, but we're finally at the point where I can finally present the threat model for PlaySound. None of the information in this post is new; all the information is pulled from previous posts. ---------------- PlaySound Threat Model The PlaySound API is a high level multimedia API intended...
Blog Post: Threat Modeling Again, Pulling the threat model together
Larry Osterman [MSFT], 14 Sep 2007
So I've been writing a LOT of posts about the threat modeling process and how one goes about doing the threat model analysis for a component. The one thing I've not talked about is what a threat model actually is. A threat model is a specification, just like your functional specification (a Program...
Blog Post: Threat Modeling Again, Threat Modeling PlaySound
Larry Osterman [MSFT], 11 Sep 2007
Finally it's time to think about threat modeling the PlaySound API. Let's go back to the DFD that I included in my earlier post, since everything flows from the DFD. This dataflow diagram contains a number of elements; they are: Application: External Interactor PlaySound: Process WAV file: Data Store...
Page 1 of 4 (85 items)