Michael Howard's Web Log

A few days ago I decided to look into how IIS6 has faired security-wise since its release well over a year ago. But I didn't want to use Microsoft figures; I wanted to use other figures. This led me to Secunia.com as they have a very nice Web site tracking...

This just came in my inbox from Bugtraq, a buffer overrun processing Apache 1.3.x .htpasswd files. " local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? " at http://www.securityfocus.com/archive/1/379842/2004-10-26/2004-11-01/0 What...

Man, I got a ton of email from all over the place about my last blog entry, and it seemed to fall into four groups: Perhaps the security work you guys are doing is paying off?! No way can this be true, you work for Microsoft, so how can you be unbiased...

Interesting stuff, no?

My good friend, Jesper Johansson, just did something that's really hard to do - make the front page of www.microsoft.com , with his "Anatomy of a Hack" paper. Go take a look... In a few days this'll be replaced with something else, in which case, you...

David LeBlanc and I have written a good deal about Integer Overflow issues, including the following: WSC 2nd Ed: pp620-624. Reviewing Code for Integer Manipulation Vulnerabilities ( http://msdn.microsoft.com/library/en-us/dncode/html/secure04102003.asp...

Yes, this time in Squid. I've been following security bugs in ASN.1 parsers for some time now, as it seems to be a common bug, owing to the complexity of parsing complex structures like ASN.1. By my count, 18 or so security updates have been issued in...

The annual Security issue of MSDN is out, and you should find a copy in your local book or magazine store. Or, if you like, you can read the issue online at http://msdn.microsoft.com/msdnmag . I wrote an article in this issue outlining a method to reduce...

My good friend J.C. Cannon has written the book on Privacy aimed squarely at developers, as well as IT folks. While I, and many others, focus on security, J.C. and his team address privacy issues. I think most people consider the two disciplines kinda...

Microsoft is working hard to improve security and Rich Kaplan, Corporate Vice President for the Security Business Unit, and his security team invites you to join them in a candid Q&A session. Ask us your tough questions; share with us what is going...

A big thanks to Niels Dekker for providing me with the feedback. Here's the diff only. Chapter 5, Page 145 There’s a small error in the ArrayIndexError code: printf("Usage is %s [index] [value]\n"); Should read: printf("Usage is %s [index] [value]\n"...