Michael Howard's Web Log

A Simple Software Security Guy at Microsoft!

Browse by Tags

Tagged Content List
  • Blog Post: Free Download: Writing Secure Code for Windows Vista

    "For 25 years, Microsoft Press books have focused on helping you take your skills and knowledge to the next level. Celebrate our 25th Anniversary with a "Free E-Book of the Month" offer! Simply sign up for the Microsoft Press Book Connection Newsletter for notification of offers, register, and download...
  • Blog Post: Volume 5 of the Microsoft Security Intelligence Report is out

    Volume 5 of the Microsoft Security Intelligence Report is now out , highlights include: Security vulnerability disclosures - Microsoft and third-party software Vulnerability Exploits – Microsoft software Browser-based exploits - Microsoft and third-party software Security and...
  • Blog Post: How Very True

    http://twitter.com/alexsotirov/statuses/882866444
  • Blog Post: FAQ about HeapSetInformation in Windows Vista and Heap Based Buffer Overruns

    2/19 - Added some Minor Tweaks Perhaps it's the phase of the moon or something, but over the last few weeks I have received more email about correctly using the HeapSetInformation function than any other topic. I really don't know why! This was added last year as an SDL requirement. So here's a...
  • Blog Post: New NX APIs added to Windows Vista SP1, Windows XP SP3 and Windows Server 2008

    In the interests of helping secure the platform, we want more people to opt-in to using Data Execution Prevention (aka DEP aka NX), and we have lowered the barrier to entry for application developers in Windows Vista SP1, Windows XP SP3 and Windows Server 2008. We've added some new APIs that allow...
  • Blog Post: Windows Vista Crypto Modules now FIPS 140-2 Certified

    The standard crypto providers such as DSSENH and RSAENH are now certified FIPS 140-2 on Windows Vista. http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2008.htm has all the info.
  • Blog Post: VBootkit vs. Bitlocker in TPM mode

    One of the guys in our group, Robert Hensing has an interesting post about VBootkit and whether BitLocker in TPM offers any defense. Short answer: yes, it does. Slightly longer answer: The BitLocker guys anticiated this attack and the really long answer is in his post . Chalk up another one for Vista...
  • Blog Post: Update on DropMyRights

    It's been a long time since I looked at DropMyRights, a little tool I wrote forever ago to lower a user's privilege level on versions of WIndows prior to Windows Vista. Michael Horowitz has just posted a couple of blog posts about DMR stating that everyone on Windows XP should use the tool. The articles...
  • Blog Post: Inspect Your Gadget

    Dave Ross and I recently wrote an article on the in's & out's of writing secure gadgets for Windows Vista. Because gadgets are considered full-trust applications, you must understand some gadget security basics.
  • Blog Post: Windows Vista Integrity Paper

    Howdy from a little coffee shop (no, not Starbucks) at the entrance to our subdivison in Austin! I can't wait to get broadband up and running at the house! Peter Brundrett, the PM behind the integrity levels work in Windows Vista has written a very detailed whitepaper on the subject,
  • Blog Post: Lessons Learned from MS07-029: The DNS RPC Interface Buffer Overrun

    I just posted the root cause analysis for the DNS RPC buffer overrun over on the SDL blog.
  • Blog Post: The Most Complex SAL annotation

    While working on " Writing Secure Code for Windows Vista " I spent a good deal of time spelunking the new crypto stuff, CNG . One of the APIs is BCryptResolveProviders , and the last argument is pretty complex: If you pass NULL, it fails and tells you the amount of space required. If you...
  • Blog Post: Recent CRN Article comparing Windows XP SP2 and Windows Vista

    Jeff has a post about the recent CRN and Ars Technica articles comparing XPSP2 and Vista security. One thing I love about Jeff is he's blunt. Damned blunt.
  • Blog Post: At TechEd this Week

    Hi from Orlando I'm presenting at TechEd this week - I have two sessions, one is a "chalktalk" tomorrow (Monday 4th) from 10:30 - 11:45 entitled "Everything-Developer-Security." I have no agenda! I'll do what I did last year: open notepad, enter a few items that interest me and then take questions...
  • Blog Post: Half Of Windows Vista Adoption Driven By Security

    I think I earned my paycheck this week :) http://www.informationweek.com/news/showArticle.jhtml?articleID=199701141
  • Blog Post: Windows Vista ISV Security Paper Available

    Matt Thomlinson and I wrote a document explaining how to take advantage of some of the buffer overrun defenses in Windows Vista. The document is now available here . Enjoy :)
  • Blog Post: Writing Secure Code for Windows Vista is Shipping!

    I've recieved a number of emails from folks saying they have got their copies of our latest book, Writing Secure Code for Windows Vista . David and I got our copies yesterday. The first things that hit me about the book are (a) it's the smallest book we've written (which is good!) and (b) it's very...
  • Blog Post: CodeGear’s new Delphi 2007 supports ASLR and NX

    From the Helping to Secure the Ecosystem Dept. Here’s some good news for people using CodeGear’s Delphi . The new Delphi 2007 release, available now, supports NX and ASLR . The CodeGear Delphi 2007 compiler supports ASLR via any of these three techniques: Add the command-line switch...
  • Blog Post: How Microsoft Security Bulletin MS07-017 affected Windows Vista

    Feliciano Intini (a senior security guy in Microsoft Italy) has posted an excellent analysis of the MS07-017 bulletin released today. Essentially, it's a roll up of graphic-related fixes. Of the seven discrete fixes: All seven affected Windows 2000. Six affected Windows Server 2003 SP2. ...
  • Blog Post: A Real-world Windows Vista BitLocker Tip

    Like a good Microsoft security citizen I installed BitLocker on my Infineon TPM-enabled laptop ages ago, well before we shipped the OS in late 2006. The nice thing is that I don't even know BitLocker is ‘doing its thing’ as there is no performance degradation that I can see. But there is something you...
  • Blog Post: Symantec: Microsoft-authored code will become more difficult to exploit

    From Symantec: With the advent of Vista and the continued use of the Security Development Lifecycle, it is likely that Microsoft-authored code will become more difficult to exploit. As a result, attackers may turn their focus to common third-party applications that are authored by companies that...
  • Blog Post: My Take on Windows Vista Security “Vulnerabilities”

    I love looking at and analyzing security bugs, but I also enjoy observing how people react to knowledge of security bugs. Over the last few weeks, I’ve seen a number of interesting articles about Windows Vista security that made me smile. So I thought I would paraphrase the articles and re-write them...
  • Blog Post: How I will judge Windows Vista Security

    Before I get started, I want to point out this is my opinion, not necessarily anyone else’s viewpoint. Now that we have shipped Windows Vista and researchers are starting to prod and probe for security bugs, I want to spend a couple of minutes to explain how I will judge Windows Vista security. ...
  • Blog Post: UAC Deep dive over on Channel9

    Chris Corio and Jonathan Schwartz did an hour-long deep dive into the UAC architecture, goals and issues over on Channel9. I've known Jon for more years than I care to remember, and he is one of the smartest guys I know, but don't tell him I said that! http://channel9.msdn.com/Showpost.aspx?postid...
  • Blog Post: New Book: Writing Secure Code for Windows Vista

    Even though we (kinda) promised our wives we wouldn’t do it, David LeBlanc and I have just wrapped up another book, Writing Secure Code for Windows Vista . (ISBN: 9780735623934, ISBN-10: 0-7356-2393-7.) It should be available around mid-April 2007. It’s a short book, around 230pp, and covers...
Page 1 of 2 (50 items) 12