Michael Howard's Web Log
A Simple Software Security Guy at Microsoft!
New hire into our group - James Whittaker
Posted over 7 years ago by Michael Howard. 9 comments.
I’m pleased to announce, actually I’m *thrilled* to announce, that James Whittaker has joined our group. James is a well-known author and speaker on software testing and security. He most recently worked as a professor of computer science at Florida Tech...
IIS Auth Diagnostic tool now available
Posted over 9 years ago by Michael Howard. 1 comment.
Ages ago, I wrote a little DHTML tool to help people determine the appropriate authentication settings to use with different browsers, servers and Web servers. It helped a good many people, but it was simple. Today, the IIS team has released a much more...
Windows Vista Address Space Layout Randomization – What is Randomized?
Posted over 7 years ago by Michael Howard. 7 comments.
A couple of people asked what “on by default” means with regards to ASLR in Windows Vista. The ‘default’ for ASLR in Windows Vista is:
• Stacks and Heap are randomized (stack-randomization is on post-Beta 2)
• EXEs and DLLs shipping as part...
File Checksum Integrity Verifier utility
Posted over 8 years ago by Michael Howard. 0 comments.
Every once in a while I come across an old piece of email, or a document I archived that contains a little nugget; well, I just stumbled on one on a backup DVD. Last year, Microsoft made available a tool named the File Checksum Integrity Verifier (FCIV...
Security Analogies are usually Wrong
Posted over 7 years ago by Michael Howard. 30 comments.
I have long believed that if someone makes an argument and uses an analogy, then the argument is often weak. But that’s just me! This is why I usually roll my eyes when I hear statements like, “If [bridges|cars|airplanes] were built like software then...
Some thoughts about Windows Server 2008
Posted over 5 years ago by Michael Howard. 11 comments.
Windows Server 2008 has shipped! And a fine product it is, too! Windows Server 2008 is the first Windows Server to go through the full SDL process, making it the most secure version of Windows Server to date. We raised the security bar in Windows Vista...
Threat Modeling tool now available
Posted over 9 years ago by Michael Howard. 7 comments.
Finally, it has been posted - Frank Swiderski's Threat modeling tool is now available for free download on MSDN. From the blurb: The Threat Modeling Tool allows users to create threat model documents for applications. It organizes relevant data...
Address Space Layout Randomization for Windows
Posted over 8 years ago by Michael Howard. 6 comments.
A small company named Wehnus, run by Matt Miller, has put together a comprehensive Windows-based host intrusion prevention system (HIPS) called WehnTrust ( http://www.wehnus.com ) that uses Address Space Layout Randomization (ASLR) among other...
“Microsoft Dynamics Writing Secure X++ Code” Paper now available
Posted over 7 years ago by Michael Howard. 2 comments.
In June 2006, Microsoft released Dynamics AX 4.0, which was the first full version to be developed in Microsoft using the Security Development Lifecycle (SDL). A key deliverable by this team is a document on security considerations for Dynamics AX development...
A New Way to Detect Integer Overflows?
Posted over 9 years ago by Michael Howard. 10 comments.
David LeBlanc and I have written a good deal about Integer Overflow issues, including the following: WSC 2nd Ed: pp620-624. Reviewing Code for Integer Manipulation Vulnerabilities ( http://msdn.microsoft.com/library/en-us/dncode/html/secure04102003.asp...
ATL, MS09-035 and the SDL
Posted over 4 years ago by Michael Howard. 0 comments.
http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx
Windows Vista Security Enhancements
Posted over 7 years ago by Michael Howard. 12 comments.
A paper has just been made available that outlines some of the security improvements in Windows Vista Beta 2.
Hidden Message in Writing Secure Code 2nd Ed
Posted over 8 years ago by Michael Howard. 9 comments.
I've been meaning to write about this for a year or so, but for some reason I simply keep forgetting to do it! There's a hidden message in WSC 2nd ed. Since the book's release, only one person has found it. Here's a clue: it's in plain sight :)
Hotmail and SAFER bug
Posted over 8 years ago by Michael Howard. 3 comments.
So we've found a small bug in Hotmail when using the SAFER/IE stuff (big thanks to Kody Dickerson for alerting me.) Turns out Hotmail will hang when you start it up if you have Hotmail running under a SAFER context, and MSN Messenger running as the "normal...
Office2003/XP Remove Hidden Data tool Available
Posted over 9 years ago by Michael Howard. 8 comments.
I've been meaning to write about this for ages. So here goes, better late than never! Many people, quite rightly, are concerned that sensitive or private data can reside in the metadata of documents created by productivity applications, such as Microsoft...
Some of us are *NOT* in Las Vegas!
Posted over 7 years ago by Michael Howard. 8 comments.
I suppose someone has to keep the home fires burning! Seriously, it's great to see the Windows Vista presentations were well received at Black Hat 2006: Microsoft gets good reception at Black Hat . That being said, one of the advantages of half the team...
RootkitRevealer from SysInternals
Posted over 8 years ago by Michael Howard. 0 comments.
I haven't had a chance to look at it yet, but the good folks at sysinternals have released a tool named RootkitRevealer. It looks like it works by comparing two scans, one very low-level and one high-level which will include the bogus results intercepted...
List of useful security libraries
Posted over 7 years ago by Michael Howard. 7 comments.
I was asked last week for a list of "drop-in-and-more-secure" replacements, created at Microsoft, for C/C++ functions and constructs. So here's a list: IntSafe (C safe integer arith library) SafeInt (C++ safe integer arith template class) ...
How to get a US Passport in 1.5h Hours
Posted over 6 years ago by Michael Howard. 12 comments.
This is a true story. Last Thursday I flew from RSA in San Francisco back to Seattle. When I got back I helped my wife pack the bags for our trip to New Zealand. At about midnight, after we'd done all the packing, I got the passports out of the safe...
Microsoft Anti-Cross Site Scripting Library V1.0 Available
Posted over 7 years ago by Michael Howard. 15 comments.
I like this class library because it looks for "good things" and not "bad things." The most common method of mitigating XSS issues is to use functions like HtmlEncode that look for "bad things" and escape them. But this library does the right thing...
Administering Windows Servers through one port
Posted over 9 years ago by Michael Howard. 11 comments.
A couple of months ago, I presented at a Financial Services Chief Security Officer’s forum here in Redmond about threat modeling and secure design. One question, totally unrelated to secure design, but still a great question, was how an admin can...
My Take on Visual Studio 2005 SP1 and Windows Vista
Posted over 6 years ago by Michael Howard. 11 comments.
Over the last couple of days, many people have asked for my take on the fact that Visual Studio 2005 SP1 requires admin privileges to run on Windows Vista, and pops up a dialog saying so when it starts up. So, here’s my take, and I don't work for...
My Recent Spyware Experience
Posted over 8 years ago by Michael Howard. 5 comments.
A few months ago a neighbor (the mother of the family) asked me to take a look at their computer running Windows XP. It had slowed noticeably, and they had a nasty case of “pesky popups.” But to make matters worse, they had discovered a stash of really...
Dave G. at Matasano comments on Vista TCP/IP Stack
Posted over 7 years ago by Michael Howard. 3 comments.
Very interesting counterpoint to the recent Symantec paper about the TCP/IP stack in Windows Vista.
Updated Errata for Writing Secure Code 2nd Edition
Posted over 9 years ago by Michael Howard. 11 comments.
Entire Book: Please replace all references to Windows® .NET Server with Windows® Server 2003.
Chapter 2, Page 44: There is a small typo: "This effect is called the Hawthorn effect." Should read: "This effect is called...
Page 3 of 14 (341 items)