Michael Howard's Web Log

As y’all know, the Visual C++ /GS compiler flag adds prolog and epilog code to certain functions to help detect some classes of stack based buffer overruns at runtime. In VC++ 2005, the code looks like this: Function prolog sub esp, 8 mov eax...

Like a good Microsoft security citizen I installed BitLocker on my Infineon TPM-enabled laptop ages ago, well before we shipped the OS in late 2006. The nice thing is that I don't even know BitLocker is ‘doing its thing’ as there is no performance degradation...

From Symantec: With the advent of Vista and the continued use of the Security Development Lifecycle, it is likely that Microsoft-authored code will become more difficult to exploit. As a result, attackers may turn their focus to common third-party...

Wow, the folks from Symantec claim "Microsoft is doing better overall than its leading commercial competitors [in security]" http://www.internetnews.com/security/article.php/3667201

Jeff Jones just posted a blog looking at vulnerability counts in various operating systems after 90 days of product release. It's an interesting read.

David is one of the most insightful security guys I know. Wicked smart, and damned opinionated, but who isn't? http://blogs.msdn.com/david_leblanc/

A few weeks back I wrote how my 5 year old son, Blake, decided to hack into our computer. Well, it gets better. Blake is reading pretty well now, and can write too. But he still comes across words he needs to sound out phonetically. Yesterday, my...

I love looking at and analyzing security bugs, but I also enjoy observing how people react to knowledge of security bugs. Over the last few weeks, I’ve seen a number of interesting articles about Windows Vista security that made me smile. So I thought...

Before I get started, I want to point out this is my opinion, not necessarily anyone else’s viewpoint. Now that we have shipped Windows Vista and researchers are starting to prod and probe for security bugs, I want to spend a couple of minutes to explain...

Chris Corio and Jonathan Schwartz did an hour-long deep dive into the UAC architecture, goals and issues over on Channel9. I've known Jon for more years than I care to remember, and he is one of the smartest guys I know, but don't tell him I said that...

We have just published the list of SDL-banned APIs, and their replacements. http://msdn2.microsoft.com/en-us/library/bb288454.aspx

Even though we (kinda) promised our wives we wouldn’t do it, David LeBlanc and I have just wrapped up another book, Writing Secure Code for Windows Vista . (ISBN: 9780735623934, ISBN-10: 0-7356-2393-7.) It should be available around mid-April 2007...

This is a true story. Last Thursday I flew from RSA in San Francisco back to Seattle. When I got back I helped my wife pack the bags for our trip to New Zealand. At about midnight, after we'd done all the packing, I got the passports out of the safe...

Howdy once again from RSA. It's raining. So much for sunny California! Jeff and I just gave our talk about Windows Vista Security Engineering. It was a packed room. In fact, when we got to the room we saw a bunch of people milling around outside. We...

Howdy from RSA in San Francisco - I just got here, and I have a talk tomorrow morning @ 9AM about Windows Vista Security Engineering. Now to the topic of this post. One of my favorite features in Windows Vista is Parental Controls. I like the feature...

I’ve been asked this question numerous times, often in the guise of a question like, “why can’t you guys simply fix the security problem?” or “reliability and scalability problems are understood and solvable, why can’t you do the same with security?”...

Jim Allchin has a great blog post about some of the design issues we went through and tradeoffs we made in Windows Vista around DEP, UAC, IE and so on. It's a long, but worthwhile read .

Jeff has an uncanny ability to dig into details that most folks gloss over: Exposed? : Examining Secunia Unpatched Warnings - Part 3 I have to concur with Kai: People like this just frost me: Security considered a burden for users

This blog post outlines a bug in the macworld.com web site that allowed the blogger to get a Platinum Pass into MacWorld to see the Jobs' keynote. I'm assuming the story is true! If it's not, it is still a fascinating read about insecure code.

MS07-004 does not affect Windows Vista, even though the coding bug is there. Why? The bug is an integer overflow calling C++ operator::new, but the affected component vgx.dll is compiled with the C++ compiler available in Visual Studio 2005 that automatically...

This is great news. OneCare is one of my all-time-fave products. I love it because it was built knowing that the target user is no security expert. It wasn't built by geeks for geeks. Everyone in my immediate family uses OneCare because (to quote my...

Over the last couple of days, many people have asked for my take on the fact that Visual Studio 2005 SP1 requires admin privileges to run on Windows Vista, and pops up a dialog saying so when it starts up. So, here’s my take, and I don't work for...

From the blurb: During the development of Windows Vista, several key investments were made to vastly improve overall quality, security, and reliability from previous versions of Windows. While we have made tremendous investments in Windows Vista...

First, a very Happy New Year to you all...! Second, due to incredibly popular demand, I managed to find the eXPired poster. I have added it as an attachment at the end of this blog post. Enjoy.

Knowing the Enemy - A lightning demonstration on how hackers attack networks http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=351 Marcus Murray, Senior Security Architect, Truesec Advanced Malware Cleaning http://www.microsoft.com/emea...