Michael Howard's Web Log
A Simple Software Security Guy at Microsoft!
Threat Modeling tool now available
Posted over 9 years ago by Michael Howard | 7 comments
Finally, it has been posted - Frank Swiderski's Threat modeling tool is now available for free download on MSDN. From the blurb: The Threat Modeling Tool allows users to create threat model documents for applications. It organizes relevant data...
Integer Overflow and operator::new
Posted over 8 years ago by Michael Howard | 7 comments
As Raymond Chen pointed out last year ( http://blogs.msdn.com/oldnewthing/archive/2004/01/29/64389.aspx ), there is a potential integer overflow when calling operator::new. The C++ compiler in Visual Studio 2005 automatically generates defensive code...
Clinic 2806: Microsoft Security Guidance Training for Developers
Posted over 8 years ago by Michael Howard | 7 comments
I'd totally forgotten about this, but Microsoft eLearning has made available "Clinic 2806: Microsoft Security Guidance Training for Developers". It's a free on-line clinic that lasts about 6 hours, aimed squarely at developers. It covers, among other things...
"How can I Trust Firefox" blog by Torr
Posted over 9 years ago by Michael Howard | 7 comments
Peter Torr has joined our group, working with development teams to help them through the Security Development Lifecycle and Final Security Review processes. He just posted an interesting comment about downloading and running Firefox. http://blogs.msdn...
Matt Miller Joins the Security Science Team!
Posted over 5 years ago by Michael Howard | 7 comments
Good news! Matt Miller, author of plenty of cutting-edge security research, including my fave "A Brief History of Exploitation Techniques and Mitigations on Windows", has joined the Security Science team to work on improved ways to find security vulnerabilities...
Ken Johnson (Skywing) joins Microsoft
Posted over 4 years ago by Michael Howard | 7 comments
Following close on the heels of security experts Matt Miller, Adam Shostack and Crispin Cowan joining Microsoft, I am pleased to announce that Ken Johnson, AKA Skywing, has joined our group. Ken brings an enormous amount of reverse engineering...
Overlong UTF-8 Escapes Bite
Posted over 5 years ago by Michael Howard | 6 comments
Every once in a while a security bug pops up that really piques my interest, and a new directory traversal bug that affects Apache Tomcat (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938) most certainly made me take notice because I haven...
"How Do I?" Videos for Security
Posted over 5 years ago by Michael Howard | 6 comments
These are pretty cool - I'm a big fan of highly focused, short education like this... http://msdn2.microsoft.com/en-us/security/bb896640.aspx
Introducing SAFECode
Posted over 5 years ago by Michael Howard | 6 comments
Today SAFECode, the Software Assurance Forum for Excellence in Code, introduced its first white paper, "Software Assurance: An Overview of Current Industry Best Practices." The organization was founded by Microsoft, Symantec, EMC, SAP and Juniper...
FAQ about HeapSetInformation in Windows Vista and Heap Based Buffer Overruns
Posted over 5 years ago by Michael Howard | 6 comments
2/19 - Added some minor tweaks.
Perhaps it's the phase of the moon or something, but over the last few weeks I have received more email about correctly using the HeapSetInformation function than any other topic. I really don't know why! This was added...
Protecting Your Code with Visual C++ Defenses
Posted over 5 years ago by Michael Howard | 6 comments
MSDN Magazine has just published an article I wrote that collects many of the various C and C++ defenses in the current Visual C++ compiler suite; all of these defenses are SDL requirements or recommendations.
Russinovich and the WMF Flaw (MS06-001)
Posted over 7 years ago by Michael Howard | 6 comments
I'm not 100% sure why no-one seems to have picked up on this: Russinovich decided to do his own analysis of the WMF flaw to test Gibson's belief that WMF/SetAbortProc() is an intentional backdoor. Of course, it's not! Here's Mark's analysis: http...
Address Space Layout Randomization for Windows
Posted over 8 years ago by Michael Howard | 6 comments
A small company named Wehnus, run by Matt Miller, has put together a comprehensive Windows-based host intrusion prevention system (HIPS) called WehnTrust ( http://www.wehnus.com ) that uses Address Space Layout Randomization (ASLR) among other...
Comments from Gartner about Microsoft's Security Work
Posted over 8 years ago by Michael Howard | 6 comments
I just read this very interesting article in Information Week about the recent Cisco 'issue' at Blackhat. What caught my eye is a comment from John Pescatore, a senior security researcher at Gartner. Emphasis is mine... Microsoft, said Pescatore...
The Antivirus Defense-in-Depth Guide Released to Web
Posted over 9 years ago by Michael Howard | 6 comments
Finally got out of war, and saw this in my inbox... The Microsoft Solutions for Security (MSS) team has released The Antivirus Defense-in-Depth Guide on the Web ( http://go.microsoft.com/fwlink/?LinkId=28734 ). I just had a look at it, and it's...
Microsoft Security Bulletin RSS Feed
Posted over 9 years ago by Michael Howard | 6 comments
From the "Well-waddya-know Dept." I just found out this morning there's an RSS feed for Microsoft Security bulletins. You learn something every day! Point your reader at http://www.microsoft.com/technet/security/bulletin/secrss.aspx...
An Update on David LeBlanc
Posted over 7 years ago by Michael Howard | 6 comments
As you probably all know, David is a very good friend of mine and we have authored some popular security books together, and will probably write some more too (but that's another story.) Some of you know that David left Microsoft to join Webroot in...
Wresting free from a software straitjacket
Posted over 7 years ago by Michael Howard | 6 comments
There's an interesting article over at C|Net about security in general, and Microsoft and the SDL in particular. One thing the author points out as important is BillG's Trustworthy Computing memo. IMHO, here's why such an email is so important. If...
Microsoft hosts OEM partners for a crash-course in SDL (Day One)
Posted over 7 years ago by Michael Howard | 6 comments
As part of our ongoing SDL efforts, we are hosting a 2.5 day event here in Redmond for our OEM partners: over 50 senior technical experts from the biggest names in the computer industry. Out of respect for our partners I won't name names, but the "usual...
Microsoft hosts OEM partners for a crash-course in SDL (Day Two)
Posted over 7 years ago by Michael Howard | 6 comments
Day two of the SDL training session for OEMs went well. James Whittaker led the discussion for the first half of the morning, discussing security testing. His main point was that testing for security requires a different mindset - you still have to...
Whatever Happened to sprintf(..., "%n",...)?
Posted over 7 years ago by Michael Howard | 6 comments
You may have noticed that if your code calls functions in the sprintf family and the format template string uses the %n parameter, then it fails to run correctly after it is compiled with Visual Studio 2005. Why? Well, it's pretty simple: by default we...
From the Mouths of Babes
Posted over 6 years ago by Michael Howard | 6 comments
A few weeks ago someone in my group suggested I blog about more than security. I asked, "Why?" He said, "So people will realize you're not a droid!" So here is my first post that has nothing to do with security; it's about parenting. More to the point...
The Most Complex SAL annotation
Posted over 6 years ago by Michael Howard | 5 comments
While working on "Writing Secure Code for Windows Vista" I spent a good deal of time spelunking the new crypto stuff, CNG. One of the APIs is BCryptResolveProviders, and the last argument is pretty complex: If you pass NULL, it fails and...
News Items that Interested me this Week
Posted over 6 years ago by Michael Howard | 5 comments
Each week (ok, mostly every week!) I'll post news items that interested me...
Security analysis of Checkpoint firewall: Of interest is the way around RedHat's ExecShield buffer overflow defense. http://www.pentest.es/checkpoint_hack.pdf
Abusing chroot...
Windows Live OneCare v1.5 is released to manufacturing
Posted over 6 years ago by Michael Howard | 5 comments
This is great news. OneCare is one of my all-time-fave products. I love it because it was built knowing that the target user is no security expert. It wasn't built by geeks for geeks. Everyone in my immediate family uses OneCare because (to quote my...
Page 5 of 14 (341 items)