Michael Howard's Web Log

A Simple Software Security Guy at Microsoft!

  • Windows XP SP2 and Nikon Software (4 comments)
    Last night I bought a shiny new PC for home; it's based on an AMD Athlon 64 FX, with 2x160Gb SATA RAID-0 drives, 1Gig of RAM and an nVidia GeForce 6800 Ultra. It's pretty quick :) I got the AMD Athlon CPU primarily for the Data Execution Protection support...
  • How I will judge Windows Vista Security (13 comments)
    Before I get started, I want to point out this is my opinion, not necessarily anyone else's viewpoint. Now that we have shipped Windows Vista and researchers are starting to prod and probe for security bugs, I want to spend a couple of minutes to explain...
  • Twitter Feed (3 comments)
    I've been doing this Twitter thing for a while now - I really like it, folks can get a feel for what you're up to each day. If you're interested, you can see what I'm up to by clicking 'Follow' at http://twitter.com/michael_howard
  • Visio Connector for MBSA available (2 comments)
    This is kinda cool - a Visio connector that hooks up to the output from the Microsoft Baseline Security Analyzer (MBSA). From the blurb: At a glance, you'll be able to: Pinpoint vulnerabilities on the color-coded diagram. Identify solutions...
  • Practical Defense in Depth (1 comment)
    <sent from Cabo San Lucas Airport - heading back to Austin > Crosstalk has published an article of mine regarding how we use Defense in Depth within the SDL, and in Microsoft in general.
  • A Nice Source of 'Vintage' Security Papers (5 comments)
    A colleague (thanks, Chris!) sent me this URL; it's a great resource for classic security papers, and a very worthy read. http://csrc.nist.gov/publications/history/
  • ASLR and the new linker (16 comments)
    Well, the VS team shipped VS2005 SP1. You'll need the updated linker to support ASLR on Windows Vista. All it does is add a new setting to your PE header. So grab the update, and link your EXE with the new /dynamicbase option. Voila!
  • Why 'Sasser' does not affect Win2003 (16 comments)
    As you may be aware, a new worm has emerged named 'Sasser', and Windows Server 2003 is not infected. Why? Because the RPC interface, which is accessible to anyone (i.e. anonymous) on Windows XP and Win2000, was changed in Win2003 so that it requires a...
  • Microsoft under attack - and it's not what you think (11 comments)
    I really never thought I would see this day! But this is a very interesting read. "..open source developers and security professionals accusing them [Microsoft] of being obsessed by security." http://www.artima.com/weblogs/viewpost.jsp?thread=162577...
  • Comments from Gartner about Microsoft's Security Work (6 comments)
    I just read this very interesting article in Information Week about the recent Cisco 'issue' at Blackhat. What caught my eye is a comment from John Pescatore, a senior security researcher at Gartner. Emphasis is mine... Microsoft, said Pescatore...
  • More people warming up to Threat Modeling (2 comments)
    A nice article on the subject, focused firmly on infrastructure, written by Pete Lindstrom at Information Security Magazine: http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss446_art927,00.html The two opening paras sum it up nicely: The time...
  • strlen_s, where for art thou? (2 comments)
    I just received an email from a product group wanting to replace a small number of calls to strlen with strlen_s to help them be SDL compliant. Problem is, there is no strlen_s! :( So I had a chat with Martyn Lovell, who headed the SafeCRT work to...
  • Agile SDL (2 comments)
    Over the last year or so, a bunch of us in the SDL team have been working with agile groups across Microsoft to help streamline the SDL for agile methods. Bryan Sullivan wrote a paper for MSDN Magazine explaining where our current thoughts lie. Clearly...
  • External Security Testing and Windows Vista (1 comment)
    On many occasions I have mentioned that we enlisted the help of a number of third-party security professionals to perform code reviews, design reviews and security testing on Windows Vista. These folks worked alongside our own team members for months...
  • The Bluehat Sessions (5 comments)
    C|Net is carrying a story this morning about the Bluehat summit we held at the Microsoft campus a few months back. Bluehat is a bit like Blackhat: we can't fly everyone to Blackhat, so why not have some of the speakers come to Redmond and speak instead...
  • "Hunting Security Bugs" now available from Microsoft Press (4 comments)
    This is a new security book from MSPress that focuses on security testing. I read some of the chapters a few weeks ago, and it's wonderful to add a testing perspective to the world of security. A great deal has been written about security and code quality...
  • Writing Secure Web Browsers is Hard (3 comments)
    I'm not making excuses, just stating facts. In fact, I just read this from SANS... emphasis is mine. http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=19 Fixes Not Yet Available for Firefox Vulnerabilities (9 May 2005) Two...
  • "How can I Trust Firefox" blog by Torr (7 comments)
    Peter Torr has joined our group, working with development teams to help them through the Security Development Lifecycle and Final Security Review processes. He just posted an interesting comment about downloading and running Firefox. http://blogs.msdn...
  • A list of Code Secure columns (2 comments)
    I'm in New Zealand right now, talking at TechEd. A customer asked me where he could find a list of all my old "Code Secure" columns on MSDN. I wasn't aware but things have moved around a little on msdn.microsoft.com, making it a little hard...
  • Why Windows Vista is unaffected by the VML Bug (12 comments)
    MS07-004 does not affect Windows Vista, even though the coding bug is there. Why? The bug is an integer overflow calling C++ operator::new, but the affected component vgx.dll is compiled with the C++ compiler available in Visual Studio 2005 that automatically...
  • New Security Resources Available (4 comments)
    These papers are aimed at IT type folks and non-technical users. Skip this blog post if you're a developer! Protecting Clients from Network Attacks Securing Remote Clients and Portable Computers How to Configure Windows Firewall in a Small Business...
  • More Attack Surface Reduction in IIS7 (4 comments)
    As y'all know, the attack surface of IIS6 is low because: It's not installed by default When you do install it, it serves up static files only All user interaction is handled by a low-privilege process But there is still quite a bit of...
  • UAC BS (20 comments)
    Howdy once again from RSA. It's raining. So much for sunny California! Jeff and I just gave our talk about Windows Vista Security Engineering. It was a packed room. In fact, when we got to the room we saw a bunch of people milling around outside. We...
  • Security-Related MSDN Magazine Articles (1 comment)
    Bryan Sullivan and I wrote a couple of articles for this month's MSDN Magazine. If you're not aware, November focuses on Security. The two articles are: Test Your Security IQ Threat Models Improve Your Security Process And there's the Agile...
  • Privacy Tip o' the Day (18 comments)
    I'm stunned at how much private data the average citizen will divulge. I was buying some stuff yesterday, and the clerk at the checkout asked the customer in front of me for her phone #, which she was quite happy to give. Next, I was signing up for gym...
Page 5 of 14 (341 items)