Security

A while ago (yes, I'm very slow) Ivan had a couple of blogs about removing the ability to turn off CAS in the runtime ( here and here ). Whilst I am sure the CLR team has some good reasons for doing so, many of the comments on the entries exhibit a common...

As if you weren't already paranoid enough about ZIP files... The recent MyDoom virus required you to open a ZIP and then execute one of the files inside the attachment. But a new vulnerability announced by iDEFENSE allows arbitrary code execution...

Dana has another great blog about auditing code in open and closed environments. Along with the "many eyes" fallacy used for open source development, I'd also like to see someone with more time on their hands than me tackle the equally fallacious...

A few weeks ago I posted a blog entry about a security problem we found with JScript .NET's GetObject method before the initial release of the CLR. Talking about the problem in full would take a while, and I want to get through a few blogs today, so some...

Reading Bugtraq today I saw this message about a "vulnerability" in Windows. Apparently -- get this -- if someone has the ability to install arbitrary system software on your computer, they can replace the SLL library used by IE and log all your internet...

It's time to go to Windows Update to get the latest IE updates, including the %01 bug address bar bug. In other news, Dana has a blog entry about the WSH security settings . Jeroen has an interesting blog about building a JVM on .NET . The X5...

I've blogged a lot about the VSTO security model , and many customers have been frustrated / confused by the tight security policy we use. Why on earth would we not trust code just because it's on the local machine? Well, one of our main scenarios...

Warning : This entry contains information about editing the registry. Editing the registry could mess up your machine. Also , the changes described here will cause some web sites (and possibly even some local applications) to stop working correctly. That...

OK, a quick one to finish up. When you add a reference to a "private" (non-GACed) assembly to a VSTO project, you'll need to grant it trust if it needs more than basic Execution permission. But where to grant trust? Some background information for...

Earlier today, JArnold wrote a blog entry that looked at an instance-based constructor hack that is similar (in an opposite kind of way) to my earlier post on class constructors . Whilst JArnold's blog is 100% correct, there's an important distinction...

Yesterday I blogged about a bug that you could exploit in JScript .NET, and the other day I made a comment on Eric's blog about compiler-enforced rules versus runtime-enforced rules. Here's a quick story about one such rule that we fixed before the CLR...

Eric has recently done a series on script security, and one of the things he very briefly mentions is how you can use GetObject with a moniker to get an instance of an object. This reminds me of one of the "cool" bugs we found before the first version...

The new Bagel Virus takes the cake. ( Update : Also known as Beagle, Bagle, etc.) It comes as an EXE attachment (which would be blocked by all current versions of Outlook and Outlook Express) with the subject "Test" and the message body "Test, yep...

There's an article about VSTO at SD Times . One of the things they point out is that VSTO is the first Microsoft developer product that really enforces a strong security policy , and that this is the way of the future (think Longhorn). The author also...

I received an e-mail from a customer referencing this newsgroup post and asking two questions about virtual methods and inheritance: 1. Why does it work like this? 2. What's the 'security' implication? Funnily enough, I just read...

This will hopefully start a mini-series on some thoughts around security. I don't know if they'll be daily, weekly, or neverly, but we'll see. These days, everyone seems focused on preventing attacks on software -- predominantly through the use...

If you've tried out VSTO (and you should :-) ) then you may have noticed that Word has both Document and Template projects whilst Excel has only a Workbook project. If you were thinking that the reason was because Excel was naughty but Word was nice,...

Over at IBM, there's a series on secure programming . It's mainly focused on Linux, but you can apply most things to Windows as well. Thanks to Slashdot for that one. I just discovered (yeah, I'm slow) they also have an RSS feed . Yahoo!

A quick post this time (I promise!) Pop Quiz, hotshot. What's more secure: (i) a wet paper bag holding a couple of stale tic-tacs (site requires Flash); or (ii) an industrial-strength safe holding $1M in diamonds? Is security a property...

Browser-based encryption...

All software has bugs, but some are better than others....

Black text on a black background considered harmful...

How we 'remove' My Computer Zone...

Michael Howard let loose on the net!...

A cure for insomnia?...