Spot the Bug!

Do you think you have the skills to find security vulnerabilities before they find you? See if you can Spot the Bug!

  • Spot the Bug!

    Nice weather!

    • 0 Comments
    Well, we are finally starting to see some nice weather in Seattle! I don't know if there is a better place to be on a sunny day!
  • Spot the Bug!

    Microsoft Threat Analysis & Modeling v2.0

    • 0 Comments
    BETA2 of Microsoft Threat Analysis & Modeling v2.0 (formerly codenamed “ACE Torpedo”) is now available for download here. Check out this blog for more info: http://blogs.msdn.com/threatmodeling/ For those of you that haven't downloaded...
  • Spot the Bug!

    Spot the Bug - March 13, 2006

    • 25 Comments
    It seems like more and more developers are making security mistakes when dealing with sockets. See if you can Spot the Bug. void Socket_Setup(void) { WORD wVersionRequested; WSADATA wsaData; wVersionRequested = MAKEWORD( 2, 2 ); ::WSAStartup(wVersionRequested...
  • Spot the Bug!

    Spot the Bug - Feb 2, 2006

    • 6 Comments
    Great discussion on the last bug. For those of you that took a look at it, it dealt with insecure use of cryptography resulting in exposure to dictionary attacks. Here's a new one: class CDatabase { private: HANDLE m_hwndMutex; public: void InitDBConnection...
  • Spot the Bug!

    Spot the Bug - Jan 5, 2006

    • 23 Comments
    Wow, we had great feedback on the last bug. Someone emailed me and said that the biggest bug was the blue font on the black background. :) Here is another fun bug - Courtesy of Neelay Shah, Consultant, Foundstone class CUserManager { public: void CreateLogin...
  • Spot the Bug!

    1 inch of snow equals 100% panic!

    • 18 Comments
    For those of you that don't know, Seattle doesn't typically get snow. Sure, it snows in the mountains and keeps us snowboarders and skiers happy, but the city is fairly mild. It actually snowed today in Seattle, Redmond, and surrounding cities, and people...
  • Spot the Bug!

    Spot the Bug - November 28, 2005

    • 17 Comments
    Some people commented that the last bug was too easy, and it was, but buffer overruns are still common enough that I wanted to send the point home. This one is a bit more challenging. Courtesy of Neelay Shah, Consultant, Foundstone void Socket_Setup(...
  • Spot the Bug!

    Spot the Bug - October 24, 2005

    • 14 Comments
    It has been a while since the last bug was up. We certainly had some great discussion around it. I will try to get more bugs up on the site on a regular basis to keep everyone on their toes at all times :-) Courtesy of Neelay Shah, Consultant (Foundstone...
  • Spot the Bug!

    Spot the Bug - August 31, 2005

    • 15 Comments
    It's been a little while since we've had a new bug up. We had some good feedback on the last one. Here is a shorter one: Courtesy of Shanit Gupta, Consultant (Foundstone) try { ElevatePrivilege(); ReadSecretFile(); LowerPrivilege(); } catch(FileException...
  • Spot the Bug!

    Spot the Bug - August 16, 2005

    • 9 Comments
    If you haven't taken a look at the solution to the last bug, please do so. There were 4 bugs in that short chunk of code -- all of which are found in Visual Studio 2005! One is issued as a compiler warning and the other 3 are found by PREfast. Here...
  • Spot the Bug!

    Spot the Bug - August 14, 2005

    • 9 Comments
    I created this bug a couple of weeks ago for a conference I spoke at to illustrate how so few lines of code could be so buggy. Where's the bug here? char dest[50], src[100]; int x, y; if (x=1) { strcpy(dest,src); dest[50] = '\0'; } return y;...
  • Spot the Bug!

    Spot the Bug - August 4, 2005

    • 5 Comments
    I think the last bug stumped a few people. Can you find the security vulnerability in this one? Courtesy of Neelay Shah, Consultant, Foundstone #define STD_HASH_LEN 11 #define MAX_HASH_LEN 31 char * strPassHash = (char*)malloc(sizeof(char)*STD_HASH_LEN...
  • Spot the Bug!

    Spot the Bug - July 27, 2005

    • 2 Comments
    Alright all, here is the next bug. This one is courtesy of Mike Howard. __declspec(noinline) void * AllocBlocks(size_t cBlocks) { // allocating no blocks is an error if (cBlocks == 0) return NULL; // Allocate enough memory // Upcast the...
  • Spot the Bug!

    Escape Yesterworld - funny!

    • 1 Comments
    If you have a few minutes, check this out. It is hilarious!!! www.escapeYESTERWORLD.com
  • Spot the Bug!

    Spot the Bug - July 23, 2005

    • 11 Comments
    The first bug was just a warm-up and people were asking for a more difficult bug. What's wrong with this chunk of code, and better yet, how do you fix it? Courtesy of Shanit Gupta, Consultant, Foundstone private HttpCookie SessionIdentifier () { HttpCookie...
  • Spot the Bug!

    Spot the Bug - July 18, 2005

    • 18 Comments
    Alright all - here is the bug for July 18. This should be an easy one to find. Any takers? :-) #define MAX (50) char szDest[MAX]; strncpy(szDest,pszSrc,MAX); pszDest[MAX] = '\0'; Solution: Nice job on this one, everyone! As most of you found...
  • Spot the Bug!

    Spot the Bug - July 5, 2005

    • 1 Comments
    We are launching a new section to the MSDN Developer Security Center called Spot the Bug. This allows you to see if you have what it takes to find a security vulnerability. This will be up on the MSDN Security Developer Center shortly, but in the meantime...
  • Spot the Bug!

    Security Development Lifecycle (SDL) document is now live!!!

    • 0 Comments
    This document outlines the security-related process improvements we have put in place at Microsoft. http://msdn.microsoft.com/security/sdl
  • Spot the Bug!

    if (Technology=1 && Outdoors=1) {is_person_cool_in_my_books=1;}

    • 3 Comments
    I spoke with Don Kiely today, who will be my partner in crime at TechEd in discussing Whidbey Security Enhancements. One of the first things that I found out is that we went to college a couple of hours away. Shortly after insulting each other and saying...
  • Spot the Bug!

    Want to make sure your application runs great on the .NET Framework 2.0? Let us test it!

    • 2 Comments
    Check out Jay's latest blog entry. I think this is a great opportunity for companies who want to make sure their application runs well on the .NET Framework 2.0. This way we can ensure we have logged any bugs that might crop up when you migrate your...
  • Spot the Bug!

    Welcome to Sunny Seattle! Huh?

    • 6 Comments
    I moved to Seattle not too long ago. I heard stories of the constant rain and dreary days. Needless to say, this has been all but a typical winter. In fact, this is one of the worst winters in history in Seattle (worst in the sense of almost no snow)...
  • Spot the Bug!

    eWeek - Getting a Head Start on App Security

    • 0 Comments
    Getting a Head Start on App Security, December 7, 2004. With security on the minds of IT managers more than ever, some companies are addressing the issue even before applications...
  • Spot the Bug!

    Writing Secure Applications using Least Privileges

    • 1 Comments
    Microsoft Recommended Best Practice: Microsoft encourages developers, as a best practice, to write their applications to execute with the least privileges needed to get the job done. The reason for doing this is quite simple – if an attacker creates a security...