Before We Had MSRC
Just ran into a post by Gene Schultz - http://blog.emagined.com/2009/07/21/trouble-brewing-in-the-cloud/ - I first ran into Gene when I worked back at ISS – interesting guy. I think we share some of the same concerns about the security of moving things Read More...
Office 2007 SP2 Encryption Settings
Now that we've actually shipped SP2, some of you may be curious about how to use the shiny new encryption. Here are the registry settings: Registry keys Base keys (also corresponding Policy keys) HKCU\Software\Microsoft\Office\12.0\<appname>\Security\Crypto Read More...
Posted 20 May 09 08:41 by david_leblanc | 1 Comments   
Legacy RC4 Example on Codeplex
Just a quick note on this – a customer had a question about the old RC4 40-bit encryption yesterday, and this prodded me into taking some memory dumps of intermediate steps and figuring out where my own example code wasn't working. Fortunately, it wasn't Read More...
MS-Offcrypto Example Update
Just a quick note that I've updated the examples. I added an example for the CAPI RC4 encryption that does work. Along the way, I got smarter about managed C++ and C# interop, which turned out to be a bit of an adventure. I didn't find the documentation Read More...
MS-Offcrypto Examples
In response to some questions I've gotten about details of MS-OFFCRYPTO, I've created a CodePlex project to contain sample code demonstrating the documentation. You can find it at http://www.codeplex.com/offcrypto . I had originally wanted to include Read More...
CVE Count and Statistics
Larry Seltzer had some interesting comments on my post about the rate of Office vulnerabilities at Vulnerabilities and Office Versions: "There may be a little flaw in the analysis in that LeBlanc studied reports during the period from 9/18/2007 to 11/17/2008." Read More...
Office Crypto KDF Details
I've gotten a couple of questions asking how our key derivation function works. The technique is very similar to that described in RFC 2898, also known as PKCS #5. There are two key derivation functions (KDF) documented in this RFC – PBKDF1 and PBKDF2. Read More...
New, Improved Office Crypto
If you're enough of an Office crypto geek to stay on top of the most recent changes in MS-OFFCRYPTO, you already know about some of this, but my assumption is that most people aren't going to want to parse something that hard to read. What we're doing Read More...
SafeInt Compiles on gcc!
[update 12-1-08] I now have it completely compiling on gcc, with a test harness that exercises every method of the class for every combination of types (all 15 of them). Version 3.0.12p is now moved to release status. Once I got SafeInt posted on CodePlex, Read More...
Improvements in Office Security
We now have a pretty neat internal web site where I can easily search for CVE entries and bulletin counts by product. It shows some interesting trends that I hope will continue to hold. First, let me preface this by saying that CVE entry count is a better Read More...
MS-OFFCRYPTO, W7 Engineering blog, etc
We have a new version of MS-OFFCRYPTO out. The big change is that how CryptDeriveKey was documented on MSDN was incorrect; we copied it, which made our document also incorrect. As it turns out, CryptDeriveKey always uses the same code path for AES as Read More...
SafeInt 3 on CodePlex!
I have finally found a stable place to keep SafeInt. It can now be found at http://www.codeplex.com/SafeInt . In terms of the code, this is exactly the same stuff as we're using internally. This version is documented a little better than the master copy Read More...
Chrome Getting a Bit Rusty
Put this one in the rant category – I'm honored that Google has been paying attention to my blog and decided to use my sandboxing approach to try and make their app more secure. Very cool stuff, and they did some interesting things that I want to better Read More...
Why can't you comment?
This is because $#@!!!! spammers can screw up anything. I have to disallow anonymous comments, or I get a bazillion blog spam comments, I check comments a week later, and there's 200 of these that I can only delete 10-20 at a time. Annoying to say the Read More...
Posted 08 September 08 06:08 by david_leblanc | 0 Comments   
Ptrdiff_t is evil
Well, not really, but here's a code problem that confounded some really smart devs – and it looks so simple! void IncPtr( unsigned int cElements ) { if( m_pMax - m_pCurrent > cElements ) m_pCurrent += cElements; else throw; } OK, so here's the question Read More...