
random dross

Web security and beyond...

My blog has moved to randomdross.blogspot.com. Please update your RSS readers, etc.

Date: 08/04/2014

Over the past six months or so I’ve been looking at hyperlink spoofing threats as a bit of a...

Date: 04/26/2012

I’ve seen MS10-002 pop up a few times in discussion recently. This is a reference to the...

Date: 04/25/2012

Arcane design decisions can have subtle but important effects on the characteristics of a security...

Date: 12/20/2011

Reduced attack surface in Standards Mode is a good step forward for XSS-Focused Attack Surface...

Date: 06/30/2011

Have you ever heard someone ask “Do we need to fuzz this?” This question comes up quite...

Date: 09/03/2010

On the 16th of January, 2000, the following names were suggested and bounced around among a small...

Date: 12/15/2009

RSnake and Dan Kaminsky have been talking about session fixation via DNS Rebinding. As you may...

Date: 11/17/2009

One of the things I have taken from the IE XSS Filter project is a healthy fear of legacy character...

Date: 11/03/2009

Credit goes to Alex "Kuza55" Kouzemtchenko for identifying a weakness in the XSS Filter OBJECT tag...

Date: 05/28/2009

I've posted a two-part FAQ addressing security considerations for apps that host MSHTML. Check it...

Date: 04/06/2009

Chris Weber's Watcher:...

Date: 03/25/2009

www.microsoft.com/ie What are you waiting for? Go get it!

Date: 03/19/2009

I've just posted detail up on the SVRD Blog about some improvements and bug fixes to the XSS Filter...

Date: 01/30/2009

Recently I got Martin Johns connected with Helen Wang's group in Microsoft Research. Check out...

Date: 01/14/2009

Giorgio Maone's new ABE project looks pretty cool. Exposing the loose and often unnecessary...

Date: 12/20/2008

Björn Engelmann, Joachim Posegga, and LocalRodeo developer Martin Johns have authored an excellent...

Date: 09/30/2008

If you haven’t already seen, Internet Explorer 8 Beta 2 is out – go get it! Now is a good time to...

Date: 08/29/2008

I've just posted some detail on the Internet Explorer 8 XSS Filter Architecture / Implementation...

Date: 08/19/2008

It's great to see some positive reaction to the potential of our XSS Filter. Now we just need to...

Date: 07/04/2008

IE has announced the new XSS Filter feature which will debut in IE8 Beta 2! Stay tuned to my blog in...

Date: 07/02/2008

My team (SWI React) is hiring for a lead position. Details: Job Title: Lead Software Development...

Date: 05/17/2008

All web browsers expose what have been referred to as XSS “attack vectors” – various techniques that...

Date: 03/10/2008

Check out my ActiveX Kill-Bit FAQ which is now being posted to the SVRD blog. There are three parts,...

Date: 02/06/2008

My team now has a blog! blogs.technet.com/swi/ I'll be contributing to the team blog in the...

Date: 12/27/2007

The standard IFRAME-based isolation technique for web apps is starting to show its age. We need...

Date: 09/12/2007

Cross-domain (or “Universal XSS”) vulnerabilities have long plagued modern script-enabled web...

Date: 08/22/2007

A group at Stanford has been researching these issues and recently published Protecting Browsers...

Date: 08/03/2007

Christian Matthies has an excellent writeup on DNS Pinning (with diagrams!) If you're tuned into web...

Date: 07/09/2007

Michael Howard and I have written up some guidance on how to develop secure Vista Sidebar Gadgets:...

Date: 06/26/2007

Mark Wodrich forwarded me this Websense blog post describing how to use a standalone Javascript...

Date: 12/08/2006

Be on the lookout for these two VBScript statements that can be used to achieve the same effect as...

Date: 11/16/2006

Thanks to Jonathan Ness for pointing me to an example of a new obfuscation technique that attempts...

Date: 10/05/2006

Here’s another new obfuscation technique I’ve seen in use on malicious web sites recently. Check out...

Date: 10/01/2006

Wow, it’s been a long time! Hopefully I can find more time to blog over the next couple of months. In...

Date: 09/28/2006

I've written up a paper that describes some useful tools/techniques for deconstructing web based...

Date: 06/13/2005

Hi! I'm David Ross and this is my work blog. As an engineer on the Microsoft Secure Windows...

Date: 06/11/2005