Web security and beyond...
My blog has moved to randomdross.blogspot.com. Please update your RSS readers, etc.
Date: 08/04/2014
Over the past six months or so I’ve been looking at hyperlink spoofing threats as a bit of a...
Date: 04/26/2012
I’ve seen MS10-002 pop up a few times in discussion recently. This is a reference to the...
Date: 04/25/2012
Arcane design decisions can have subtle but important effects on the characteristics of a security...
Date: 12/20/2011
Reduced attack surface in Standards Mode is a good step forward for XSS-Focused Attack Surface...
Date: 06/30/2011
Have you ever heard someone ask “Do we need to fuzz this?” This question comes up quite...
Date: 09/03/2010
On the 16th of January, 2000, the following names were suggested and bounced around among a small...
Date: 12/15/2009
RSnake and Dan Kaminsky have been talking about session fixation via DNS Rebinding. As you may...
Date: 11/17/2009
One of the things I have taken from the IE XSS Filter project is a healthy fear of legacy character...
Date: 11/03/2009
Credit goes to Alex "Kuza55" Kouzemtchenko for identifying a weakness in the XSS Filter OBJECT tag...
Date: 05/28/2009
I've posted a two-part FAQ addressing security considerations for apps that host MSHTML. Check it...
Date: 04/06/2009
Chris Weber's Watcher:...
Date: 03/25/2009
www.microsoft.com/ie What are you waiting for? Go get it!
Date: 03/19/2009
I've just posted detail up on the SVRD Blog about some improvements and bug fixes to the XSS Filter...
Date: 01/30/2009
Recently I got Martin Johns connected with Helen Wang's group in Microsoft Research. Check out...
Date: 01/14/2009
Giorgio Maone's new ABE project looks pretty cool. Exposing the loose and often unnecessary...
Date: 12/20/2008
Björn Engelmann, Joachim Posegga, and LocalRodeo developer Martin Johns have authored an excellent...
Date: 09/30/2008
If you haven’t already seen, Internet Explorer 8 Beta 2 is out – go get it! Now is a good time to...
Date: 08/29/2008
I've just posted some detail on the Internet Explorer 8 XSS Filter Architecture / Implementation...
Date: 08/19/2008
It's great to see some positive reaction to the potential of our XSS Filter. Now we just need to...
Date: 07/04/2008
IE has announced the new XSS Filter feature which will debut in IE8 Beta 2! Stay tuned to my blog in...
Date: 07/02/2008
My team (SWI React) is hiring for a lead position. Details: Job Title: Lead Software Development...
Date: 05/17/2008
All web browsers expose what have been referred to as XSS “attack vectors” – various techniques that...
Date: 03/10/2008
Check out my ActiveX Kill-Bit FAQ which is now being posted to the SVRD blog. There are three parts,...
Date: 02/06/2008
My team now has a blog! blogs.technet.com/swi/ I'll be contributing to the team blog in the...
Date: 12/27/2007
The standard IFRAME-based isolation technique for web apps is starting to show its age. We need...
Date: 09/12/2007
Cross-domain (or “Universal XSS”) vulnerabilities have long plagued modern script-enabled web...
Date: 08/22/2007
A group at Stanford has been researching these issues and recently published Protecting Browsers...
Date: 08/03/2007
Christian Matthies has an excellent writeup on DNS Pinning (with diagrams!) If you're tuned into web...
Date: 07/09/2007
Michael Howard and I have written up some guidance on how to develop secure Vista Sidebar Gadgets:...
Date: 06/26/2007
Mark Wodrich forwarded me this Websense blog post describing how to use a standalone Javascript...
Date: 12/08/2006
Be on the lookout for these two VBScript statements that can be used to achieve the same effect as...
Date: 11/16/2006
Thanks to Jonathan Ness for pointing me to an example of a new obfuscation technique that attempts...
Date: 10/05/2006
Here’s another new obfuscation technique I’ve seen in use on malicious web sites recently. Check out...
Date: 10/01/2006
Wow, it’s been a long time! Hopefully I can find more time to blog over the next couple of months. In...
Date: 09/28/2006
I've written up a paper that describes some useful tools/techniques for deconstructing web based...
Date: 06/13/2005
Hi! I'm David Ross and this is my work blog. As an engineer on the Microsoft Secure Windows...
Date: 06/11/2005