Eugene Siu's Thoughts on Security

Share my latest security research and techniques

Part 1 of this installment discussed the unsafe nature of MultiByteToWideChar and...

Date: 11/15/2008

There are a few well-known unsafe APIs in the standard C library, such as strcpy and memcpy. ...

Date: 11/06/2008

What are your favorite security blogs or podcasts?  Here are mine.  Please leave yours in...

Date: 10/23/2008

Out of Band security patch MS08-067 is released today.  Microsoft strives to keep our monthly...

Date: 10/23/2008

Every second Tuesday, MSRC releases security patches for Microsoft...

Date: 10/15/2008

<script>alert()</script>

Date: 03/25/2008

I had a very strange networking issue last weekend. After connecting to corpnet via VPN and direct...

Date: 11/05/2007

As a security guy, I can safely say that there is no magic bullet to mitigate any security problems...

Date: 10/19/2007

If you chuckle at this comic strip, congratulations! You are a security geek. If you don't chuckle,...

Date: 10/11/2007

"Given enough eyeballs all bugs are shallow." I do agree if more right-minded folks look at a piece...

Date: 10/11/2007

Phishing attacks can be caused by users inadvertently clicking on malicious links in emails or web...

Date: 10/10/2007

I have just published a Technet article. This is geared for administrators and developers as an...

Date: 10/10/2007

Microsoft will open up source code of .Net Framework to the public. It allows outsiders to review...

Date: 10/04/2007

Working for Microsoft means that I become de facto technical support for my friends and family. That...

Date: 09/26/2007

HTTP Response Splitting was discovered several years ago. It allows attackers to split an HTTP...

Date: 09/23/2007

This is a well hidden trick in Outlook. Not sure why this needs to be hidden. You can open...

Date: 09/23/2007

I have submitted an article proposal to MSDN to write about Silverlight security with my buddy in...

Date: 09/21/2007

I work for the ACE team, and want to cross-post from https://blogs.msdn.com/esiu to...

Date: 09/20/2007

I was browsing IE blog articles to get research ideas. I came across IE Developer Toolbar, and...

Date: 09/19/2007

Exchange 2007 RPC interfaces have retired support of various legacy RPC bindings, including...

Date: 05/08/2007

I have read many articles about the benefits of using passphrases in contrast to passwords. For more...

Date: 05/08/2007

A distribution list is used for grouping users together, and emails can be sent to all members...

Date: 04/30/2007

Most folks know that cross-site scripting (XSS) bugs can be used to steal logon cookies, as this...

Date: 02/22/2007

I like the idea behind Extended Validation Cert a lot. It is designed to combat phishing problems....

Date: 02/09/2007

You may wonder why OWA 2007 shows cert warnings by default on most browsers. At the back of your...

Date: 02/03/2007

Set-IPBlockListProvider -Name "Spamhaus Example" -Identity sbl-xbl.spamhaus.org -AnyMatch:$true If...

Date: 01/29/2007

Running a service as Local System is bad because it has powerful access to local resources, and...

Date: 07/19/2005

I find some well-written documentation on NTLM/Kerberos and Constrained Delegation in W2k3 to share...

Date: 03/09/2005

The concept of LDAP injection is similar to SQL injection, except that the target is Active...

Date: 03/09/2005

It is inconvenient that I cannot open Date and Time Properties as non-admin. Non-admins should not...

Date: 02/10/2005

After hearing from many that Power Users are still admin, I have converted myself to a regular user....

Date: 01/26/2005

As security testers, we need to ensure that our product works under minimal privilege. Yes, test...

Date: 01/19/2005

When I right-clicked on IE 6 to save a JPG file, the Save Picture dialog box shows BMP as the only...

Date: 12/29/2004

ASP applications are protected, but what happens to non-ASP requests? Currently, there is no...

Date: 11/18/2004

You should check out err.exe available from...

Date: 11/10/2004

Remembering today's date is not my forte. In order to set up an appointment/meeting for tomorrow, I...

Date: 11/10/2004