October 2007 - Posts

ASP.NET ValidateRequest does not mitigate XSS completely

As a security guy, I can safely say that there is no magic bullet to mitigate any security problems completely, and cross-site scripting(XSS) bugs are not exceptions. Since ASP.NET 1.1, ValidateRequest can be configured in web.config to check and reject Read More...

Posted 19 October 07 02:26 by esiu | 5 Comments   
Filed under IIS, Security

Read Office Files as ZIP

It is interesting to me that Office 2007 Metro formats can be broken down as a ZIP file. To see this in action, you can pick an Office 2007 Metro file, such as XLSX and DOCX, and rename its extension with ZIP. Then open the renamed file with WINZIP. You Read More...

Posted 19 October 07 12:33 by esiu | 1 Comments   
Filed under Infoworker Productivity

Is Microsoft Office Isolated Conversion Environment(MOICE) mocha on ice?

MOICE may sound like mocha on ice, but it is really a strong dark espresso shot offered by Office TWC team to jolt up security. Microsoft Office Isolated Conversion Environment (MOICE) is a new security tool that helps protect Office users from malicious Read More...

Posted 19 October 07 11:49 by esiu | 2 Comments   
Filed under Security

True test of a security geek

If you chuckle at this comic strip, congratulations! You are a security geek. If you don't chuckle, it is never too late to become one. Read my blog more, and you will become one. Thanks TechJunkie for forwarding. Read More...

Posted 11 October 07 01:18 by esiu | 2 Comments   
Filed under Security

Given enough eyeballs all bugs are shallow: True or False?

"Given enough eyeballs all bugs are shallow." I do agree if more right-minded folks look at a piece of code, it would help identify both security and non-security bugs. This premise is built on the assumption that all reviewers have the best intentions Read More...

Posted 11 October 07 12:18 by esiu | 2 Comments   

System.URI.AbsolutePath Vs Phishing Attack

Phishing attack can be caused by users inadvertently clicking on malicious links in emails or web pages, which then forward requests to malicious websites. A common phishing technique is to fake emails sent by well-known banks or merchants,, which contain Read More...

Posted 10 October 07 08:09 by esiu | 2 Comments   
Filed under Security

Web Service Security Guidance

I have just published a Technet article. This is geared for administrators and developers as an introduction to web service security. It contains lots of references that allow you to deepend your knowledge of web service security. Please visit http://www.microsoft.com/technet/community/columns/sectip/st1007.mspx Read More...

Posted 10 October 07 04:56 by esiu | 3 Comments   
Filed under Security

More eyeballs for .Net Framework code

Microsoft will open up source code of .Net Framework to the public. It allows outsiders to review what is under the hood, and enables easier debugging of development projects around .Net Framework. .Net Framework code has been reviewed heavily, and developers Read More...

Posted 04 October 07 07:49 by esiu | 2 Comments   
Filed under Developer Productivity

Search

This Blog

• Home
• About
• Email

Tags

• <script>alert()</script>
• Developer Productivity
• Exchange server
• IIS
• Infoworker Productivity
• Mobile Phone
• Security

Archives

• November 2008 (2)
• October 2008 (3)
• March 2008 (1)
• November 2007 (1)
• October 2007 (8)
• September 2007 (6)
• May 2007 (2)
• April 2007 (1)
• March 2007 (1)
• February 2007 (3)
• January 2007 (2)
• July 2005 (1)
• March 2005 (2)
• February 2005 (1)
• January 2005 (2)
• December 2004 (1)
• November 2004 (3)

ACE Team

• ACE Team

Syndication

• RSS 2.0
• Atom 1.0