Eugene Siu's Thoughts on Security
Share my latest security research and techniques
(In)Security of MultiByteToWideChar and WideCharToMultiByte (Part 2)
Part 1 of this series discussed the unsafe nature of MultiByteToWideChar and WideCharToMultiByte: neither guarantees that the output string is null-terminated. In this installment, I want to focus on the count parameters. There are three
(In)Security of MultiByteToWideChar and WideCharToMultiByte (Part 1)
There are a few well-known unsafe APIs in the standard C library, such as strcpy and memcpy. These routines are unsafe because the size of the destination buffer is never checked against the amount of data written into it. Buffer overflows may take place because destination
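An added example, not code from the post, of the two pitfalls these parts describe: an output that is not null-terminated when the count passed excludes the source terminator, and a count that is mistaken for a byte size. The Win32 functions are unavailable outside Windows, so the example uses the standard C mbstowcs, whose contract is the same in the respects that matter: the count is a number of wide characters, not bytes, and if the source NUL is not reached within that count no terminator is written. The widen_* and demo_* names and the 16-slot buffers are my own, chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* 1 if dst contains a NUL within its first cap wide characters, else 0. */
static int is_terminated(const wchar_t *dst, size_t cap)
{
    for (size_t i = 0; i < cap; i++)
        if (dst[i] == L'\0')
            return 1;
    return 0;
}

/* Unsafe pattern (Part 1): the count is the source length without its NUL,
 * the mbstowcs analogue of MultiByteToWideChar(..., src, strlen(src), ...).
 * Exactly strlen(src) characters are converted and no terminator is written,
 * so dst is not a valid string afterwards. Returns the count converted. */
size_t widen_unterminated(wchar_t *dst, size_t cap_wchars, const char *src)
{
    size_t len = strlen(src);
    if (len > cap_wchars)
        return (size_t)-1;            /* guard so the demo itself cannot overrun dst */
    for (size_t i = 0; i < cap_wchars; i++)
        dst[i] = L'X';                /* sentinel fill: a missing NUL is now visible */
    return mbstowcs(dst, src, len);   /* writes len wide chars, never the NUL */
}

/* Hardened wrapper (my own). cap_wchars is a count of wide characters, not
 * bytes (Part 2's count-parameter point): pass sizeof buf / sizeof buf[0],
 * never sizeof buf, which would claim a buffer sizeof(wchar_t) times too big.
 * Returns the length written (without NUL), or -1 having written nothing. */
int widen_safe(wchar_t *dst, size_t cap_wchars, const char *src)
{
    if (dst == NULL || src == NULL || cap_wchars == 0)
        return -1;
    size_t need = mbstowcs(NULL, src, 0);   /* sizing call, like cchWideChar = 0 */
    if (need == (size_t)-1)
        return -1;                          /* invalid multibyte sequence */
    if (need + 1 > cap_wchars)
        return -1;                          /* refuse to truncate silently */
    if (mbstowcs(dst, src, cap_wchars) != need)
        return -1;
    dst[need] = L'\0';                      /* we guarantee the terminator ourselves */
    return (int)need;
}

/* Demo helper: 1 if the unsafe call converted all of src yet left dst
 * without a terminator. Uses a 16-wchar stack buffer (constructed). */
int demo_unsafe_is_unterminated(const char *src)
{
    wchar_t buf[16];
    size_t cap = sizeof buf / sizeof buf[0];
    size_t n = widen_unterminated(buf, cap, src);
    return n == strlen(src) && !is_terminated(buf, cap);
}

/* Demo helper: widen_safe's return value after verifying dst really is a
 * terminated string of that length; -2 if cap exceeds the demo buffer,
 * -3 if the wrapper reported success but the string is not as claimed. */
int demo_safe(const char *src, size_t cap_wchars)
{
    wchar_t buf[16];
    if (cap_wchars > sizeof buf / sizeof buf[0])
        return -2;
    int r = widen_safe(buf, cap_wchars, src);
    if (r < 0)
        return r;
    return (is_terminated(buf, cap_wchars) && wcslen(buf) == (size_t)r) ? r : -3;
}

int main(void)
{
    printf("unsafe call leaves \"abc\" unterminated: %d\n", demo_unsafe_is_unterminated("abc"));
    printf("safe call, fits (\"abcdefg\", cap 8): %d\n", demo_safe("abcdefg", 8));
    printf("safe call, would truncate (\"abcdefgh\", cap 8): %d\n", demo_safe("abcdefgh", 8));
    return 0;
}
```

The sizing call followed by the real call is the same two-call pattern used with cchWideChar = 0 on Windows; the wrapper refuses rather than truncates, because a silently shortened path or account name is exactly the kind of input a later check is likely to misjudge.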
My favorite security blogs and podcasts
What are your favorite security blogs or podcasts? Here are mine. Please leave yours in the comment section. Podcasts: Security Now (http://www.grc.com/securitynow.htm), CNet Security Bites (http://securitybites.cnet.com). Blogs: Schneier
“Out of Band” security patch MS08-067
The out-of-band security patch MS08-067 was released today. Microsoft strives to keep to our monthly Patch Tuesday release cycle so that enterprise administrators can plan their testing and deployment ahead of time. When a patch is released out of band, it must
What is unique about patch Tuesday of October 2008?
Every second Tuesday, MSRC releases security patches that fix vulnerabilities in Microsoft products. The best case is a Patch Tuesday with no patches at all, so that administrators can take a break from installing patches
ASP.NET ValidateRequest does not mitigate XSS completely
As a security guy, I can safely say that there is no magic bullet that mitigates any security problem completely, and cross-site scripting (XSS) bugs are no exception. Since ASP.NET 1.1, ValidateRequest can be configured in web.config to check and reject
Is Microsoft Office Isolated Conversion Environment(MOICE) mocha on ice?
MOICE may sound like mocha on ice, but it is really a strong, dark espresso shot offered by the Office TWC team to jolt up security. Microsoft Office Isolated Conversion Environment (MOICE) is a new security tool that helps protect Office users from malicious
True test of a security geek
If you chuckle at this comic strip, congratulations! You are a security geek. If you don't chuckle, it is never too late to become one. Read my blog more, and you will become one. Thanks to TechJunkie for forwarding.
System.URI.AbsolutePath Vs Phishing Attack
Phishing attacks are caused by users inadvertently clicking malicious links in emails or web pages, which then forward requests to malicious websites. A common phishing technique is to fake emails from well-known banks or merchants, which contain
Web Service Security Guidance
I have just published a TechNet article. It is geared toward administrators and developers as an introduction to web service security. It contains lots of references that allow you to deepen your knowledge of web service security. Please visit http://www.microsoft.com/technet/community/columns/sectip/st1007.mspx
Anti-Malware and Spyware help for home users
Working for Microsoft means that I become the de facto technical support for my friends and family. That is probably the experience of many folks in the computer industry. When I introduce my job title as "senior security consultant" to friends and family,
HTTP Header Injection Vulnerabilities
HTTP Response Splitting was discovered several years ago. It allows an attacker to split an HTTP response into multiple responses by injecting malicious HTTP response headers. This attack can deface web sites, poison caches and trigger cross-site scripting. Rather
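An added example, not code from the post, of the split the teaser describes: a redirect whose Location header is built from a request parameter. The vulnerable builder copies the value verbatim, so a CR LF CR LF inside it ends the first response and starts a second one; the hardened builder rejects any control byte in a header value. The function names, the 256-byte buffer and the two target strings are my own constructions; the injected target is shown already URL-decoded (%0d%0a having become a real CR LF).

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable: the attacker-controlled target (e.g. a ?returnUrl= parameter,
 * already URL-decoded) is copied verbatim into a response header.
 * Returns the bytes written, or -1 if the buffer was too small. */
int build_redirect_unsafe(char *out, size_t cap, const char *target)
{
    int n = snprintf(out, cap, "HTTP/1.1 302 Found\r\nLocation: %s\r\n\r\n", target);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Header values may not contain CR, LF or any other control byte. */
int header_value_is_clean(const char *v)
{
    for (; *v; v++) {
        unsigned char c = (unsigned char)*v;
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Hardened: reject the value outright rather than try to repair it. */
int build_redirect_safe(char *out, size_t cap, const char *target)
{
    if (!header_value_is_clean(target))
        return -1;
    return build_redirect_unsafe(out, cap, target);
}

/* Count status lines ("HTTP/1." at the start of the buffer or of a line):
 * one response has exactly one; a split response has two or more. */
int count_status_lines(const char *resp)
{
    int count = 0;
    const char *p = resp;
    while ((p = strstr(p, "HTTP/1.")) != NULL) {
        if (p == resp || (p - resp >= 2 && p[-2] == '\r' && p[-1] == '\n'))
            count++;
        p += 7;
    }
    return count;
}

/* Demo wrappers (constructed): build the redirect into a 256-byte buffer
 * and report how many responses resulted; -1 means the builder refused
 * the value or ran out of room. */
int split_count_unsafe(const char *target)
{
    char resp[256];
    if (build_redirect_unsafe(resp, sizeof resp, target) < 0)
        return -1;
    return count_status_lines(resp);
}

int split_count_safe(const char *target)
{
    char resp[256];
    if (build_redirect_safe(resp, sizeof resp, target) < 0)
        return -1;
    return count_status_lines(resp);
}

/* Constructed inputs. The split target ends the redirect early and supplies
 * a complete second response that a proxy may cache for the next request. */
static const char *const BENIGN_TARGET = "http://example.com/login";
static const char *const SPLIT_TARGET =
    "http://example.com/\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Length: 17\r\n\r\n"
    "<html>evil</html>";

int main(void)
{
    printf("benign target, unsafe builder: %d response(s)\n", split_count_unsafe(BENIGN_TARGET));
    printf("split target,  unsafe builder: %d response(s)\n", split_count_unsafe(SPLIT_TARGET));
    printf("split target,  safe builder:   %d (rejected)\n", split_count_safe(SPLIT_TARGET));
    return 0;
}
```

Rejecting is preferable to stripping the CR LF: a stripped value still reaches the header with whatever else the attacker packed around it, and a validation failure is easier to log and alert on than a quietly repaired one.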
IE Developer Toolbar helps me hack
I was browsing IE blog articles to get research ideas. I came across the IE Developer Toolbar and decided to play with it. I was checking out different options, and it impressed me as a good web client developer tool, as it offers a breakdown of HTML elements,
Exchange 2007 RPC interfaces are locked down
Exchange 2007 RPC interfaces have retired support for various legacy RPC bindings, including AppleTalk, SPX and Banyan Vines. This exemplifies the philosophy of reducing attack surface in the design of Exchange 2007.
My first passphrase
I have read many articles about the benefits of using passphrases in contrast to passwords. For more details, you can read http://blogs.technet.com/robert_hensing/archive/2004/07/28/199610.aspx . I have always been convinced about the use of passphrases.