(In)Security of MultiByteToWideChar and WideCharToMultiByte (Part 2)
Part 1 of this installment discussed the unsafe nature of MultiByteToWideChar and WideCharToMultiByte.  They do not guarantee that the output string is properly terminated.  In this installment, I want to focus on the count parameters.  There are three Read More...
Posted 14 November 08 09:59 by esiu | 1 Comments   
(In)Security of MultiByteToWideChar and WideCharToMultiByte (Part 1)
There are a few well-known unsafe APIs in the standard C library, such as strcpy and memcpy.  These routines are unsafe because the source and destination buffer sizes are not taken into consideration.  Buffer overflows may take place because the destination Read More...
Posted 06 November 08 10:22 by esiu | 1 Comments   
My favorite security blogs and podcasts
What are your favorite security blogs or podcasts?  Here are mine.  Please leave yours in the comment section. Podcasts Security Now ( http://www.grc.com/securitynow.htm ) CNet Security Bites ( http://securitybites.cnet.com ) Blogs Schneier Read More...
Posted 23 October 08 06:18 by esiu | 1 Comments   
“Out of Band” security patch MS08-067
Out of Band security patch MS08-067 is released today.  Microsoft strives to keep to our monthly Patch Tuesday release cycle so that enterprise administrators can plan ahead for their testing and deployment.  When an out-of-band patch is released, it must Read More...
Posted 23 October 08 05:52 by esiu | 1 Comments   
What is unique about patch Tuesday of October 2008?
Every second Tuesday, MSRC releases security patches for Microsoft products that have fixed vulnerabilities.  The best outcome is to have no patches on a Patch Tuesday, so that many administrators can take a break from installing patches Read More...
Posted 15 October 08 04:48 by esiu | 0 Comments   
<script>alert()</script>
<script>alert()</script> Read More...
Troubleshooting Networking and IPSec Issues
I had a very strange networking issue last weekend. After connecting to corpnet via VPN and direct hookup, I was able to ping all remote servers, but was not able to do anything, such as web browsing and remote desktop. It was not the first time that Read More...
ASP.NET ValidateRequest does not mitigate XSS completely
As a security guy, I can safely say that there is no magic bullet to mitigate any security problem completely, and cross-site scripting (XSS) bugs are no exception. Since ASP.NET 1.1, ValidateRequest can be configured in web.config to check and reject Read More...
Posted 19 October 07 02:26 by esiu | 5 Comments   
Read Office Files as ZIP
It is interesting to me that Office 2007 Metro formats can be opened as a ZIP file. To see this in action, pick an Office 2007 Metro file, such as an XLSX or DOCX, and rename its extension to ZIP. Then open the renamed file with WINZIP. You Read More...
Is Microsoft Office Isolated Conversion Environment (MOICE) mocha on ice?
MOICE may sound like mocha on ice, but it is really a strong dark espresso shot offered by the Office TWC team to jolt up security. Microsoft Office Isolated Conversion Environment (MOICE) is a new security tool that helps protect Office users from malicious Read More...
Posted 19 October 07 11:49 by esiu | 2 Comments   
True test of a security geek
If you chuckle at this comic strip, congratulations! You are a security geek. If you don't chuckle, it is never too late to become one. Read my blog more, and you will become one. Thanks TechJunkie for forwarding. Read More...
Posted 11 October 07 01:18 by esiu | 2 Comments   
Given enough eyeballs all bugs are shallow: True or False?
"Given enough eyeballs all bugs are shallow." I do agree if more right-minded folks look at a piece of code, it would help identify both security and non-security bugs. This premise is built on the assumption that all reviewers have the best intentions Read More...
Posted 11 October 07 12:18 by esiu | 2 Comments   
System.URI.AbsolutePath Vs Phishing Attack
Phishing attacks are caused by users inadvertently clicking on malicious links in emails or web pages, which then forward requests to malicious websites. A common phishing technique is to fake emails sent by well-known banks or merchants, which contain Read More...
Posted 10 October 07 08:09 by esiu | 2 Comments   
Web Service Security Guidance
I have just published a TechNet article. It is geared toward administrators and developers as an introduction to web service security. It contains lots of references that allow you to deepen your knowledge of web service security. Please visit http://www.microsoft.com/technet/community/columns/sectip/st1007.mspx Read More...
Posted 10 October 07 04:56 by esiu | 3 Comments   
More eyeballs for .Net Framework code
Microsoft will open up the source code of the .Net Framework to the public. This allows outsiders to review what is under the hood, and enables easier debugging of development projects built on the .Net Framework. The .Net Framework code has been reviewed heavily, and developers Read More...