
Browse by Tags

All Tags » Security

Security Intelligence Report Volume 7 Released

Security researchers at Microsoft release a biannual "Intelligence Report" containing statistics about the software-related security incidents over the past 6 months. This report is called the SIR, and the latest version can be found here. There are
Posted by EricLaw | 0 Comments

Understanding DEP/NX

Despite being one of the crucial security features of modern browsers, Data Execution Prevention / No Execute (DEP/NX) is not well understood by most users, even technical experts without a security background. In this post, I’ll try to provide some insight

DotNet UserControls Restricted in IE8

In the past, Internet Explorer supported a really easy way to host .NET UserControls in HTML. These controls worked much like ActiveX controls, but because they ran with limited permissions, sandboxed by the .NET Framework, they would download and run
Posted by EricLaw | 2 Comments

Good News: Microsoft Security Essentials Released

Microsoft’s free new anti-virus / anti-malware realtime scanner is now available as a free download. Installing MSE, a traditional signature-based scanner, alongside IE8’s URL Reputation-based SmartScreen Filter yields comprehensive protection to help
Posted by EricLaw | 0 Comments

New Tool: Compare IE Security Settings

“IE Zone Comparer” was designed to provide additional visibility into URLMon's security zone settings. Pick any two collections of security zone settings, and IE Zone Comparer displays the values of those settings, highlighting any differences between
Posted by EricLaw | 0 Comments

Understanding Domain Names in Internet Explorer

Web browsers use domain names for a variety of purposes, but how they’re used is much more complicated than most developers realize. In this post, I’ll attempt to cover the most important aspects of this topic. Definitions When talking about “domains”
Posted by EricLaw | 4 Comments

Two New Tools Available from the SDL Team

Yesterday, IE Team alumnus Jeremy Dallman posted over on the Security Development Lifecycle team’s blog, announcing the release of BinScope and MiniFuzz. These two tools are part of the toolset that the Internet Explorer team uses to help verify the
Posted by EricLaw | 0 Comments

The Mystery of the Forgetful Browser Settings

A friend recently wrote to me, alarmed that the SmartScreen Filter feature was constantly turning off on his laptop with IE8. Despite manually re-enabling the feature using the Safety menu multiple times per hour, it was mysteriously and repeatedly turned
Posted by EricLaw | 0 Comments

Welcome to Security Theater...

From the things that make you go hmm.... department: http://personal.fidelity.com/misc/buffers/coming-soon-identity.shtml.cvsr Choose a question like “In what city was your high school?” then enter the answer. This kind of information gives us a way to
Posted by EricLaw | 1 Comments

Same Origin Policy Part 1: No Peeking

Despite its role as the cornerstone of web application security, it’s clear that many (most?) web professionals do not understand Same Origin Policy (SOP), or hold one or more misconceptions about what SOP requires. It’s a big topic, and I don’t plan
Posted by EricLaw | 3 Comments

It was only a matter of time...

It looks like the days of "security by obscurity" protection for Mac users may be coming to a close. As described over on Brian Krebs' blog, socially-engineered malware authors are now going after Mac OS X users with targeted exploits that attack both
Posted by EricLaw | 1 Comments

IE8's Native XMLHttpRequest Object Restrictions, Bugs, and Notes

Protocol Restriction Internet Explorer's native XMLHTTPRequest object permits requests to HTTP and HTTPS only; requests to FILE, FTP, or other URI schemes are blocked. Method Restriction The object permits only the following HTTP methods: "GET", "POST",
Posted by EricLaw | 5 Comments

Protecting ActiveX Controls

When evaluating the security of Internet Explorer’s ActiveX support, there are two threats to consider: · Malicious controls · Malicious websites To mitigate the threat of malicious ActiveX controls (malware), features like the IE8 SmartScreen Filter
Posted by EricLaw | 0 Comments

Internet Explorer and Custom HTTP Headers

Someone recently asked me for a list of custom HTTP request and response headers introduced by the IE team over the years. Here's the list I've come up with so far (including a few that were introduced before I joined the team): Request Headers UA-CPU
Posted by EricLaw | 0 Comments

Thoughts on Declaring Security Policies

My thoughts about Mozilla's Content Security Policy proposal were just published over on the IEBlog. I actually have quite a bit more to say (at even greater length :-) about declarative security mechanisms, and some more technical feedback specific to
Posted by EricLaw | 2 Comments