Michael Howard's Web Log
A Simple Software Security Guy at Microsoft!
October 2004 - Posts
Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!
29 October 04 12:14 PM
This just came in my inbox from Bugtraq, a buffer overrun processing Apache 1.3.x .htpasswd files. " local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? " at http://www.securityfocus.com/archive/1/379842/2004-10-26/2004-11-01/0 What
Read More...
Anatomy of a Hack
28 October 04 10:06 AM
My good friend, Jesper Johansson, just did something that's really hard to do - make the front page of www.microsoft.com , with his "Anatomy of a Hack" paper. Go take a look... In a few days this'll be replaced with something else, in which case, you
Read More...
A New Way to Detect Integer Overflows?
27 October 04 09:53 PM
David LeBlanc and I have written a good deal about Integer Overflow issues, including the following: WSC 2nd Ed: pp620-624. Reviewing Code for Integer Manipulation Vulnerabilities ( http://msdn.microsoft.com/library/en-us/dncode/html/secure04102003.asp
Read More...
What about .NET vs Java Security?
25 October 04 04:11 PM
Interesting stuff, no?
Read More...
Updated Writing Secure Code Errata
25 October 04 02:01 PM
A big thanks to Niels Dekker for providing me with the feedback. Here's the diff only. Chapter 5, Page 145 There’s a small error in the ArrayIndexError code: printf("Usage is %s [index] [value]\n"); Should read: printf("Usage is %s [index] [value]\n",
Read More...
Security issue of MSDN is out today
19 October 04 10:54 AM
The annual Security issue of MSDN is out, and you should find a copy in your local book or magazine store. Or, if you like, you can read the issue online at http://msdn.microsoft.com/msdnmag . I wrote an article in this issue outlining a method to reduce
Read More...
Follow-up on IIS6 and Apache Security
18 October 04 03:36 PM
Man, I got a ton of email from all over the place about my last blog entry, and it seemed to fall into four groups: Perhaps the security work you guys are doing is paying off?! No way can this be true, you work for Microsoft, so how can you be unbiased?
Read More...
IIS6 vs Apache2 Security Defects
15 October 04 11:34 AM
A few days ago I decided to look into how IIS6 has faired security-wise since its release well over a year ago. But I didn't want to use Microsoft figures; I wanted to use other figures. This led me to Secunia.com as they have a very nice Web site tracking
Read More...
Online Chat with Members of the Security Business Unit
14 October 04 09:45 AM
Microsoft is working hard to improve security and Rich Kaplan, Corporate Vice President for the Security Business Unit, and his security team invites you to join them in a candid Q&A session. Ask us your tough questions; share with us what is going
Read More...
YAASN.1B (Yet-Another-ASN.1-Bug)
13 October 04 01:31 PM
Yes, this time in Squid. I've been following security bugs in ASN.1 parsers for some time now, as it seems to be a common bug, owing to the complexity of parsing complex structures like ASN.1. By my count, 18 or so security updates have been issued in
Read More...
Finally, a book on Privacy for Developers
13 October 04 11:55 AM
My good friend J.C. Cannon has written the book on Privacy aimed squarely at developers, as well as IT folks. While I, and many others, focus on security, J.C. and his team address privacy issues. I think most people consider the two disciplines kinda
Read More...
Go
This Blog
Home
Links
Email
Tags
General
Personal
Privacy
Rant
Security
Vista
Archives
April 2008 (5)
March 2008 (5)
February 2008 (4)
January 2008 (9)
December 2007 (4)
November 2007 (4)
October 2007 (6)
September 2007 (1)
August 2007 (2)
July 2007 (4)
June 2007 (13)
May 2007 (6)
April 2007 (8)
March 2007 (11)
February 2007 (4)
January 2007 (8)
December 2006 (4)
November 2006 (14)
October 2006 (5)
September 2006 (6)
August 2006 (6)
July 2006 (2)
June 2006 (7)
May 2006 (8)
April 2006 (2)
March 2006 (5)
February 2006 (6)
January 2006 (10)
December 2005 (2)
November 2005 (2)
October 2005 (1)
September 2005 (4)
August 2005 (5)
July 2005 (5)
June 2005 (3)
May 2005 (9)
April 2005 (8)
March 2005 (5)
February 2005 (9)
January 2005 (7)
December 2004 (7)
November 2004 (9)
October 2004 (11)
August 2004 (13)
July 2004 (4)
June 2004 (12)
May 2004 (17)
April 2004 (2)
March 2004 (2)
February 2004 (3)
January 2004 (2)
Syndication
RSS 2.0
Atom 1.0