Michael Howard's Web Log
A Simple Software Security Guy at Microsoft!
January 2006 - Posts
New Internet Explorer 7 Beta 2 Preview available
31 January 06 10:38 AM
I've been using the current builds for ages now, here's my top reasons for using IE7 (beyond pure security and engineering): Printing is better (there was this really nasty habit of truncating on the right margin) Support for RSS and OPML in the browser.
Read More...
Protecting against Pointer Subterfuge (Kinda!)
30 January 06 10:10 PM
When exploiting a buffer overrun vulnerability, the goal of an attacker is usually to change the flow of execution from the normal execution flow to a flow dictated by the attacker. Sure, he may want to whack a DWORD in memory or change a variable, but
Read More...
How long will that crypto key be useful?
27 January 06 10:13 AM
One of the crypto guys here pointed this out to me last night, it's kinda cool. A small web-app to determine how long a key should be to provide adequate protection up to a specified year. There are a few other options in there too... http://www.keylength.com
Read More...
Blue Hat 2005 - Security Researchers come to Microsoft
26 January 06 01:22 PM
From http://channel9.msdn.com/Showpost.aspx?postid=157668 "This Fall, Microsoft hosted the second annual Blue Hat conference on Campus. The audience was primarily Microsoft employees who write code, as well as executives from around the company. Security
Read More...
Code Scanning Tools Do Not Make Software Secure
26 January 06 11:14 AM
There has been a lot of press recently about using ‘code scanning’ tools to find security bugs in source code. So I thought I’d share my view on code scanning tools. Such tools, often called static analysis tools, such as the tools we have included in
Read More...
CERTs Virtual Training Environment
25 January 06 01:33 PM
CERT has released a Web-based library for information assurance, forensics and incident response. I've poked around, it looks pretty good. http://vte.cert.org/
Read More...
Russinovich and the WMF Flaw (MS06-001)
20 January 06 11:50 PM
I'm not 100% sure why no-one seems to have picked up on this, Russinovich decided to do his own analysis of the WMF flaw to see if Gibson's belief that WMF/SetAbortProc() is an intentional backdoor. Of course, it's not! Here's Mark's analysis: http://www.sysinternals.com/blog/
Read More...
strlen_s, where for art thou?
17 January 06 01:50 PM
I just received an email from a product group wanting to replace a small number of calls to strlen with strlen_s to help them be SDL compliant. Problem is, there is no strlen_s ! :( So I had a chat with Martyn Lovell, who headed the SafeCRT work to find
Read More...
You heard it here first!
13 January 06 07:58 AM
You heard it here first, if you use MmSecureVirtualMemory, you should be aware that there are some potential reliability issues. By the way, 'secure' is a verb in this case, not a noun. If you run PRE f ast on code using this function and it's not in
Read More...
Windows QuickTime users - APPLY THE PATCH!!
12 January 06 11:32 AM
Apple has released a patch for Quicktime that fixes a bucket-load of image parsing bugs. If you're a Windows user, you should apply th patch ASAP. The clock is ticking. http://www.us-cert.gov/cas/techalerts/TA06-011A.html
Read More...
Go
This Blog
Home
Links
Email
Tags
General
Personal
Privacy
Rant
Security
Vista
Archives
April 2008 (5)
March 2008 (5)
February 2008 (4)
January 2008 (9)
December 2007 (4)
November 2007 (4)
October 2007 (6)
September 2007 (1)
August 2007 (2)
July 2007 (4)
June 2007 (13)
May 2007 (6)
April 2007 (8)
March 2007 (11)
February 2007 (4)
January 2007 (8)
December 2006 (4)
November 2006 (14)
October 2006 (5)
September 2006 (6)
August 2006 (6)
July 2006 (2)
June 2006 (7)
May 2006 (8)
April 2006 (2)
March 2006 (5)
February 2006 (6)
January 2006 (10)
December 2005 (2)
November 2005 (2)
October 2005 (1)
September 2005 (4)
August 2005 (5)
July 2005 (5)
June 2005 (3)
May 2005 (9)
April 2005 (8)
March 2005 (5)
February 2005 (9)
January 2005 (7)
December 2004 (7)
November 2004 (9)
October 2004 (11)
August 2004 (13)
July 2004 (4)
June 2004 (12)
May 2004 (17)
April 2004 (2)
March 2004 (2)
February 2004 (3)
January 2004 (2)
Syndication
RSS 2.0
Atom 1.0