Michael Howard's Web Log
A Simple Software Security Guy at Microsoft!
Writing Secure Code for Windows Vista is Shipping!
I've received a number of emails from folks saying they have got their copies of our latest book,...
Author: Michael Howard Date: 04/19/2007
I'm moving to Austin!
At the end of June my family and I are moving to Austin, Texas. I’ll still be doing a lot of the...
Author: Michael Howard Date: 04/17/2007
CodeGear’s new Delphi 2007 supports ASLR and NX
From the Helping to Secure the Ecosystem Dept. Here’s some good news for people using CodeGear’s...
Author: Michael Howard Date: 04/04/2007
How Microsoft Security Bulletin MS07-017 affected Windows Vista
Feliciano Intini (a senior security guy in Microsoft Italy) has posted an excellent analysis of the...
Author: Michael Howard Date: 04/03/2007
Hardening Stack-based Buffer Overrun Detection in VC++ 2005 SP1
As y’all know, the Visual C++ /GS compiler flag adds prolog and epilog code to certain functions to...
Author: Michael Howard Date: 04/03/2007
Symantec: Microsoft-authored code will become more difficult to exploit
From Symantec: With the advent of Vista and the continued use of the Security Development Lifecycle,...
Author: Michael Howard Date: 03/22/2007
Surprise, Microsoft Listed as Most Secure OS
Wow, the folks from Symantec claim "Microsoft is doing better overall than its leading commercial...
Author: Michael Howard Date: 03/22/2007
Windows Vista - 90 Day Vulnerability Report
Jeff Jones just posted a blog looking at vulnerability counts in various operating systems after 90...
Author: Michael Howard Date: 03/21/2007
I think I have a blackhat in my midst
A few weeks back I wrote how my 5 year old son, Blake, decided to hack into our computer. Well, it...
Author: Michael Howard Date: 03/19/2007
My Take on Windows Vista Security “Vulnerabilities”
I love looking at and analyzing security bugs, but I also enjoy observing how people react to...
Author: Michael Howard Date: 03/16/2007
How I will judge Windows Vista Security
Before I get started, I want to point out this is my opinion, not necessarily anyone else’s...
Author: Michael Howard Date: 03/08/2007
UAC Deep dive over on Channel9
Chris Corio and Jonathan Schwartz did an hour-long deep dive into the UAC architecture, goals and...
Author: Michael Howard Date: 03/08/2007
List of Banned APIs now available
We have just published the list of SDL-banned APIs, and their replacements....
Author: Michael Howard Date: 03/08/2007
New Book: Writing Secure Code for Windows Vista
Even though we (kinda) promised our wives we wouldn’t do it, David LeBlanc and I have just wrapped...
Author: Michael Howard Date: 03/03/2007
How to get a US Passport in 1.5h Hours
This is a true story. Last Thursday I flew from RSA in San Francisco back to Seattle. When I got...
Author: Michael Howard Date: 02/21/2007
UAC BS
Howdy once again from RSA. It's raining. So much for sunny California! Jeff and I just gave our talk...
Author: Michael Howard Date: 02/08/2007
Something Windows Vista Parental Controls cannot protect against
Howdy from RSA in San Francisco - I just got here, and I have a talk tomorrow morning @ 9AM about...
Author: Michael Howard Date: 02/07/2007
What is it that makes security hard?
I’ve been asked this question numerous times, often in the guise of a question like, “why can’t you...
Author: Michael Howard Date: 02/02/2007
Security Features vs. Convenience
Jim Allchin has a great blog post about some of the design issues we went through and tradeoffs we...
Author: Michael Howard Date: 01/24/2007
A couple of interesting security blog posts
Jeff has an uncanny ability to dig into details that most folks gloss over: Exposed? : Examining...
Author: Michael Howard Date: 01/19/2007
How not to write secure Web apps - and get to see Steve Jobs for Free!
This blog post outlines a bug in the macworld.com web site that allowed the blogger to get a...
Author: Michael Howard Date: 01/13/2007
Why Windows Vista is unaffected by the VML Bug
MS07-004 does not affect Windows Vista, even though the coding bug is there. Why? The bug is an...
Author: Michael Howard Date: 01/10/2007
Windows Live OneCare v1.5 is released to manufacturing
This is great news. OneCare is one of my all-time-fave products. I love it because it was built...
Author: Michael Howard Date: 01/05/2007
My Take on Visual Studio 2005 SP1 and Windows Vista
Over the last couple of days, many people have asked for my take on the fact that Visual Studio 2005...
Author: Michael Howard Date: 01/04/2007
Visual Studio 2005 Service Pack 1 Update for Windows Vista Beta Available
From the blurb: During the development of Windows Vista, several key investments were made to vastly...
Author: Michael Howard Date: 01/01/2007
eXPired Poster Available!
First, a very Happy New Year to you all...! Second, due to incredibly popular demand, I managed to...
Author: Michael Howard Date: 01/01/2007
Online Security Sessions from TechEd IT Forum Available
Knowing the Enemy - A lightning demonstration on how hackers attack...
Author: Michael Howard Date: 12/21/2006
ASLR and the new linker
Well, the VS team shipped VS2005 SP1. You'll need the updated linker to support ASLR on Windows...
Author: Michael Howard Date: 12/17/2006
Update on Internet Explorer 7, DEP and Adobe Software
Because browsers can host plug-in extensibility, security settings within the browser can make...
Author: Michael Howard Date: 12/12/2006
Windows Vista, ASLR, DEP and OEMs
As I mentioned in a previous series of posts, we recently had all the major OEMs on campus to...
Author: Michael Howard Date: 12/06/2006
Wresting free from a software straitjacket
There's an interesting article over at C|Net about security in general, and Microsoft and the SDL in...
Author: Michael Howard Date: 11/30/2006
Microsoft beats Oracle in security showdown
https://www.vnunet.com/vnunet/news/2169225/microsoft-beats-oracle-security
Author: Michael Howard Date: 11/22/2006
Which Database is More Secure? Oracle vs Microsoft
I was quite surprised when a number of folks criticized the data used in the report titled...
Author: Michael Howard Date: 11/21/2006
Anti-Cross Site Scripting Library v1.5 Now Available
Earlier this year I wrote a blog post about Anti-XSS Library v1.0. Well, it's been updated with new...
Author: Michael Howard Date: 11/20/2006
eXPired!
I received a number of emails about the 'eXPired' poster on my office door, heck it even made "Quote...
Author: Michael Howard Date: 11/16/2006
Microsoft SQL Server Runs the Security Table
In my opinion, SQL Server 2000 SP3, SQL Server 2005 and IIS6 have been the poster-children for SDL....
Author: Michael Howard Date: 11/16/2006
Symantec's "The Mac OS X Threat Landscape: An Overview"
This is probably the most in-depth analysis of Mac OS X security I've ever read. It's a worthwhile...
Author: Michael Howard Date: 11/15/2006
Jim's Comments about Windows Vista and Antivirus software
When I read the interview "Allchin Suggests Vista Won't Need Antivirus" with Jim Allchin I...
Author: Michael Howard Date: 11/11/2006
Microsoft hosts OEM partners for a crash-course in SDL (Day Three)
So, the final day of the SDL sessions for our OEM partners is complete... My biggest observation was...
Author: Michael Howard Date: 11/09/2006
Microsoft hosts OEM partners for a crash-course in SDL (Day Two)
Day two of the SDL training session for OEMs went well. James Whittaker led the discussion for the...
Author: Michael Howard Date: 11/09/2006
Windows Vista Security Guide Now Available
https://www.microsoft.com/technet/windowsvista/security/guide.mspx
Author: Michael Howard Date: 11/08/2006
Microsoft hosts OEM partners for a crash-course in SDL (Day One)
As part of our ongoing SDL efforts, we are hosting a 2.5 day event here in Redmond for our OEM...
Author: Michael Howard Date: 11/08/2006
The Security Development Lifecycle (SDL). Advantage, Microsoft
Enterprise Strategy Group analyst Jon Oltsik has published a non-commissioned research note lauding...
Author: Michael Howard Date: 11/06/2006
Something else to look out for when reviewing code
From: The Learning from Mistakes Dept. A few months back eEye found an exploitable buffer overrun in...
Author: Michael Howard Date: 10/30/2006
MSDN Yearly Security Edition
It's that time of the year again, when MSDN magazine issues their yearly Security Issue. This year a...
Author: Michael Howard Date: 10/18/2006
Alleged Bugs in Windows Vista’s ASLR Implementation
I've had some people ask me about a paper that was recently published detailing alleged bugs in...
Author: Michael Howard Date: 10/04/2006