Michael Howard's Web Log
A Simple Software Security Guy at Microsoft!
Russinovich and the WMF Flaw (MS06-001)
I'm not 100% sure why no-one seems to have picked up on this, Russinovich decided to do his own...
Author: Michael Howard Date: 01/21/2006
strlen_s, where for art thou?
I just received an email from a product group wanting to replace a small number of calls to strlen...
Author: Michael Howard Date: 01/17/2006
You heard it here first!
You heard it here first, if you use MmSecureVirtualMemory, you should be aware that there are some...
Author: Michael Howard Date: 01/13/2006
Windows QuickTime users - APPLY THE PATCH!!
Apple has released a patch for QuickTime that fixes a bucket-load of image parsing bugs. If you're a...
Author: Michael Howard Date: 01/12/2006
Integer Overflow and operator::new
As Raymond Chen pointed out last year...
Author: Michael Howard Date: 12/06/2005
You'll get a kick out of this...
From Microsoft Japan...
Author: Michael Howard Date: 11/16/2005
More Attack Surface Reduction in IIS7
As y'all know, the attack surface of IIS6 is low because: It's not installed by default When you do...
Author: Michael Howard Date: 11/01/2005
ACLs on Sockets
A friend from Foundstone sent me an email asking how to set ACLs on sockets in Windows. He'd heard...
Author: Michael Howard Date: 10/23/2005
New Security Features in Visual Studio 2005
It's all very well having security tools and technologies within Microsoft, but VS.NET 2005 includes...
Author: Michael Howard Date: 09/29/2005
Security Symposium @ the PDC
I've been meaning to write about this, but I've been a little busy of late. On day 4 of the PDC...
Author: Michael Howard Date: 09/14/2005
Understanding Security in Microsoft Internet Explorer 6 in Windows XP SP2
Nice doc......
Author: Michael Howard Date: 08/30/2005
Even more for the Patterns & Practices folks
Security Guidance Index:...
Author: Michael Howard Date: 08/16/2005
MBSA v2 Visio Connector
Cool stuff. The Microsoft Office Visio 2003 Connector for the Microsoft Baseline Security Analyzer...
Author: Michael Howard Date: 08/15/2005
Security "How To" Index
The patterns and practices folks have just updated their list of Security-related "How-Tos"...
Author: Michael Howard Date: 08/12/2005
Comments from Gartner about Microsoft's Security Work
I just read this very interesting article in Information Week about the recent Cisco 'issue' at...
Author: Michael Howard Date: 08/02/2005
"19 Deadly Sins" Update
I was told a couple of days ago that the first copies of the "19 Deadly Sins of Software Security"...
Author: Michael Howard Date: 07/28/2005
SDL Document now in Ten Languages
English https://msdn.microsoft.com/security/sdl French...
Author: Michael Howard Date: 07/25/2005
Busy couple of days for security updates
Wow, it's been a pretty busy couple o' days on the security update front... Here're some examples....
Author: Michael Howard Date: 07/13/2005
The 19 Deadly Sins of Software Security
After much blood, sweat and tears, a new software security book, written by me, David LeBlanc and...
Author: Michael Howard Date: 07/12/2005
A safe browser? No longer in the lexicon...
Read this article. It's quite appropriate and well written. A safe browser? No longer in the lexicon...
Author: Michael Howard Date: 07/07/2005
The Bluehat Sessions
C|Net is carrying a story this morning about the Bluehat summit we held at the Microsoft campus a...
Author: Michael Howard Date: 06/16/2005
A Nice Source of 'Vintage' Security Papers
A colleague (thanks, Chris!) sent me this URL; it's a great resource for classic security papers, and...
Author: Michael Howard Date: 06/07/2005
The joy of netsh
Ever notice there are REALLY useful tools that you totally overlook? Well I do. All the time! One...
Author: Michael Howard Date: 06/02/2005
Hidden Message in Writing Secure Code 2nd Ed
I've been meaning to write about this for a year or so, but for some reason I simply keep forgetting...
Author: Michael Howard Date: 05/19/2005
File Checksum Integrity Verifier utility
Every once in a while I come across an old piece of email, or a document I archived that contains a...
Author: Michael Howard Date: 05/12/2005
Writing Secure Web Browsers is Hard
I'm not making excuses, just stating facts. In fact, I just read this from SANS... emphasis is mine....
Author: Michael Howard Date: 05/11/2005
Microsoft unveils details of software security process
My colleague, Window Snyder, presented last week at CanSecWest about some of the 'fun' we had getting...
Author: Michael Howard Date: 05/10/2005
Comments on recent Firefox security bugs
As you are no doubt aware, a couple of pretty nasty security defects have been found in the latest...
Author: Michael Howard Date: 05/09/2005
Visio Connector for MBSA available
This is kinda cool - a Visio connector that hooks up to the output from the Microsoft Baseline...
Author: Michael Howard Date: 05/05/2005
Microsoft Windows Security Resource Kit, Second Edition Released
Just spotted this while catching up on (lots of) email. So what's new in the Second Edition? In...
Author: Michael Howard Date: 05/03/2005
More Integer Overflow stuff
I think I've said this a billion times, but I'll say it again. No-one has done more research into...
Author: Michael Howard Date: 05/03/2005
Is Microsoft IIS 6.0 more secure than Apache HTTP Server 2.0?
A couple of months ago I presented at an event called the "Microsoft Technology Summit" to some very...
Author: Michael Howard Date: 05/02/2005
Security Management - Windows, Linux Security Notifications
A colleague of mine at Microsoft, Jeff Jones, has written a thought provoking couple of articles on...
Author: Michael Howard Date: 04/27/2005
A couple of good/upbeat news items - all this work is paying off!
Worm Lull, Windows XP SP2 Keeping Outbreaks At Bay https://www.techweb.com/wire/security/161501182...
Author: Michael Howard Date: 04/25/2005
Office Smart Tags for CVE and Microsoft Security Bulletins
While diddling around with Office Smart Tags, I decided to build a couple to handle MS bulletins and...
Author: Michael Howard Date: 04/13/2005
Hell Hath No Fury...
I'm not sure if it's because my 20-month-old daughter kept me awake last night, or the lack of coffee...
Author: Michael Howard Date: 04/12/2005
Protect Your Windows Network: From Perimeter to Data
A couple of good buddies of mine, Jesper M. Johansson & Steve Riley, have written an excellent...
Author: Michael Howard Date: 04/12/2005
Repel Attacks on Your Code with the Visual Studio 2005 Safe C and C++ Libraries
Martyn Lovell has written a paper about the Safe C and C++ libraries coming in Whidbey....
Author: Michael Howard Date: 04/12/2005
In Praise of Windows Server 2003 SP1
Nice article :) https://www.securityfocus.com/columnists/312
Author: Michael Howard Date: 04/06/2005
Windows Server 2003 SP1 is now available
https://www.microsoft.com/downloads/details.aspx?FamilyId=22CFC239-337C-4D81-8354-72593B1C1F43 'nuff...
Author: Michael Howard Date: 03/30/2005
Clinic 2806: Microsoft Security Guidance Training for Developers
I'd totally forgotten about this, but Microsoft eLearning has made available, "Clinic 2806:...
Author: Michael Howard Date: 03/28/2005
Security Development Lifecycle (SDL) document is now live
This document outlines the security-related process improvements we have put in place at...
Author: Michael Howard Date: 03/18/2005
Steve Friedl's Unixwiz.net Tech Tips: An Illustrated Guide to Cryptographic Hashes
This is a great resource if you want to get your head around how hashes work......
Author: Michael Howard Date: 03/15/2005
Follow-up on NNNNnnnooooo....!
I just stepped out to Building 40 to grab some lunch, (it's better than the cafeteria in Building...
Author: Michael Howard Date: 02/25/2005
NNNNNOOOOooooo......!
From "Making Windows XP Start Faster" at https://www.pcmag.com/article2/0,1759,1768883,00.asp Two of...
Author: Michael Howard Date: 02/23/2005