Michael Howard's Web Log
A Simple Software Security Guy at Microsoft!
RootkitRevealer from SysInternals
I haven't had a chance to look at it yet, but the good folks at sysinternals have released a tool...
Author: Michael Howard Date: 02/23/2005
Security Education - Yay, again!
Interesting read based on my last little rant about the lack of security (as-in-threats) education...
Author: Michael Howard Date: 02/17/2005
Update to Microsoft AntiSpyware beta now available
https://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&di...
Author: Michael Howard Date: 02/17/2005
MSRC @ RSA
A good chunk of the Microsoft Security Response Center (MSRC) staff are at the RSA Conference...
Author: Michael Howard Date: 02/15/2005
Security Stuff in Whidbey - More Secure Buffer Function Calls: AUTOMATICALLY!
In my previous blog I very briefly touched on the new C runtime library added to Whidbey. Take a...
Author: Michael Howard Date: 02/03/2005
Security Stuff in Whidbey - The Safer CRT
There has always been a very strong relationship with our team and the developer division (aka...
Author: Michael Howard Date: 02/01/2005
SAFER and Internet Explorer
I've received some great feedback from my "Browsing the Web and Reading E-mail Safely as an...
Author: Michael Howard Date: 01/31/2005
Interesting set of "Protect yourself online" articles
I just bumped into this while doing my morning, "what's going on on the 'net today"...
Author: Michael Howard Date: 01/25/2005
Digital Blackbelt Series: Defend your code from attacks
I just got notified of a series of Webcasts coming up, aimed at software developers; this is good,...
Author: Michael Howard Date: 01/21/2005
Trustworthy Computing @ 3
It seems like only yesterday we kicked off TwC! Oh, how time flies when you're having fun! There's a...
Author: Michael Howard Date: 01/20/2005
Browsing the Web and Reading E-mail Safely as an Administrator, Part 2
In November 2004 I posted an article to MSDN entitled, "Browsing the Web and Reading E-mail Safely...
Author: Michael Howard Date: 01/17/2005
Cryptographically Secure Random number on Windows without using CryptoAPI
Historically, we always told developers not to use functions such as rand to generate keys, nonces...
Author: Michael Howard Date: 01/14/2005
Microsoft Windows AntiSpyware Beta One Available for download..
Just in case you missed the news:...
Author: Michael Howard Date: 01/06/2005
Windows XP Service Pack 2: The Inside Story
An excellent article on how Windows XP SP2 was designed and built. A great many of us spent over a...
Author: Michael Howard Date: 12/27/2004
Shell Extension for DropMyRights
A reader (hofi) was kind enough to create a shell extension for the DropMyRights tool I wrote about...
Author: Michael Howard Date: 12/23/2004
"How can I Trust Firefox" blog by Torr
Peter Torr has joined our group, working with development teams to help them through the Security...
Author: Michael Howard Date: 12/20/2004
MSN Phishing and Scams site
Just gone live, you should point friends and family to this: https://safety.msn.com/phishing/
Author: Michael Howard Date: 12/20/2004
Microsoft Acquires Anti-Spyware Leader GIANT Company
Hot from the newsroom: https://www.microsoft.com/presspass/press/2004/dec04/12-16GIANTPR.asp
Author: Michael Howard Date: 12/16/2004
Evils of strncat and strncpy - Answers
Ok, so I took a little longer than expected to post the answers, but here they are. BTW, many people...
Author: Michael Howard Date: 12/10/2004
Windows Server 2003 SP1 Release Candidate Available
In case you hadn't heard, RC1 is avail for download from...
Author: Michael Howard Date: 12/07/2004
Microsoft Security Education
I probably get asked this question every other day, "is there any security education available from...
Author: Michael Howard Date: 11/23/2004
New Code Secure Column - "Browsing the Web and Reading E-mail Safely as an Administrator"
I just posted a new Code Secure article on MSDN about running as an admin, but executing browsers...
Author: Michael Howard Date: 11/18/2004
SAMBA Users should apply this patch ASAP
If you use SAMBA 3.0.7 or prior (appears, 2.x is not vulnerable) you should read this...
Author: Michael Howard Date: 11/18/2004
The Election and Signed Integers
A colleague sent me a link to an interesting article that looks just like an integer overflow issue:...
Author: Michael Howard Date: 11/08/2004
Ya Gotta Larf
A nasty set of security bug fixes by Mandrake in xorg-x11 had the funniest text I've seen in a...
Author: Michael Howard Date: 11/05/2004
Spam senders convicted in first felony case
Wow, 9 years recommended for spamming! https://www.msnbc.msn.com/id/6401091/
Author: Michael Howard Date: 11/04/2004
A Phishing Attempt in my Inbox
Normally, most phishing attacks don't get past the spam filters, but this one did, not sure why......
Author: Michael Howard Date: 11/04/2004
NSA Posts Mac OS X 10.3.x security guide
Weighing in at a hefty 3Mb and 109pp, the NSA has posted the "Apple Mac OS Security Configuration...
Author: Michael Howard Date: 11/02/2004
The Evils of strncat and strncpy redux
Following my previous post about the Apache 'fix', I was asked what code examples I had showing...
Author: Michael Howard Date: 11/02/2004
Buffer Overflow in Apache 1.3.xx fixed on Bugtraq - the evils of strncpy and strncat!
This just came in my inbox from Bugtraq, a buffer overrun processing Apache 1.3.x .htpasswd files....
Author: Michael Howard Date: 10/29/2004
A New Way to Detect Integer Overflows?
David LeBlanc and I have written a good deal about Integer Overflow issues, including the following:...
Author: Michael Howard Date: 10/27/2004
What about .NET vs Java Security?
Interesting stuff, no?
Author: Michael Howard Date: 10/25/2004
Updated Writing Secure Code Errata
A big thanks to Niels Dekker for providing me with the feedback. Here's the diff only. Chapter 5,...
Author: Michael Howard Date: 10/25/2004
Security issue of MSDN is out today
The annual Security issue of MSDN is out, and you should find a copy in your local book or magazine...
Author: Michael Howard Date: 10/19/2004
Follow-up on IIS6 and Apache Security
Man, I got a ton of email from all over the place about my last blog entry, and it seemed to fall...
Author: Michael Howard Date: 10/18/2004
IIS6 vs Apache2 Security Defects
A few days ago I decided to look into how IIS6 has fared security-wise since its release well over...
Author: Michael Howard Date: 10/15/2004
Online Chat with Members of the Security Business Unit
Microsoft is working hard to improve security and Rich Kaplan, Corporate Vice President for the...
Author: Michael Howard Date: 10/14/2004
YAASN.1B (Yet-Another-ASN.1-Bug)
Yes, this time in Squid. I've been following security bugs in ASN.1 parsers for some time now, as it...
Author: Michael Howard Date: 10/13/2004
Finally, a book on Privacy for Developers
My good friend J.C. Cannon has written the book on Privacy aimed squarely at developers, as well as...
Author: Michael Howard Date: 10/13/2004
More people warming up to Threat Modeling
A nice article on the subject, focused firmly on infrastructure, written by Pete Lindstrom at...
Author: Michael Howard Date: 08/31/2004
Random Threat Modeling Thoughts
I talk to many people about threat modeling. All the time! Invariably, an idea pops into my head...
Author: Michael Howard Date: 08/31/2004
IIS Auth Diagnostic tool now available
Ages ago, I wrote a little DHTML tool to help people determine the appropriate authentication...
Author: Michael Howard Date: 08/31/2004
Ya Gotta Larf
https://www.jinx.com/scripts/details.asp?affid=-1&s=1&productID=143 :-)
Author: Michael Howard Date: 08/30/2004
Windows XP SP2 Application Compat Guide Available
"Application Compatibility Testing and Mitigation Guide for Windows XP Service Pack 2" is now...
Author: Michael Howard Date: 08/25/2004
Windows XP SP2 and Nikon Software
Last night I bought a shiny new PC for home; it's based on an AMD Athlon 64 FX, with 2x160Gb SATA...
Author: Michael Howard Date: 08/20/2004
Updated MBSA now available
Blurb from https://www.microsoft.com/mbsa: New version, MBSA 1.2.1, needed for Windows XP SP2...
Author: Michael Howard Date: 08/17/2004
Windows XP SP2 Privacy Statements Released
The Windows Privacy Statement highlights 27 components that have historically been of interest to...
Author: Michael Howard Date: 08/16/2004
Writing Secure Code 2nd Ed Errata
I'm just gonna give a diff this time. Chapter 16, Page 515: The URL for SiteLock is now incorrect – the...
Author: Michael Howard Date: 08/16/2004