SafeInt moved to github
Has it really been 7 years since I last posted? Yikes - wonder if anyone will see this. The main...
Date: 03/22/2018
Compilers, Integers and Optimizations
I've had a good bit of fun (for some value of fun) with hardening SafeInt against what I consider to...
Date: 12/23/2011
Bugs and Consequences
I've been meaning to write about overzealous compilers, and nice geeky things, but I'm going to use...
Date: 12/22/2011
Another technique for Fixing DLL Preloading attacks
Back in February, 2008, I posted on DLL preloading attacks and how to avoid them here. It seems that...
Date: 08/23/2010
MS10-048 – Getting the Math Right
The Security Research and Defense blog detailed an integer overflow here. The code looks like this:...
Date: 08/10/2010
Acrobat is Getting a Sandbox
We've been helping Adobe to get a sandbox going which is similar to what we used in Office 2010 for...
Date: 07/20/2010
DSig Q & A
I'm going to cover the answers to some of the questions that came in after Shelley answered the...
Date: 05/30/2010
Office 2010 Digital Signatures and XAdES
Shelley Gu, the program manager for Office signatures, has already posted the PM version of what...
Date: 05/30/2010
New “Improved” Site
Hrmph. So they managed to disappear my last post, and now my blog looks really generic. I liked the...
Date: 05/30/2010
You don’t have to be faster than the bear
Note – this post disappeared during the blog upgrade, recovered due to search cache. Just got done...
Date: 05/28/2010
Don’t Use Office RC4 Encryption. Really. Just don’t do it.
Yesterday, a BlackHat Europe presentation on Office 2003 encryption was brought to my attention....
Date: 04/16/2010
Office 2007 SP2 Encryption Settings
Now that we've actually shipped SP2, some of you may be curious about how to use the shiny new...
Date: 05/20/2009
Legacy RC4 Example on Codeplex
Just a quick note on this – a customer had a question about the old RC4 40-bit encryption yesterday,...
Date: 02/06/2009
MS-Offcrypto Example Update
Just a quick note that I've updated the examples. I added an example for the CAPI RC4 encryption...
Date: 01/13/2009
MS-Offcrypto Examples
In response to some questions I've gotten about details of MS-OFFCRYPTO, I've created a CodePlex...
Date: 01/06/2009
Office Crypto KDF Details
I've gotten a couple of questions asking how our key derivation function works. The technique is...
Date: 12/05/2008
New, Improved Office Crypto
If you're enough of an Office crypto geek to stay on top of the most recent changes in MS-OFFCRYPTO,...
Date: 12/04/2008
SafeInt Compiles on gcc!
[update 12-1-08] I now have it completely compiling on gcc, with a test harness that exercises every...
Date: 11/25/2008
Improvements in Office Security
We now have a pretty neat internal web site where I can easily search for CVE entries and bulletin...
Date: 11/17/2008
SafeInt 3 on CodePlex!
I have finally found a stable place to keep SafeInt. It can now be found at...
Date: 09/30/2008
Chrome Getting a Bit Rusty
Put this one in the rant category – I'm honored that Google has been paying attention to my blog and...
Date: 09/12/2008
Why can't you comment?
This is because $#@!!!! spammers can screw up anything. I have to disallow anonymous comments, or I...
Date: 09/08/2008
Ptrdiff_t is evil
Well, not really, but here's a code problem that confounded some really smart devs – and it looks so...
Date: 09/02/2008
Yikes! Vista Security to be Obliterated!
Just picked up this link from Robert Hensing's blog -...
Date: 06/24/2008
Don’t Feed or Tease the Bears…
I've learned over the years to avoid bragging about how much more secure something is than something...
Date: 06/19/2008
More on Checking Allocations
Seems my last post met with some objections – somewhat rightfully so, as I mischaracterized one of...
Date: 04/21/2008
Checking Allocations & Potential for Int Mayhem
Must be synchronicity. I started out the day with a really interesting mail from Chris Wysopal...
Date: 04/16/2008
More Checking for Pointer Math
Someone pointed out that it isn't sufficient to check for whether the pointer math wrapped, but that...
Date: 04/08/2008
Evil Compiler Tricks, and Checking for Pointer Math
My favorite programming geek hobby being integer overflows, this caught my eye – "gcc silently...
Date: 04/04/2008
Visual C++ Defenses and 64-bit
Michael Howard just published a good article here on how Visual C++ features can help protect your...
Date: 03/17/2008
Use of ASLR, NX, etc
Found a really great post by David Maynor here. He points out that various counter-measures aren't...
Date: 03/14/2008
DLL Preloading Attacks
A DLL preloading attack is something that can get you on a lot of different platforms. One of the...
Date: 02/20/2008
Terminating your app on heap corruption
Michael Howard has a FAQ on this here – there's also more information on this and related defenses...
Date: 02/19/2008
HD vs. Blu-ray (2)
I promise I'll get back to security stuff shortly, but over the weekend I ran into a couple of...
Date: 02/18/2008
HD vs. Blu-Ray
OK, so this isn't security related at all, just felt like grumbling about the latest development. If...
Date: 02/15/2008
15 Most Influential Security People
This isn't exactly the list I would have drawn up, and I must be having a bad year, since I'm not on...
Date: 02/14/2008
MulDiv Mayhem
Here's another episode in my ongoing quest to stamp out integer overflows. MulDiv is a Windows API...
Date: 02/07/2008
Unsafe String Handling with strncpy
I recently ran into a piece of code that looked like this: int len = cchIn; strncpy(dest, src, len -...
Date: 02/05/2008
Templatized Min/Max Solved!
I had some time to think about the overall problem, and had originally thought of a functional...
Date: 01/30/2008
Templatized Min/Max is a bad idea!
Ah, back to nice geeky C++ programming topics, which is much more fun than angry customer topics…...
Date: 01/25/2008
A good reason to install SP3
If you haven't already seen this, take a look. A brief quote: Microsoft Security Advisory (947563)...
Date: 01/16/2008
How we know which file formats are used
A reader wrote to ask me how it is that we know what file formats are being opened by users. I can...
Date: 01/14/2008
Office SP3 and File formats
In Office 2007, we changed the default to disable a number of older file formats where we saw very...
Date: 01/04/2008
USB Virtual PC’s
I was browsing the news this morning, and ran across an article - Virtual PCs add new layer of...
Date: 01/03/2008