Michael Howard's Web Log
A Simple Software Security Guy at Microsoft!
Windows Vista Crypto Modules now FIPS 140-2 Certified
The standard crypto providers such as DSSENH and RSAENH are now certified FIPS 140-2 on Windows...
Author: Michael Howard Date: 01/18/2008
Crispin Cowan joins the Windows Security Team!
I am delighted to announce that Crispin Cowan has joined the core Windows Security Team! For those...
Author: Michael Howard Date: 01/17/2008
Timely Microsoft Office 2003 SP3 Advice from David LeBlanc
https://blogs.msdn.com/david_leblanc/archive/2008/01/16/a-good-reason-to-install-sp3.aspx
Author: Michael Howard Date: 01/16/2008
Cry or Smile? You Decide...
On Wednesday Mark Curphey emailed me about a conversation his team had with a customer. I see he has...
Author: Michael Howard Date: 01/11/2008
"Open-source projects certified as secure" – huh?
I really got a chuckle out of this news item, especially this line: “Coverity, which creates...
Author: Michael Howard Date: 01/10/2008
VBootkit vs. Bitlocker in TPM mode
One of the guys in our group, Robert Hensing has an interesting post about VBootkit and whether...
Author: Michael Howard Date: 01/08/2008
Recent Symantec and IBM vulnerabilities, giblets, banned APIs and the SDL
I just posted some commentary on the SDL blog about some recent Symantec and IBM vulnerabilities,...
Author: Michael Howard Date: 01/04/2008
Common Criteria: Is it Safe?
My colleague, Eric Bidstrup, has posted a thought provoking commentary about the Common Criteria. I...
Author: Michael Howard Date: 12/20/2007
It's Official: Jeff Jones has WWAYYY Too Much Time on His Hands
I think I'm a girl-elf in this, however!
Author: Michael Howard Date: 12/17/2007
Counterpoint to my SDL post
David has an interesting counterpoint post to my SDL post this morning. As expected he makes some...
Author: Michael Howard Date: 12/17/2007
Security is not all about Security Updates
I just posted an article about the SDL goals over on the SDL blog....
Author: Michael Howard Date: 12/17/2007
Today's Dilbert :)
Perhaps I should change my name to "Mordac" From...
Author: Michael Howard Date: 11/16/2007
Reminder: Microsoft Security Intelligence Report - Webcast on Wed 7 Nov
Wednesday, November 07, 2007 10:00 AM Pacific Time - Support WebCast: Microsoft Security Intelligence...
Author: Michael Howard Date: 11/06/2007
Oracle’s Original Unbreakable Paper
I know a lot of you have heard of, or know of, Oracle’s Unbreakable claims. I’m not going to get...
Author: Michael Howard Date: 11/06/2007
I'm at TechEd in Barcelona this week
I'll be there all week, I have a bunch of talks: SEC201 - The Security Development Lifecycle (5...
Author: Michael Howard Date: 11/04/2007
New Microsoft Security Intelligence Report Available
The latest Security Intelligence Report is now available. To quote the Web page: The Microsoft...
Author: Michael Howard Date: 10/23/2007
Dev Tip: Opening Commonly-Accessed Files
When I'm writing code, there's one file I need to access constantly - WinError.h, the file that...
Author: Michael Howard Date: 10/19/2007
News Items that Interested me this Week
Each week (ok, mostly every week!) I'll post news items that interested me... Security analysis of...
Author: Michael Howard Date: 10/19/2007
Lessons Learned from Five Years of Building More Secure Software
The annual Security issue of MSDN Magazine is now available. This year I wrote a piece about some of...
Author: Michael Howard Date: 10/12/2007
Update on the Threat Modeling Process
At Microsoft, we have been using various forms of threat modeling for years now, and we're always...
Author: Michael Howard Date: 10/12/2007
Bluehat Audio Available
https://download.microsoft.com/download/3/2/0/3205AD8C-A0AA-40F0-8998-256B7583D400/DanKaminsky.wma...
Author: Michael Howard Date: 10/04/2007
New Version of Application Verifier (appverif) available
AppVerif is one of my favorite run-time analysis tools for unmanaged Windows apps, it's also an...
Author: Michael Howard Date: 09/04/2007
Update on DropMyRights
It's been a long time since I looked at DropMyRights, a little tool I wrote forever ago to lower a...
Author: Michael Howard Date: 08/13/2007
Privacy Tip o' the Day
I'm stunned at how much private data the average citizen will divulge. I was buying some stuff...
Author: Michael Howard Date: 08/08/2007
Some of us won't be at Blackhat
I am sitting at Austin airport about to catch a plane to Redmond to help a cadre of us deliver...
Author: Michael Howard Date: 07/31/2007
Iron Chef at BlackHat
Eric Bidstrup has just posted some commentary about the Iron Chef at Blackhat event over on the SDL...
Author: Michael Howard Date: 07/26/2007
Inspect Your Gadget
Dave Ross and I recently wrote an article on the ins & outs of writing secure gadgets for...
Author: Michael Howard Date: 07/23/2007
Windows Vista Integrity Paper
Howdy from a little coffee shop (no, not Starbucks) at the entrance to our subdivision in Austin! I...
Author: Michael Howard Date: 07/11/2007
My Last Day in Redmond
Well, today is my last day in Redmond. It's pretty sad, but I'm really looking forward to being in...
Author: Michael Howard Date: 06/29/2007
Lessons Learned from MS07-029: The DNS RPC Interface Buffer Overrun
I just posted the root cause analysis for the DNS RPC buffer overrun over on the SDL blog.
Author: Michael Howard Date: 06/28/2007
"How Software is Built" Interview
Some months back I was interviewed by howsoftwareisbuilt.com, we talked about everything you could...
Author: Michael Howard Date: 06/25/2007
SDL Crypto Code Review Macro
Over the last few weeks I've been experimenting with the Visual Studio 2005 macro and extensibility...
Author: Michael Howard Date: 06/14/2007
SDL Training at the Microsoft Security Response and Safety Summit
Dave Ladd has just made a post over on the SDL blog about some SDL training we gave for partners at...
Author: Michael Howard Date: 06/14/2007
The Bluetooth Keyboard Mystery: Solved.
My wife's got a pretty spec'd out box at home with a 30inch widescreen LCD flat panel and a...
Author: Michael Howard Date: 06/05/2007
Well, I never expected this. Take 2
Yesterday, based on some negative feedback, I made a post stating I would keep my blog a tech blog...
Author: Michael Howard Date: 06/05/2007
Well, I wasn't expecting that!
Yesterday, I decided to add a more personal angle to my blog by posting about my kids. Well, I got a...
Author: Michael Howard Date: 06/04/2007
The Most Complex SAL annotation
While working on "Writing Secure Code for Windows Vista" I spent a good deal of time spelunking the...
Author: Michael Howard Date: 06/03/2007
From the Mouths of Babes
A few weeks ago someone in my group suggested I blog about more than security. I asked, "Why?" He...
Author: Michael Howard Date: 06/03/2007
At TechEd this Week
Hi from Orlando. I'm presenting at TechEd this week - I have two sessions, one is a "chalktalk"...
Author: Michael Howard Date: 06/03/2007
Oil Change or Culture Change
Dave Ladd has just posted a very interesting and thought provoking post over on the SDL blog:...
Author: Michael Howard Date: 06/01/2007
Half Of Windows Vista Adoption Driven By Security
I think I earned my paycheck this week :)...
Author: Michael Howard Date: 05/23/2007
Secure coding lessons from Microsoft
Last week we had some tech journalists visit Redmond to discuss security products and, in my case,...
Author: Michael Howard Date: 05/22/2007
Windows Vista ISV Security Paper Available
Matt Thomlinson and I wrote a document explaining how to take advantage of some of the buffer...
Author: Michael Howard Date: 05/04/2007
More on security education, or lack of...
Following on from my blog post yesterday about Dave Ladd's education vs training comments over on...
Author: Michael Howard Date: 05/04/2007
Security Education v. Security Training
David Ladd, a partner in crime, has just made a post on the SDL blog about Security Education. He...
Author: Michael Howard Date: 05/03/2007
The Strangest Vista "bug" you've ever heard of - EVER!
A good friend of mine bought a new Sony Vaio with Windows Vista preinstalled. But there was a...
Author: Michael Howard Date: 04/27/2007
Lessons Learned from the Animated Cursor bug
I just posted an analysis over on the SDL blog of the lessons we learned from the recent animated...
Author: Michael Howard Date: 04/26/2007
SDL blog is live
We have started a new blog, the SDL blog - we have an interesting array of folks working on the...
Author: Michael Howard Date: 04/26/2007