
Eugene Siu's Thoughts on Security

Share my latest security research and techniques

Last Build Date: Sat, 15 Nov 2008 00:59:34 +0000


(In)Security of MultiByteToWideChar and WideCharToMultiByte (Part 2)

Sat, 15 Nov 2008 00:59:34 +0000

Part 1 of this installment discussed the unsafe nature of MultiByteToWideChar and WideCharToMultiByte.  They do not guarantee terminating strings properly.  In this installment, I want to focus on the count parameters.  There are three count parameters that warrant your attention in order to use these two functions properly. Since these two functions deal with conversion,...

(In)Security of MultiByteToWideChar and WideCharToMultiByte (Part 1)

Thu, 06 Nov 2008 13:22:38 +0000

There are a few well-known unsafe APIs in the standard C library, such as strcpy and memcpy.  These routines are unsafe because the destination buffer size is not taken into consideration.  Buffer overflows may take place because the destination buffer is not large enough to hold the incoming data.  The safe versions of these APIs check that the destination...

My favorite security blogs and podcasts

Thu, 23 Oct 2008 21:18:04 +0000

What are your favorite security blogs or podcasts?  Here are mine.  Please leave yours in the comment section. Podcasts: Security Now, CNet Security Bites. Blogs: Schneier on Security, Security Vulnerability Research & Defense, The Microsoft Security Response Center (MSRC), Dark Reading, The Security Development Lifecycle, Microsoft Hackers blog...

“Out of Band” security patch MS08-067

Thu, 23 Oct 2008 20:52:18 +0000

Out of Band security patch MS08-067 is released today.  Microsoft strives to keep its monthly patch Tuesday release cycle so that enterprise administrators can plan ahead for their testing and deployment.  When an out-of-band patch is released, it must be very urgent, due to serious ramifications or the presence of known exploits in the wild.  You...

What is unique about patch Tuesday of October 2008?

Wed, 15 Oct 2008 19:48:00 +0000

Every second Tuesday, MSRC releases security patches for Microsoft products that fix vulnerabilities.  The best outcome is to have no patches on patch Tuesday, so that administrators can take a break from installing patches across their server farms and enterprise desktops.  It will be a long road ahead before Microsoft can get...

Tue, 25 Mar 2008 20:14:00 +0000

Troubleshooting Networking and IPSec Issues

Mon, 05 Nov 2007 03:30:00 +0000

I had a very strange networking issue last weekend.  After connecting to corpnet via VPN and direct hookup, I was able to ping all remote servers, but was not able to do anything, such as web browsing and remote desktop.  It was not the first time that I faced this issue, and helpdesk told...

ASP.NET ValidateRequest does not mitigate XSS completely

Fri, 19 Oct 2007 17:26:17 +0000

As a security guy, I can safely say that there is no magic bullet to mitigate any security problem completely, and cross-site scripting (XSS) bugs are no exception.  Since ASP.NET 1.1, ValidateRequest can be configured in web.config to check and reject dangerous inputs, and HttpRequestValidationException is thrown before the input is even processed by your code.  For...

Read Office Files as ZIP

Fri, 19 Oct 2007 15:33:38 +0000

It is interesting to me that Office 2007 Metro formats can be broken down as a ZIP file.  To see this in action, pick an Office 2007 Metro file, such as an XLSX or DOCX, and rename its extension to ZIP.  Then open the renamed file with WinZip.  You will see that Office 2007...

Is Microsoft Office Isolated Conversion Environment (MOICE) mocha on ice?

Fri, 19 Oct 2007 14:49:38 +0000

MOICE may sound like mocha on ice, but it is really a strong dark espresso shot offered by the Office TWC team to jolt up security.  Microsoft Office Isolated Conversion Environment (MOICE) is a new security tool that helps protect Office users from malicious documents. The Office team strives to enhance its security, and MOICE is further evidence that...