My Security Planet » Michael Howard's Web Log » March 2008

Feeds

13616 items (0 unread) in 75 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

WebSecurity

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security
• .:Computer Defense:.

Security

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...
• extern blog SensePost;
• Zero in a bit

SEO

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

Tools

• Opensourcetesting.org News

Michael Howard's Web Log

• 

  "How Do I?" Videos for Security

  Posted: March 30th, 2008, 11:38am CDT by michael_HOWARD

  Tags:  Security   [edit]

  These are pretty cool - I'm a big fan of highly focused, short education like this... [msdn2.microsoft.com]

  
• 

  IE8 Activity to lookup CVEs and Microsoft bulletins

  Posted: March 18th, 2008, 10:06pm CDT by michael_HOWARD

  Tags:  Security   [edit]

  Update: Added Microsoft bulletin stuff.

  I'm always looking up CVEs so I want to get to the data as quickly as possible, especially if I'm digging through a load of them. 

  Three years ago I posted some code to perform CVE lookup using Smart Tags in Microsoft Office.

  IE8 offers similar functionality to Smart Tags, but way more flexible, named Activities. So I did a bit of digging around, and found this article by Jane Kim in the IE8 team that explains how to use and create Activities (and provides links to all the appropriate documentation.)

  So I decided to write my own activity to look up CVEs from within IE8. Here's the XML:

  <?xml version="1.0" encoding="utf-8"?>
    <openServiceDescription xmlns="http://www.microsoft.com/schemas/openservicedescription/1.0">
    <homepageUrl>http://nvd.nist.gov</homepageUrl>
      <display>
      <name>Lookup CVE with NIST</name>
      <icon>http://nvd.nist.gov/favicon.ico</icon>
    </display>
    <activity category="define">
      <activityAction context="selection" >
        <preview action="http://nvd.nist.gov/nvd.cfm">
          <parameter name="cvename" value="{selection}" />
        </preview>
        <execute action="http://nvd.nist.gov/nvd.cfm">
          <parameter name="cvename" value="{selection}" type="text" />
        </execute>
      </activityAction>
    </activity>
  </openServiceDescription>

   Here's the same code, but tweaked for Microsoft Security bulletins:

  <?xml version="1.0" encoding="utf-8"?>
    <openServiceDescription
      xmlns="http://www.microsoft.com/schemas/openservicedescription/1.0">
    <homepageUrl>http://www.microsoft.com</homepageUrl>
    <display>
      <name>Lookup Microsoft Bulletin</name>
      <icon>http://www.microsoft.com/favicon.ico</icon>
    </display>
    <activity category="define">
      <activityAction context="selection" >
        <preview action="http://www.microsoft.com/technet/security/bulletin/{selection}.mspx">
        </preview>
        <execute action="http://www.microsoft.com/technet/security/bulletin/{selection}.mspx">
        </execute>
      </activityAction>
    </activity>
  </openServiceDescription>

  To install, copy the file(s) to a Web server, and then run the following from within IE8:

  <button
    onclick="window.external.addService('http://localhost/<name>.xml')">
    CVE Lookup Activity
  </button>

  Now when you click a CVE, you'll have the option to do a CVE lookup: 

  

  Voila!

   

  
• 

  Protecting Your Code with Visual C++ Defenses

  Posted: March 17th, 2008, 6:28pm CDT by michael_HOWARD

  Tags:  Security   [edit]

  MSDN Magazine has just published an article I wrote that collects many of the various C and C++ defenses in the current Visual C++ compiler suite, all of these defenses are SDL requirements or recommendations.
• 

  The impact of the SDL on Microsoft SQL Server

  Posted: March 6th, 2008, 9:25pm CST by michael_HOWARD

  Tags:  Security   [edit]

  Following on from my recent post about Windows Vista security and the SDL, a number of people have indicated to me that obvioulsy it's a fluke. It's important to point out that the reason I talk about Windows Vista so much is because I work in the Windows Division. The SDL was born in Windows.

  But the SDL extends across Microsoft, not just Windows. So if the SDL works, wouldn't we see vulnerability reduction in other Microsoft products too? Er, yes!

  Take a look at a blog post Jeff just made and you'll see what I mean.

  
• 

  Some thoughts about Windows Server 2008

  Posted: March 4th, 2008, 9:31pm CST by michael_HOWARD

  Tags:  Security   [edit]

  Windows Server 2008 has shipped! And a fine product it is, too!

  Windows Server 2008 is the first Windows Server to go through the full SDL process, making it the most secure version of Windows Server to date. We raised the security bar in Windows Vista, and we REALLY raised the bar in Windows Server 2008.

  Windows Server 2008 is a prime product example of our ongoing commitment to Trustworthy Computing, and how the company is making good on its commitment to continue to build the most secure computing environment possible. After the Trustworthy Computing commitment was made a few years ago, we've has made great strides in the right direction, and last week's product launch (Windows Server 2008, SQL Server 2008, and Visual Studio 2008) clearly shows that security remains a top priority.

  While I tend to focus on "Secure Features" Windows Server 2008 is full of "Security Features." Someone asked me for my favorite security features. In no particular order, they are:

  • The various defenses we see in Windows Vista: stack defenses, heap defenses, ASLR, NX etc etc
  • Server Core (ok, technically not a security feature, but a critical way to dramatically reduce a server's attack surface)
  • Network Access Protection (NAP)
  • Server and Domain Isolation
  • Read-Only Domain Controllers
  • Suite-B crypto support

  Oh, the Windows Server 2008 Security Guide is now available!