
Browse by Tags

All Tags » Things you shou... » Security
Not surprisingly, Valorie and I both do some of our holiday season shopping at ThinkGeek. But no longer. Valorie recently placed a substantial order with them, but instead of processing her order, they sent the following email: From: ThinkGeek Customer Read More...
When you're doing inter-process communication, it's often necessary to use named synchronization objects to communicate state between the processes. For instance, if you have a memory section that's shared between two processes, it's often convenient Read More...
Eagle-eyed reader Jens Geyer sent me an email yesterday asking: There's a KB article, where there is an example code how to determine if the current process/thread is running from admin account. The sample code changed in the newest revision of that KB Read More...
Yesterday, I posted a question about a security sample I ran into the other day. I mentioned that the function made me cringe the instant I saw it. Mike Dunn and Sys64378 danced around the root of what made the function cringeworthy, but Alan nailed it Read More...
Today, Michael Howard posted a link to updated documentation that contains the new list of banned APIs that is in place for Windows Vista. This is GREAT, and I'm really glad to see it - we've excised all of these functions from our code, others should Read More...
Yesterday's post discussed a hypothetical API to retrieve data from the registry. The security hole in the original code is that if the value in the registry is exactly 512 bytes long, the buffer isn't null terminated. That means that the caller, who Read More...
Time for another "What's wrong with this code". This time, it's an exercise in how a fix for a potential security problem has the potential to go horribly wrong. This is a multi-part bug, so we'll start with the original code. We start the exercise with Read More...
Thanks For Letting Us Know Vernon Blake, an engineer at the Alabama Department of Transportation, was upset that it was an office joke that his boss spent most of his workday playing computer games. Since he was the department's network administrator, Read More...
 