"LUA Bug" demo app

I do a lot of presentations on how to identify and fix “LUA bugs” in applications (*), both for Windows XP and Windows Vista.  I frequently use a little VB6 application to demonstrate writing to various portions of the file system and registry, write to .ini files in protected locations, restart services, explicitly check for…


LUA Buglight 2.0, second preview

LUA Buglight is a utility that helps identify “LUA bugs” in applications — application features that that fail as standard user but that work as administrator.  I work on it in my spare time, so progress has been slow.  Attached to this blog post is the second preview version of LUA Buglight 2.0. Main changes…


I’ll be at Tech*Ed in Barcelona, Nov 3-7

I’m on the schedule to speak at Tech*Ed EMEA in Barcelona the week of November 3-7.  I’ve got three sessions listed below (sharing CLI08-IS with Chris Jackson):  Code Title Date/Time CLI403 Tools for Identifying “LUA Bugs” (Admin-Permissions-Required Bugs) November 6 18:00 – 19:15 Lots of programs were designed by developers running as admin for users…


The Return of PrivBar (x86 and x64)

I recently switched internet service providers, not realizing when I did that PrivBar and MakeMeAdmin would suddenly disappear from the internet when they un-provisioned my space on their servers.  Oops. To try to compensate you for the inconvenience, PrivBar is now available once again, now in x86 and x64 versions.  So if you are running an…


LUA Buglight 2.0 – preview

Attached to this blog post is a PREVIEW VERSION of LUA Buglight 2.0.  LUA Buglight is a utility that helps identify “LUA bugs” in desktop applications — the bugs that appear when the application is run as a standard user instead of as an administrator. Some of the improvements in LUA Buglight 2.0 over its…


Published – Security by Obscurity, and FDCC

In case I actually have any fans that are interested in things I’ve written outside of this blog (must be sick people)… I recently contributed a sidebar to the cover story of this month’s TechNet Magazine:  Hiding in Plain Sight – Security By Obscurity.  Jesper Johansson and Roger Grimes wrote the main point/counterpoint, to which…


Info about LUA Buglight 2.0

I recently did a TechNet webcast about the upcoming LUA Buglight 2.0. You can view the webcast here, and download the slides here.


I’ll be speaking at Tech*Ed in June

I’m speaking at Tech*Ed North America 2008, during the “IT Professionals” week, June 10-13.  I’ll be presenting SIX (6) sessions, all on non-admin / least-privilege and the resulting application compatibility issues that arise.  (When I started my “non-admin” blog back in 2004, it was all about security.  Now that least-privilege has increasingly become the default,…


Why apps have security bugs ([attempted] humor)

One reason why apps have security bugs — because we developers were trained to focus on and typically only ever focused on how legitimate users will use the product — we never used to have to think about misuse!   A couple of years ago I wrote up a little skit.  It’s a software developer and a…