Eval is Evil, Part Two

As I promised, more information on why eval is evil. (We once considered having T-shirts printed up that said “Eval is evil!” on one side and “Script happens!” on the other, but the PMs never managed to tear themselves away from their web browsing long enough to order them.) Incidentally, a buddy of mine who…


Michael’s Security Blog is online

Michael Howard has started blogging.  If you’re interested in writing secure code (and these days, who isn’t?) you could do worse than to read anything he writes. 


The Malware of Ultimate Destruction

The other day Peter was talking about the ActiveX Control of Ultimate Destruction — a hostile control which, the moment it is loaded, immediately formats your hard disk. The aim of the ACoUD is to do “as much damage as possible in a short amount of time”. Well, Peter’s not the only one who’s kept…


Digging A Security Hole All The Way To China

I mentioned earlier that I wrote one of the last books published by the now-bankrupt Wrox Press. A sharp-eyed coworker who happened to be in China the other day sent me a copy of this: Holy cow, I had no idea that Wrox translated my book into Chinese! No one ever told me that such…


How Do I Script A Non-Default Dispatch?

As I’ve discussed previously, the script engines always talk to objects on the late-bound IDispatch interface. The point of this interface is to allow a script language to call a method or reference a property of an object by giving the name of the field and the arguments. When the dispatch object is invoked,…


More on Certificates and Trust Decisions

I said earlier that certificates could be used to establish identity and hence the right to run trustworthy software on your machine.  I want to emphasize in the strongest possible terms that this is not all that certificates are used for.  A lot of people are confused by this, including a lot of very smart,…


Evil Security Twin Powers… Activate!

One day Peter Torr and I walked into Herman Venter’s office (Herman was the architect and primary implementer of JScript .NET).  We were grinning.  Herman knew what that meant.  He took one look at us and said “Uh oh, here come the Evil Security Twins.”  And indeed, we had found another potential vulnerability in JScript…


Error Messages Considered Harmful

My office nameplate was entirely apropos; LoadPicture continued to plague me throughout my career. During the Windows Security Push last year we finally turned it off. When VBScript is running in IE, the LoadPicture method causes an illegal function call exception. Why’s that? There’s a big security hole in LoadPicture. Not because…