Troubleshooting Networking and IPSec Issues

  I had a very strange networking issue last weekend.  After connecting to corpnet via VPN and direct hookup, I was able to ping all remote servers, but was not able to do anything, such as web browsing and remote desktop.  It was not the first time that I faced this issue, and helpdesk told…


ASP.NET ValidateRequest does not mitigate XSS completely

As a security guy, I can safely say that there is no magic bullet to mitigate any security problem completely, and cross-site scripting (XSS) bugs are no exception.  Since ASP.NET 1.1, ValidateRequest can be configured in web.config to check and reject dangerous inputs, and an HttpRequestValidationException is thrown before the input is even processed by your code.  For…


Read Office Files as ZIP

It is interesting to me that Office 2007 Metro formats can be opened as a ZIP file.  To see this in action, pick an Office 2007 Metro file, such as an XLSX or DOCX, and rename its extension to .zip.  Then open the renamed file with WinZip.  You will see that Office 2007…


Is Microsoft Office Isolated Conversion Environment (MOICE) mocha on ice?

MOICE may sound like mocha on ice, but it is really a strong dark espresso shot offered by the Office TWC team to jolt up security.  Microsoft Office Isolated Conversion Environment (MOICE) is a new security tool that helps protect Office users from malicious documents.  The Office team strives to enhance their security, and MOICE is more evidence that…


True test of a security geek

If you chuckle at this comic strip, congratulations!  You are a security geek.  If you don’t chuckle, it is never too late to become one.  Read my blog more, and you will become one.  Thanks to TechJunkie for forwarding it.


Given enough eyeballs all bugs are shallow: True or False?

“Given enough eyeballs, all bugs are shallow.”  I do agree that if more right-minded folks look at a piece of code, it helps identify both security and non-security bugs.  This premise is built on the assumption that all reviewers have the best intentions in mind.  However, do all people have the best intentions in mind? …


System.URI.AbsolutePath Vs Phishing Attack

Phishing attacks are often caused by users inadvertently clicking on malicious links in emails or web pages, which then forward requests to malicious websites.  A common phishing technique is to fake emails sent by well-known banks or merchants, which contain malicious hyperlinks.  Successful phishing attacks allow attackers to steal online user identities, install malware on the users’ computers, etc.  A…


Web Service Security Guidance

I have just published a TechNet article.  It is geared for administrators and developers as an introduction to web service security.  It contains lots of references that allow you to deepen your knowledge of web service security.  Please visit the article.  Your feedback is welcome.


More eyeballs for .NET Framework code

Microsoft will open up the source code of the .NET Framework to the public.  This allows outsiders to review what is under the hood, and enables easier debugging of development projects built on the .NET Framework.  The .NET Framework code has been reviewed heavily, and developers can pick up coding best practices by reviewing its source code.  The…


Anti-Malware and Spyware help for home users

Working for Microsoft means that I become de facto technical support for my friends and family.  That is probably the experience of many folks in the computer industry.  When I introduce my job title as “senior security consultant” to friends and family, I get promoted to technical and security support, and instantly I am…