(In)Security of MultiByteToWideChar and WideCharToMultiByte (Part 2)

Part 1 of this installment discussed the unsafe nature of MultiByteToWideChar and WideCharToMultiByte.  They do not guarantee terminating strings properly.  In this installment, I want to focus on the count parameters.  There are three count parameters that warrant your attention in order to use these two functions properly. Since these two functions deal with conversion,…


(In)Security of MultiByteToWideChar and WideCharToMultiByte (Part 1)

There are a few well-known unsafe APIs in the standard C library, such as strcpy and memcpy.  These routines are unsafe as buffer and destination buffer size are not taken into consideration.  Buffer overflows may take place because destination buffer is not large enough to hold incoming data.  Safe version of APIs checks that destination…


My favorite security blogs and podcasts

What are your favorite security blogs or podcasts?  Here are mine.  Please leave yours in the comment section. Podcasts Security Now (http://www.grc.com/securitynow.htm) CNet Security Bites (http://securitybites.cnet.com) Blogs Schneier on Security http://feeds.feedburner.com/schneier/fulltext Security Vulnerability Research & Defense http://blogs.technet.com/swi/rss.xml The Microsoft Security Response Center (MSRC) http://blogs.technet.com/msrc/rss.xml Dark Reading http://www.darkreading.com/ The Security Development Lifecycle http://blogs.msdn.com/sdl/rss.xml Microsoft Hackers blog…


“Out of Band” security patch MS08-067

Out of Band security patch MS08-067 is released today.  Microsoft strives to keep our monthly patch Tuesday release cycle so that enterprise administrators can plan ahead for their testing and deployment.  When out of band is released, it must be very urgent due to serious ramifications or presence of known exploits in the wild.  You…


What is unique about patch Tuesday of October 2008?

Technorati Tags: Security Every second Tuesday, MSRC releases security patches for Microsoft products that have fixed vulnerabilities.  The best is to have no patches for patch Tuesdays, and many administrators can take a break from installing patches across their server farms and enterprise desktops.  It will be a long road ahead before Microsoft can get…


ASP.NET ValidateRequest does not mitigate XSS completely

As a security guy, I can safely say that there is no magic bullet to mitigate any security problems completely, and cross-site scripting(XSS) bugs are not exceptions.  Since ASP.NET 1.1, ValidateRequest can be configured in web.config to check and reject dangerous inputs, and HttpRequestValidationException is thrown before the input is even processed by your code.  For…


Is Microsoft Office Isolated Conversion Environment(MOICE) mocha on ice?

MOICE may sound like mocha on ice, but it is really a strong dark espresso shot offered by Office TWC team to jolt up security.  Microsoft Office Isolated Conversion Environment (MOICE) is a new security tool that helps protect Office users from malicious documents. Office team strives to enhance their security, and MOICE is another evidence that…


True test of a security geek

If you chuckle at this comic strip, congratulations!  You are a security geek.  If you don’t chuckle, it is never too late to become one.  Read my blog more, and you will become one. Thanks TechJunkie for forwarding.


System.URI.AbsolutePath Vs Phishing Attack

Phishing attack can be caused by users inadvertently clicking on malicious links in emails or web pages, which then forward requests to malicious websites.  A common phishing technique is to fake emails sent by well-known banks or merchants,, which contain malicious hyperlinks.  Successful phishing attacks allow attackers to steal online user identities, install malwares on the users’ computers, etc. A…


Web Service Security Guidance

I have just published a Technet article.  This is geared for administrators and developers as an introduction to web service security.  It contains lots of references that allow you to deepend your knowledge of web service security. Please visit http://www.microsoft.com/technet/community/columns/sectip/st1007.mspx. Your feedback is welcome.