Updated Errata for Writing Secure Code 2nd Edition


Entire Book


Please replace all references to Windows® .NET Server with Windows® Server 2003.


 


Chapter 2, Page 44


There is a small typo:


 


This effect is called the Hawthorn effect.


 


          Should read:


 


This effect is called the Hawthorne effect.


 


Chapter 8, Page 284


The sentence that starts “DES encrypts the first eight bytes and then pads the remaining five bytes with three bytes, usually null” requires more explanation. Usually, the extra n-bytes are padded with value n. So if there are five extra bytes that require padding, they are padded with five bytes of value 0x05.


 


Chapter 9, Page 302


In the code sample, the lines:


 


BYTE *pbSaltedHash = new BYTE[cbSaltedHash];


if (NULL == *pbSaltedHash) throw;


 


Should read


 


BYTE *pbSaltedHash = new BYTE[cbSaltedHash];


if (NULL == pbSaltedHash) throw;


 


Also, this code is labeled as C/C++ code, it is in fact C++ code.


 


Chapter 9, Page 322


There is a small typo in the #define at the top of the page.


 


#define RtlZeroMemory(Destination,Length) –


     memset((Destination),0,(Length))


 


Should read:


 


#define RtlZeroMemory(Destination,Length) \


     memset((Destination),0,(Length))


 


Chapter 9, Page 322


The assembly language listing has lost whitespace, for example pusheax should read push eax, the corrected listing is:


 


; 30   : void DatabaseConnect(char *szDB) {


 


     sub  esp, 68                      ; 00000044H


     mov  eax, DWORD PTR ___security_cookie


     xor  eax, DWORD PTR __$ReturnAddr$[esp+64]


 


; 31   :     char szPwd[64];


; 32   :     if (GetPasswordFromUser(szPwd,sizeof(szPwd))) {


 


     push 64                      ; 00000040H


     mov  DWORD PTR __$ArrayPad$[esp+72], eax


     lea  eax, DWORD PTR _szPwd$[esp+72]


     push eax


     call GetPasswordFromUser


     add  esp, 8


     test al, al


     je   SHORT $L1344


 


; 33   :         if (ConnectToDatabase(szDB, szPwd)) {


 


     mov  edx, DWORD PTR _szDB$[esp+64]


     lea  ecx, DWORD PTR _szPwd$[esp+68]


     push ecx


     push edx


     call ConnectToDatabase


     add  esp, 8


$L1344:


 


; 34   :             // Cool, we’re connected


; 35   :             // Now do database stuff


; 36   :         }


; 37   :     }


; 38   :


; 39   :     ZeroMemory(szPwd,sizeof(szPwd));


; 40   : }


 


     mov  ecx, DWORD PTR __$ArrayPad$[esp+68]


     xor  ecx, DWORD PTR __$ReturnAddr$[esp+64]


     add  esp, 68                      ; 00000044H


     jmp  @__security_check_cookie@4


DatabaseConnect ENDP


 


Chapter 10, Page 350


There is an error in the C# and Perl regular expressions used to determine if a file extension is valid.


 


In both cases the expression:


 


txt|rtf|gif|jpg|bmp$


 


Should read:


 


(?:txt|rtf|gif|jpg|bmp)$


 


Chapter 16, Page 492


If a privacy level protection is set on an RPC binding handle or a protocol sequence that always provides private communication is used (like ncalrpc), context handles are no longer subject to hijacking starting with Windows Server 2003 and Windows 2000 SP4.


 


Chapter 16, Page 495


Starting with Windows XP and Windows Server 2003, RpcServerInqCallAttributes is recommended over RpcBindingInqAuthClient as it is faster, more versatile and lends itself to future extensions because of built-in versioning.


 


Chapter 16, Page 496


You can also set a flag, RPC_IF_ALLOW_SECURE_ONLY, on the call to RpcServerRegisterIfEx and RpcServerRegisterIf2 to allow only secured connections.


 


Should read:


 


If all you want to do is reject unauthenticated connections, you can set a flag, RPC_IF_ALLOW_SECURE_ONLY, on the call to RpcServerRegisterIfEx and RpcServerRegisterIf2 to allow only secured connections instead of using a security callback.


 


Chapter 16, Page 497


Add the following text prior to the paragraph that starts, “It is preferable”


 


However, using this flag has one important limitation – it tells you nothing about who the user is. To pass the check imposed by this flag, the client simply has to have valid authentication information. If you have low privileged accounts on your server (like guest), using this flag will not reject requests by these users. If there is any account enabled on the machine that you don’t want to accept requests from, you should use a security callback function and check for user identity.


 


Chapter 18, Page 535


A friend told me I would soon by out of a job


 


Should read:


 


A friend told me I would soon be out of a job


 


Chapter 18, Page 544


PermMaximum È (PermMinimum Ç PermOptional)) – PermRefused


 


Should read:


 


PermMaximum Ç (PermMinimum È PermOptional)) – PermRefused


 


Chapter 19, Page 549


There is an error in the C# sample code at the top of the page, the line reading:


 


new PermissionSet(PermissionState.Unrestricted);


 


Should read:


 


new PermissionSet(PermissionState.None);


 


Chapter 19, Page 587


is the Cenzic product named Hailstorm This tool allows a tester to construct


 


Is missing a period character, and should read:


 


is the Cenzic product named Hailstorm. This tool allows a tester to construct


 


Chapter 19, Page 596


There is a small, but important, typo in the first code sample:


 


# Note the use of back ticks – like calling system()


‘$exe $FILE’;


 


          Should read:


 


# Note the use of back ticks – like calling system()


`$exe $FILE`;


 


Chapter 19, Page 610


This leads to more complete test code, but even with broad test plans the test must code must be good quality,


 


Should read:


 


This leads to more complete test code, but even with broad test plans the test code must be good quality,


 


Chapter 23, Page 665


In the second bullet, SetThreatDesktop should read SetThreadDesktop.


 


 

Comments (11)

  1. Nick Parker says:

    Thanks Michael,

    I’ve had this book since last March, it is absolutely a great reference and an enjoyable read.

    -Nick Parker

  2. John says:

    Should I really read this thick book? I try to keep an eye to security through simple but powerful measures. I maintain a web presence and try to stay aware of hacking methods. But this book, man, sheesh. Do you know its status within Microsoft? Because I occasionally interview there for Programmer/Writer work. I read Writing Solid Code long before it was popular, and it was great. But this book is ponderous!

  3. Michael Howard says:

    >>eye to security through simple but powerful methods.

    Care to share these methods?

  4. Updated Errata for Writing Secure Code 2nd Edition

  5. BTW, Michael, I’m reading russian version of book (http://www.rusedit.ru/view_book_sheet.asp?FROM=SINGLE&BOOKID=1129) now and found that translation is very good in technical/security terms (many typos and still Windows® .NET Server, but who cares ;).

  6. kuki says:

    Believe you, support you, I believe that you are right! ! ! I will make great efforts to look like your study! ! !