Buffer Overflow in Apache 1.3.xx fixed on Bugtraq – the evils of strncpy and strncat!

This just came in my inbox from Bugtraq: a buffer overrun processing Apache 1.3.x .htpasswd files, “local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33?” at http://www.securityfocus.com/archive/1/379842/2004-10-26/2004-11-01/0. What was interesting is that the fix has a buffer overrun; can you spot it? Note, this is a proposed fix for a publicly known defect,…


Anatomy of a Hack

My good friend, Jesper Johansson, just did something that’s really hard to do – make the front page of www.microsoft.com, with his “Anatomy of a Hack” paper. Go take a look… In a few days this’ll be replaced with something else, in which case, you should go direct to the paper http://www.microsoft.com/technet/technetmag/issues/2005/01/AnatomyofaHack/default.aspx


A New Way to Detect Integer Overflows?

David LeBlanc and I have written a good deal about Integer Overflow issues, including the following: WSC 2nd Ed: pp620-624; Reviewing Code for Integer Manipulation Vulnerabilities (http://msdn.microsoft.com/library/en-us/dncode/html/secure04102003.asp); Integer Handling with the C++ SafeInt Class (http://msdn.microsoft.com/library/en-us/dncode/html/secure01142004.asp); An Overlooked Construct and an Integer Overflow Redux (http://msdn.microsoft.com/library/en-us/dncode/html/secure09112003.asp). A couple of days ago I saw some code from someone…


Updated Writing Secure Code Errata

A big thanks to Niels Dekker for providing me with the feedback. Here’s the diff only. Chapter 5, Page 145: There’s a small error in the ArrayIndexError code: printf("Usage is %s [index] [value]\n"); Should read: printf("Usage is %s [index] [value]\n", argv[0]); Chapter 10, Page 344: There’s an error in the CopyData…


Security issue of MSDN is out today

The annual Security issue of MSDN is out, and you should find a copy in your local book or magazine store. Or, if you like, you can read the issue online at http://msdn.microsoft.com/msdnmag. I wrote an article in this issue outlining a method to reduce attack surface; you can read it here: http://msdn.microsoft.com/msdnmag/issues/04/11/AttackSurface/default.aspx. I…


Follow-up on IIS6 and Apache Security

Man, I got a ton of email from all over the place about my last blog entry, and it seemed to fall into four groups: Perhaps the security work you guys are doing is paying off?! No way can this be true, you work for Microsoft, so how can you be unbiased? What about Apache…


IIS6 vs Apache2 Security Defects

A few days ago I decided to look into how IIS6 has fared security-wise since its release well over a year ago. But I didn’t want to use Microsoft figures; I wanted to use other figures. This led me to Secunia.com as they have a very nice Web site tracking vulnerability counts in different products….


Online Chat with Members of the Security Business Unit

Microsoft is working hard to improve security, and Rich Kaplan, Corporate Vice President for the Security Business Unit, and his security team invite you to join them in a candid Q&A session. Ask us your tough questions; share with us what is going well and what needs improvement. This is your chance to talk up…


YAASN.1B (Yet-Another-ASN.1-Bug)

Yes, this time in Squid. I’ve been following security bugs in ASN.1 parsers for some time now, as it seems to be a common bug, owing to the complexity of parsing complex structures like ASN.1. By my count, 18 or so security updates have been issued in the last two years relating to ASN.1 parsing: Squid…