Online Security Sessions from TechEd IT Forum Available

Knowing the Enemy – A lightning demonstration on how hackers attack networks (Murray, Senior Security Architect, Truesec)
Advanced Malware Cleaning (Russinovich, Technical Fellow, Platform and Services Division, Microsoft)
Windows Vista User Account Control Internals (Russinovich, Technical Fellow, Platform and Services Division, Microsoft)
Defending Layer 8: How to recognize and combat social engineering (Riley, Senior Program…


ASLR and the new linker

Well, the VS team shipped VS2005 SP1. You’ll need the updated linker to support ASLR on Windows Vista. All the new switch does is add a setting to your PE header. So grab the update, and link your EXE with the new /dynamicbase option. Voila!


Update on Internet Explorer 7, DEP and Adobe Software

Because browsers can host plug-in extensibility, security settings within the browser can make plug-ins fail. This is why Data Execution Prevention (DEP) is off by default in Internet Explorer 7: when it is enabled, many plug-in components fail to run, often crashing the browser. You can enable DEP by navigating to the following dialog…


Windows Vista, ASLR, DEP and OEMs

As I mentioned in a previous series of posts, we recently had all the major OEMs on campus to discuss SDL and how we can work together. My big ask of the OEMs (actually, I grovelled, it was pathetic) was to enable DEP/NX in the BIOS by default on all their shipping PCs in time for…


Wresting free from a software straitjacket

There’s an interesting article over at C|Net about security in general, and Microsoft and the SDL in particular. One thing the author points out as important is BillG’s Trustworthy Computing memo. IMHO, here’s why such an email is so important. If you don’t get the senior management team to buy off on this security engineering…


Which Database is More Secure? Oracle vs Microsoft

I was quite surprised when a number of folks criticized the data used in the report titled “Microsoft SQL Server Runs the Security Table” from ESG – it was just CVE data! Well, David Litchfield has done some of his own research, and created a report comparing SQL Server and Oracle. David is no slouch, he…


I received a number of emails about the ‘eXPired’ poster on my office door; heck, it even made “Quote of the Week” in the Seattle Post-Intelligencer (scroll to the bottom). So here it is. As for Tigger – he’s my mood indicator!


Microsoft SQL Server Runs the Security Table

In my opinion, SQL Server 2000 SP3, SQL Server 2005 and IIS6 have been the poster children for SDL. Enterprise Strategy Group just released a research paper comparing the security of SQL Server with Oracle and MySQL. And no, this was not commissioned by Microsoft!