Address Space Layout Randomization in Windows Vista

Windows Vista Beta 2 includes a new defense against buffer overrun exploits called address space layout randomization. Not only is it in Beta 2, it’s on by default too. Now before I continue, I want to level set ASLR. It is not a panacea, it is not a replacement for insecure code, but when used…


IIS6 vs Apache2 Security Defects

A few days ago I decided to look into how IIS6 has fared security-wise since its release well over a year ago. But I didn’t want to use Microsoft figures; I wanted to use other figures. This led me to Secunia.com as they have a very nice Web site tracking vulnerability counts in different products….

NNNNNOOOOooooo……!

From “Making Windows XP Start Faster” at http://www.pcmag.com/article2/0,1759,1768883,00.asp. Two of the services listed under “Stopping Unneeded Startup Services”: Automatic Updates: This service enables Windows XP to check the Web automatically for updates. If you don’t want to use Automatic Updates, you can disable the service. You can always check for updates manually at the Windows…

Follow-up on IIS6 and Apache Security

Man, I got a ton of email from all over the place about my last blog entry, and it seemed to fall into four groups: Perhaps the security work you guys are doing is paying off?! No way can this be true, you work for Microsoft, so how can you be unbiased? What about Apache…

Update on Internet Explorer 7, DEP and Adobe Software

Because browsers can host plug-in extensibility, security settings within the browser can make plug-ins fail. This is why in Internet Explorer 7 Data Execution Prevention (DEP) is off by default. When it is enabled many plug-in components fail to run, often crashing the browser. You can enable DEP by navigating to the following dialog…

Security Progress at Microsoft

If you have not already done so, I would urge you to take a look at Bill Gates’ “Microsoft Progress Report: Security” at http://www.microsoft.com/mscorp/execmail. One thing that will hit you is the sheer breadth of effort being undertaken at Microsoft in the security arena. And by security, I don’t just mean crypto, I mean quality…

SAFER and Internet Explorer

I’ve received some great feedback from my “Browsing the Web and Reading E-mail Safely as an Administrator, Part 2” article, but a number of people asked how they can get started without using the tool. Here’s some text I want to add to the article: A Quick Start: If you want to get started right away,…

Security Analogies Are Usually Wrong

I have long believed that if someone makes an argument and uses an analogy, then the argument is often weak. But that’s just me! This is why I usually roll my eyes when I hear statements like, “If [bridges|cars|airplanes] were built like software then…” because comparing physical items and software is just wrong. They are not…