Here are a few quick security links to check out over the barbecue this Labor Day Weekend. Nothing says party like a good discussion about impersonation leaks in managed code and how SIDs work, that's what I always say 🙂
Eric Lippert grabbed another entry out of my blog todo list and posted about a hole in the pattern of impersonating and then reverting the impersonation in a finally block. Basically, malicious users can cause some of their code to run before the impersonation is rolled back, that is, while the impersonated identity is still in effect, which can lead to very bad situations. Read more about this in Eric's post "Finally" does not mean "Immediately".
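To make the ordering concrete, here is an added C# example (not code from this blog or from Eric's post) that simulates impersonation with a plain static field rather than a real WindowsIdentity, so it runs on any .NET without Windows privileges. It relies on the CLR's two-pass exception handling: during the first pass the runtime evaluates exception filters (the `when` clause below) up the call stack looking for a handler, and only in the second pass does it unwind and run finally blocks. A caller's filter therefore executes before an inner finally has reverted. The hardened shape catches and rethrows, so the inner frame itself is chosen as the handler and the revert runs before any outer filter gets a look. The `Identity` stand-in and the method names are assumptions made for the example.

```csharp
using System;

// Constructed stand-in for impersonation state; a real program would use
// WindowsIdentity / WindowsImpersonationContext, which this example avoids.
static class Identity
{
    public static string Current = "caller";

    // Returns the previous identity so the caller can restore it.
    public static string Impersonate(string who)
    {
        string previous = Current;
        Current = who;
        return previous;
    }

    public static void Revert(string previous) => Current = previous;
}

static class ImpersonationDemo
{
    // What an outer exception filter observed as the current identity.
    static string seenInFilter;

    static void DoWork() => throw new InvalidOperationException("simulated failure");

    // Weak shape: the revert lives only in finally. An outer filter runs in the
    // first pass, before this finally, and sees the impersonated identity.
    public static void RevertInFinallyOnly()
    {
        string previous = Identity.Impersonate("privileged-service");
        try
        {
            DoWork();
        }
        finally
        {
            Identity.Revert(previous);
        }
    }

    // Hardened shape: catch, revert, rethrow. This frame becomes the handler in
    // the first pass, so the revert happens before any outer filter is evaluated.
    // The finally still covers the non-throwing path.
    public static void RevertInCatchThenFinally()
    {
        string previous = Identity.Impersonate("privileged-service");
        try
        {
            DoWork();
        }
        catch
        {
            Identity.Revert(previous);
            throw;
        }
        finally
        {
            Identity.Revert(previous);
        }
    }

    // Filter body: record the identity at filter-evaluation time, then accept.
    static bool RecordIdentity()
    {
        seenInFilter = Identity.Current;
        return true;
    }

    // Runs the body under a caller-supplied exception filter and reports what
    // the filter saw. In a real attack the filter would belong to untrusted code.
    public static string ObserveViaFilter(Action body)
    {
        seenInFilter = null;
        try
        {
            body();
        }
        catch (Exception) when (RecordIdentity())
        {
            // Handler runs in the second pass, after inner finally blocks.
        }
        return seenInFilter;
    }

    public static void Main()
    {
        Console.WriteLine(ObserveViaFilter(RevertInFinallyOnly));       // privileged-service
        Console.WriteLine(ObserveViaFilter(RevertInCatchThenFinally));  // caller
    }
}
```

The first line of output shows the weak pattern leaking the impersonated identity to the caller's filter; the second shows the catch-and-rethrow form reverting first. On current .NET the simplest fix is to let the runtime own the scope with WindowsIdentity.RunImpersonated, which reverts internally regardless of how the delegate exits.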
Everyone who reads this blog should be able to identify his question at the end of the post about Assert as being Assert Myth #4.
Larry Osterman's been posting a nice series on the SID (NT's Security Identifier). You can check those out here:
- What is this thing called, SID?
- Fun things to do with SIDs
- How Exchange's role SIDs work (aka NT's security on Psychotropic Drugs)