Eugene Siu's Thoughts on Security

Share my latest security research and techniques

(In)Security of MultiByteToWideChar and WideCharToMultiByte (Part 2)

Part 1 of this installment discussed the unsafe nature of MultiByteToWideChar and...

Author: Eugene Security Date: 11/15/2008

(In)Security of MultiByteToWideChar and WideCharToMultiByte (Part 1)

There are a few well-known unsafe APIs in the standard C library, such as strcpy and memcpy. ...

Author: Eugene Security Date: 11/06/2008

My favorite security blogs and podcasts

What are your favorite security blogs or podcasts?  Here are mine.  Please leave yours in...

Author: Eugene Security Date: 10/23/2008

“Out of Band” security patch MS08-067

Out of Band security patch MS08-067 is released today.  Microsoft strives to keep our monthly...

Author: Eugene Security Date: 10/23/2008

What is unique about patch Tuesday of October 2008?

Every second Tuesday, MSRC releases security patches for Microsoft...

Author: Eugene Security Date: 10/15/2008

alert()

<script>alert()</script>

Author: Eugene Security Date: 03/25/2008

Troubleshooting Networking and IPSec Issues

I had a very strange networking issue last weekend. After connecting to corpnet via VPN and direct...

Author: Eugene Security Date: 11/05/2007

ASP.NET ValidateRequest does not mitigate XSS completely

As a security guy, I can safely say that there is no magic bullet to mitigate any security problems...

Author: Eugene Security Date: 10/19/2007

True test of a security geek

If you chuckle at this comic strip, congratulations! You are a security geek. If you don't chuckle,...

Author: Eugene Security Date: 10/11/2007

Given enough eyeballs all bugs are shallow: True or False?

"Given enough eyeballs all bugs are shallow." I do agree if more right-minded folks look at a piece...

Author: Eugene Security Date: 10/11/2007

System.URI.AbsolutePath Vs Phishing Attack

Phishing attacks can be caused by users inadvertently clicking on malicious links in emails or web...

Author: Eugene Security Date: 10/10/2007

Web Service Security Guidance

I have just published a Technet article. This is geared for administrators and developers as an...

Author: Eugene Security Date: 10/10/2007

More eyeballs for .Net Framework code

Microsoft will open up source code of .Net Framework to the public. It allows outsiders to review...

Author: Eugene Security Date: 10/04/2007

Anti-Malware and Spyware help for home users

Working for Microsoft means that I become de facto technical support for my friends and family. That...

Author: Eugene Security Date: 09/26/2007

HTTP Header Injection Vulnerabilities

HTTP Response Splitting was discovered several years ago. It allows attackers to split an HTTP...

Author: Eugene Security Date: 09/23/2007
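An added example to go with the entry above (it is not code from the original post): a redirect handler copies an attacker-controlled value into a Location header, a CR/LF sequence in that value turns one response into two, and a simple sequential client parser shows the second, attacker-authored response being accepted. The attack string, the tiny response builder and the parser are all constructed for this illustration; the fix shown is the standard one of rejecting CR and LF in header values.

```python
"""CRLF injection in an HTTP header, and the check that stops it.

Added example, not from the original post. Everything here is constructed:
a minimal 302 builder standing in for a web framework, a hypothetical
attacker value, and a naive client-side parser.
"""


def build_response_unsafe(redirect_target: str) -> bytes:
    """Vulnerable: the target goes into Location with no CR/LF filtering."""
    headers = [
        "HTTP/1.1 302 Found",
        "Content-Length: 0",
        "Location: " + redirect_target,
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("latin-1")


def build_response_safe(redirect_target: str) -> bytes:
    """Hardened: refuse any header value that could terminate a header line."""
    if "\r" in redirect_target or "\n" in redirect_target:
        raise ValueError("CR/LF is not allowed in a header value")
    return build_response_unsafe(redirect_target)


def rejects_crlf(redirect_target: str) -> bool:
    """True if the hardened builder refuses this value."""
    try:
        build_response_safe(redirect_target)
    except ValueError:
        return True
    return False


def parse_responses(raw: bytes):
    """Read `raw` the way a simple HTTP client does: status line, headers,
    then exactly Content-Length bytes of body, repeated while another
    status line follows. Returns [(status_line, body), ...]."""
    seen = []
    pos = 0
    while raw.startswith(b"HTTP/", pos):
        end = raw.index(b"\r\n\r\n", pos)
        head = raw[pos:end].decode("latin-1").split("\r\n")
        status, header_lines = head[0], head[1:]
        length = 0
        for line in header_lines:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
        body_start = end + 4
        body = raw[body_start:body_start + length]
        seen.append((status, body))
        pos = body_start + length
    return seen


# Constructed attacker value: a normal path, then a blank line that ends the
# real response, then a complete second response carrying script content.
INJECTED_HTML = "<script>alert(1)</script>"
ATTACK = (
    "/home\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: %d\r\n"
    "\r\n"
    "%s"
) % (len(INJECTED_HTML), INJECTED_HTML)


if __name__ == "__main__":
    for status, body in parse_responses(build_response_unsafe(ATTACK)):
        print(status, body)
    print("hardened builder rejects attack:", rejects_crlf(ATTACK))
```

A client that reads the unsafe output sees two responses; the second is entirely attacker-chosen, which is what makes cache poisoning and script injection possible from a single injected header. Percent-encoding the value instead of raising is an equivalent fix, provided every header-writing path goes through it.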

Reset Outlook connections without restart

This is a well hidden trick in Outlook. Not sure why this needs to be hidden. You can open...

Author: Eugene Security Date: 09/23/2007

Silverlight security MSDN magazine article

I have submitted an article proposal to MSDN to write about Silverlight security with my buddy in...

Author: Eugene Security Date: 09/21/2007

Just learned how to cross-post via MetaWeblog API

I work for ACE team, and want to cross-post from http://blogs.msdn.com/esiu to...

Author: Eugene Security Date: 09/20/2007

IE Developer Toolbar helps me hack

I was browsing IE blog articles to get research ideas. I came across IE Developer Toolbar, and...

Author: Eugene Security Date: 09/19/2007

Exchange 2007 RPC interfaces are locked down

Exchange 2007 RPC interfaces have retired support of various legacy RPC bindings, including...

Author: Eugene Security Date: 05/08/2007

My first passphrase

I have read many articles about the benefits of using passphrases in contrast to passwords. For more...

Author: Eugene Security Date: 05/08/2007

Distribution List is more locked down in Exchange 2007 to reduce spam

A distribution list is used for grouping users together, and emails can be sent to all members...

Author: Eugene Security Date: 04/30/2007

Is anonymous read-only site immune to XSS?

Most folks know that cross-site scripting (XSS) bugs can be used to steal logon cookies, as this...

Author: Eugene Security Date: 02/22/2007

I am excited about EV Cert

I like the idea behind Extended Validation Cert a lot. It is designed to combat phishing problems....

Author: Eugene Security Date: 02/09/2007

Why do browsers show cert warnings for Outlook Web Access 2007 by default?

You may wonder why OWA 2007 shows cert warnings by default on most browsers. At the back of your...

Author: Eugene Security Date: 02/03/2007

To configure and test IP block list from Spamhaus.org for Exchange 2007

Set-IPBlockListProvider -Name "Spamhaus Example" -Identity sbl-xbl.spamhaus.org -AnyMatch:$true If...

Author: Eugene Security Date: 01/29/2007

Network Service Vs Local System

Running a service as Local System is bad because it has powerful access to local resources, and...

Author: Eugene Security Date: 07/19/2005

About NTLM/Kerberos and Constrained Delegation in W2k3

I find some well-written documentation on NTLM/Kerberos and Constrained Delegation in W2k3 to share...

Author: Eugene Security Date: 03/09/2005

About LDAP injection

The concept of LDAP injection is similar to SQL injection, except that the target is Active...

Author: Eugene Security Date: 03/09/2005
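An added example to go with the entry above (it is not code from the original post): a search filter built by pasting a username into the filter string, the wildcard and extra-clause inputs that abuse it, and the RFC 4515 escaping that closes the hole. To show the effect without a directory, the block includes a small in-memory evaluator over a constructed set of entries; it supports only AND filters and equality matches, which is all the illustration needs.

```python
"""LDAP filter injection and RFC 4515 escaping.

Added example, not from the original post. The directory entries, the
filter evaluator and the attacker inputs are constructed; no LDAP server
or client library is involved.
"""
import re

# Constructed directory: two users and one computer account.
DIRECTORY = [
    {"objectclass": "user", "samaccountname": "alice"},
    {"objectclass": "user", "samaccountname": "bob"},
    {"objectclass": "computer", "samaccountname": "WS01$"},
]


def build_filter_unsafe(username: str) -> str:
    """Vulnerable: the username is concatenated straight into the filter."""
    return "(&(objectClass=user)(sAMAccountName=" + username + "))"


# RFC 4515 section 3: these characters must be written as \xx inside a value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value: str) -> str:
    """Escape one assertion value for use inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_safe(username: str) -> str:
    """Hardened: the same filter, with the value escaped first."""
    return "(&(objectClass=user)(sAMAccountName=" + ldap_escape(username) + "))"


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _value_matches(pattern: str, actual: str) -> bool:
    # An unescaped '*' is a wildcard; escaped characters are literal.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def _split_top(s: str):
    """Split "(a)(b)(c)" into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def evaluate(filt: str, entry: dict) -> bool:
    """Evaluate an AND-of-equality filter against one entry."""
    filt = filt.strip()
    if filt.startswith("(&"):
        return all(evaluate(sub, entry) for sub in _split_top(filt[2:-1]))
    attr, _, pattern = filt[1:-1].partition("=")
    return _value_matches(pattern, entry.get(attr.lower(), ""))


def search(filt: str, directory=DIRECTORY):
    """Return the sAMAccountName of every entry the filter matches."""
    return sorted(e["samaccountname"] for e in directory if evaluate(filt, e))


if __name__ == "__main__":
    for user_input in ["alice", "*", "*)(objectClass=*"]:
        print(repr(user_input))
        print("  unsafe:", search(build_filter_unsafe(user_input)))
        print("  safe:  ", search(build_filter_safe(user_input)))
```

The unsafe filter lets a lone `*` enumerate every user, and `*)(objectClass=*` shows the attacker adding clauses of their own; after escaping, both inputs are treated as literal account names and match nothing. Escaping covers assertion values only; a value used as a DN component needs the separate RFC 4514 rules.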

View calendar via Date and Time Properties as non-admin

It is inconvenient that I cannot open Date and Time Properties as non-admin. Non-admins should not...

Author: Eugene Security Date: 02/10/2005

How to enable Remote Desktop for non-admin?

After hearing from many that Power Users are still admin, I have converted myself to a regular user....

Author: Eugene Security Date: 01/26/2005

Running as non-admin is not as hard as I imagine

As a security tester, we need to ensure that our product works under minimal privilege. Yes, test...

Author: Eugene Security Date: 01/19/2005

Why is a JPG file forced to be saved as BMP in IE?

When I right-clicked on IE 6 to save a JPG file, the Save Picture dialog box shows BMP as the only...

Author: Eugene Security Date: 12/29/2004

What is the maximum size of post requests to IIS?

ASP applications are protected, but what happens to non-ASP requests? Currently, there is no...

Author: Eugene Security Date: 11/18/2004

Do you have an easy way to find out what error codes mean?

You should check out err.exe available from...

Author: Eugene Security Date: 11/10/2004

Nifty feature of Outlook Appointment/Meeting

Remembering today's date is not my forte. In order to set up an appointment/meeting for tomorrow, I...

Author: Eugene Security Date: 11/10/2004