Why Symantec Cannot Always be Trusted

Ok, this issue started with an article by Symantec titled “An Example of Why UAC Prompts in Vista Can’t Always Be Trusted.”
After that, Thor (Hammer of God) posted his opinion on Bugtraq, which prompted a few other responses.
So I decided to look at the issue more closely and add my own opinion. The result is that […]

More on Program.exe

I thought I would add a bit more to my original post to clarify the problem. Half of the problem is the way Windows searches paths, and the other half is software developers who don’t quote their paths in the Registry or when calling CreateProcess. There are no built-in Windows services that have this problem […]

The Program.exe Problem

A couple of years ago I mentioned in a SecurityFocus column that Windows has a problem when you put a file named “program.exe” in the system root directory. The problem is basically in how Windows deals with spaces in paths that don’t have quotes around them. Anyone with the permissions to create a file in the […]

Be Smarter with Account Names

One thing that bothers me about many web sites out there is how I get to (or don’t get to) choose my account name. Sure, many web sites let you have any account name you want, but some web sites just want to use your e-mail address. While this is very convenient for low security […]

Patterns & Practices Security Wiki

If you do any kind of .NET web development, it would be well worth your time to dig through Microsoft’s Patterns & Practices Security Wiki.
The Wiki is a good index of old articles and a launching point for new articles on secure web development. Even if you have a small web application, it doesn’t hurt […]

Creating Free 3rd Party Certificates

There are many ways you can use digital certificates in Windows. The only problem is that it often involves either having your own CA, paying for certificates from a trusted CA or, the worst option, using self-signed certificates. Fortunately, there is another solution. CAcert.org provides free digital certificates for anyone who wants to set up […]