Robert Hensing's Blog

Software Security . . . and stuff.

Robert Hensing's Blog

  • Bluehat V8: Mitigations Unplugged

    I first got to see Matt Miller speak in person a few Bluehat's ago when he was talking about 'Temporal return addresses' . . . ah yes - the talk was entitled "Temporal Chronomancy" according to Mr. Shostack's blog and it was all the way back in 2005....
  • Interesting stuff and the end is near (for my blog)

    First off - OneCare is dead - long live . . . OneCare . . . err Morro? http://news.cnet.com/8301-1009_3-10101582-83.html?tag=newsLeadStoriesArea.1 Next up - Zune 3.1 is out - download it - love it. http://www.engadget.com/2008/11/18/zune-3-1-update...
  • This week's Fail Open Goat Award goes to - Credit Card Processing

    http://www.veracode.com/blog/2008/10/credit-cards-failing-open/
  • Microsoft SideSight?

    Looks cool: http://www.gearlog.com/2008/10/microsofts_sidesight_something.php
  • SmoothHD

    Akamai / IIS7 / SilverLight 2.0 / VC-1 == HD over broadband happiness. It's sort of cool - the video started off a tad blurry and then got sharper after a few seconds and I didn't have a single glitch. Pretty impressive stuff: http://www.smoothhd.com...
  • Mass SQL Injection : The Chinese Way

    The blog pretty much speaks for itself: http://www.circleid.com/posts/20081022_sql_injection_attacks_chinese_way/ Client-side browser vulns are of little use without an effective way of spreading them to the victims - unfortunately - it's still relatively...
  • Out of band security update planned for today (MS08-067)

    Updated 10/23/2008 @ 1:17pm EST We have pushed the update live - here's the direct link to the bulletin: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx (if it doesn't work for you - keep trying - it will be live real soon now). Also...
  • Flash 10 & IE8b2 Per Site ActiveX

    So I've got IE8b2 installed on all of my machines and I've noticed that since installing Flash 10 that all web sites now prompt me before running Flash 10! The new gold bar experience users will see when they install Flash 10 on IE8 is described here...
  • Flash 10 is out - install it like . . . yesterday.

    If I were a bad guy and I wanted to pwn lots of people via the web - I'd probably focus my efforts on ubiquitous software guaranteed to give me a lot of bang for my buck (like Flash and Acrobat). Software like Flash would seem like a good target given...
  • Win7 to officially be called . . . Win7?

    I actually for once - LOVE that we are keeping the name of the OS simple and leaving it at Win7. I will admit - I was somewhat disappointed when XP's name was announced internally (internally it was known as Whistler) and I was downright horrified when...
  • MAPP + Exploitability Index == Protected Customers, Better Security Update Prioritization

    Today we officially launched our MAPP program ( http://www.microsoft.com/security/msrc/mapp/partners.mspx ) and at the same time we also started providing exploitability information about our vulnerabilities to the world. These two things are pretty huge...
  • DayCon II / OSU Security Day / SafeCode

    Welp - just got back from speaking at a couple of events in Dayton, OH. First up was THE Ohio State University security day . . . I delivered my 'targeted attacks' presentation which I've been doing for over 2 years now (everything's the same - only the...
  • Shostack on "Threat Modeling"

    Adam Shostack is incredibly smart - and he also happens to be responsible for managing the threat modeling aspect of the SDL these days. Here's got a nice 10 page paper here on threat modeling - very much worth the read if you're into that sort of thing...
  • iPhone running WM 6.1?

    Okay - I'm not sure if this is real or not - but the interview itself is hilarious - the questions the woman asks at the end and the kid's responses are hysterical: http://wmpoweruser.com/?p=1330
  • SkyFire?!?!?!

    OMG - how is it possible that I JUST today found out about this? http://www.skyfire.com What is it? It's a new FREE (for now) browser for WM phones . . . that doesn't absolutely positively suck. I just installed it on my Q9 smartphone and it rendered...
  • I'm a PC and I fight for the users . . .

    Tron Guy makes a cameo in our "I'm a PC" video wall: http://media.lifewithoutwalls.com/ugc/t/r/o/tronguy/tronguy_336_252.wmv Here's the algorithm for finding direct links to videos based on user name: http://media.lifewithoutwalls.com/ugc/[1st letter...
  • Extreme Ad Makeover - We are now entering "the 2nd phase"?

    You know, I have one simple request. And that is if we are to have an ad campaign with sharks, that we have sharks with frickin’ laser beams attached to their heads! http://www.nytimes.com/2008/09/18/business/media/18adco.html?pagewanted=1&_r=1&ei...
  • Zune 3.0 - Using wifi to download songs right from the ZMP (speed test)

    Today a friend asked me how fast downloading songs / albums from the ZMP was and I had to admit - I wasn't sure. The day the firmware came out I immediately hooked up my Zune to my wifi network at home and then connected to the marketplace and then started...
  • Zune 3.0 - Insanely great creamy goodness from the Zune team

    So I have a Zune 80 (black) and I freaking love it. The Zune software kicks the living crap out of anything Apple has ever released in terms of quality and functionality and ease of use. The software just works, the Zune just works - it's probably the...
  • GOVCERT.NL and German authorities recommend against installing Chrome!?

    It was only a matter of time - the first few days worth of bugs were so bad I gave up covering them / reading them and one *has* to question Google's commitment and ability to write secure code: http://www.computerworld.co.ke/articles/2008/09/09/security...
  • 6 on 6? (Hot IE on WM action)

    Whoa . . . a full fledged browser on my Smartphone! Yes please! http://news.cnet.com/8301-13860_3-10039152-56.html?tag=newsLeadStoriesArea.0 Don't get me wrong - the browser on WM6.1 is nice . . . but it's still not all that great - lots of pages...
  • New Microsoft Ad with Bill and Jerry - it's actually sorta FUNNY!

    And holy crap - it's 4.5 minutes long!!! You can watch the ad in better definition than you can on Youtube by going here (and it looks like down on the timeline we'll have them all up there soon): http://www.microsoft.com/windows/ Okay - I have...
  • Why I'm not running Chrome anymore (back to IE8 beta 2 for me)

    http://www.milw0rm.com/exploits/6367 Long strings leading to stack overruns? Really Google? Srsly? I guess I have the answer to my questions about whether they have an SDL / or the notion of banned APIs / or automated code scanning stuff . . . I mean...
  • It begins . . .

    UPDATE : Go here and watch the video - it's higher resolution and better: http://www.microsoft.com/windows/ Our $300MM ad campaign featuring Seinfeld: http://www.techcrunch.com/2008/09/04/first-bill-gatesjerry-seinfeld-advertisement-wheres-the-microsoft...
  • Breaking out of the Chrome sandbox - 2 interesting vulns in 24 hours? Got IE8? :)

    So it hasn't even been out 24 hours yet but Chrome is, as predicted, getting scrutinized heavily and well . . . it's falling down at a pretty alarming rate (as say compared to say - IE8 beta 2 which has been out longer :)) So yesterday Aviv Raff discovered...