August 29, 2007
Windows Live now supports Information Cards
Yahoo! Microsoft is finally eating its own dogfood when it comes to identity and access control for the masses!!!
You can now log in to your Windows Live account using an Information Card. Notice the dropdown now has "Information Card" as an option in this screenshot of my login tonight:
This is awesome. It's still in beta... but is a serious step forward. Now to see it available in Messenger, Windows Mail and the like.
And more importantly... to the MVP leaders at Microsoft... PLEASE consider issuing managed cards for MVP awardees. You could expire it yearly and give us access to our MVP site, Microsoft Company Store, private newsgroups, Connect site and the MVP Summit stuff.
I hate passwords. It is so nice to see Microsoft do this; one less password I now have to worry about!
August 14, 2007
Writing Vista Sidebar Gadgets securely
During today's patch release cycle from Microsoft, a new set of vulnerabilities were fixed in Vista Sidebar gadgets that could allow for remote code execution. You can read the security bulletin on this threat over on TechNet here if you would like more information.
David Ross and Michael Howard wrote an interesting article a few months back on how to "Inspect Your Gadgets" to make them more resilient to such attacks. Since they run with full trust in the Sidebar... care should be taken to validate and sanitize all inputs, as well as to ensure no untrusted communications or XSS occur.
It's a short but well-written article that I believe all Sidebar gadget authors should read.
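To show what "validate and sanitize all inputs" means for a gadget, here is an added example (mine, not code from the page or from Ross and Howard's article) of a gadget rendering headlines from a feed it does not control; the feed items are constructed sample data. Because a gadget runs as fully trusted script, an XSS in it is code execution on the desktop, so the unsafe renderer is shown next to the hardened one.

```javascript
// Constructed sample of what an attacker-controlled feed could return.
// The second item carries markup in its title and a non-http link.
var untrustedItems = [
  { title: 'Patch Tuesday roundup', link: 'http://example.com/patches' },
  { title: '<img src=x onerror="alert(1)">', link: 'javascript:alert(1)' }
];

// Vulnerable: untrusted strings are concatenated straight into markup,
// so the feed author gets to run script inside the fully trusted gadget.
function renderUnsafe(items) {
  var html = '';
  for (var i = 0; i < items.length; i++) {
    html += '<a href="' + items[i].link + '">' + items[i].title + '</a><br>';
  }
  return html;
}

// Escape the five characters that are significant in HTML text and
// attribute values, so untrusted content is displayed, never interpreted.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only http(s) links are allowed through; javascript:, file:, data: and
// anything else the feed tries to hand us collapse to an inert anchor.
function safeLink(url) {
  return /^https?:\/\//i.test(String(url)) ? String(url) : '#';
}

// Hardened: every untrusted value is escaped and every link is validated
// before it reaches the gadget's DOM (e.g. via innerHTML).
function renderSafe(items) {
  var html = '';
  for (var i = 0; i < items.length; i++) {
    html += '<a href="' + escapeHtml(safeLink(items[i].link)) + '">' +
            escapeHtml(items[i].title) + '</a><br>';
  }
  return html;
}
```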
Is DREAD really dead?
A couple of years ago I stated that I wasn't a fan of DREAD when threat modeling. I prefer the standard information security risk formula of "risk = Probability (chance) * Damage Potential (damage)". I was pleased to hear from a Microsoft security dude that "DREAD WAS DEAD" back then, and I haven't looked back.
Tonight I found a VERY interesting post by David LeBlanc on DREAD and how to use it with escalation to calculate the severity of vulnerabilities. I highly recommend you check his post out.
It is interesting to note that he mentions this is NOT how Microsoft is doing it, especially in MSRC. Yet DREAD is still being explored in this light. Not sure what to make of it. The breakdown into the 9 buckets surprises me, but in a good way. There is some reflective thought in his categorization, and it would be a welcome advancement in prioritization for patch releases... IF Microsoft could keep a semi-regular SP cycle. And if we could access slipstream media more readily. Just where are XP SP3 and Vista SP1 anyway? (Check out Alan's post on some leakage on the topic)