book

Writing Secure Code

by Michael Howard and David LeBlanc

December 2002

Intermediate to advanced

800 pages

18h 17m

English

Microsoft Press

Read now

Unlock full access

Who Should Read This BookOrganization of This BookInstalling and Using the Sample FilesSystem RequirementsSupport InformationAcknowledgments
Applications on the Wild Wild WebThe Need for Trustworthy ComputingGetting Everyone’s Head in the GameUsing Tact to Sell Security to the OrganizationSecure Products Are Quality ProductsThe Media (and Your Competition) Leap on Security IssuesPeople Shy Away from Products That Don’t Work As AdvertisedDon’t Be a VictimSecurity Vulnerabilities Are Expensive to FixUsing SubversionSome Ideas for Instilling a Security CultureGet the Boss to Send an E-MailNominate a Security EvangelistStay Abreast of Security IssuesInterviewing Security PeopleProvide Ongoing Security EducationProvide Bug TriagingThe Attacker’s Advantage and the Defender’s DilemmaPrinciple #1: The defender must defend all points; the attacker can choose the weakest point.Principle #2: The defender can defend only against known attacks; the attacker can probe for unknown vulnerabilities.Principle #3: The defender must be constantly vigilant; the attacker can strike at will.Principle #4: The defender must play by the rules; the attacker can play dirty.Summary
Process ImprovementsThe Role of EducationResistance to Mandatory TrainingOngoing TrainingAdvancing the Science of SecurityEducation Proves the More Eyes FallacyNow the Evidence!Design PhaseSecurity Questions During InterviewsDefine the Product Security GoalsSecurity Is a Product FeatureMaking Time for SecurityThreat Modeling Leads to Secure DesignBuild End-of-Life Plans for Insecure FeaturesSetting the Bug BarSecurity Team ReviewDevelopment PhaseBe Hardcore About Who Can Check In New Code (Check-Ins Checked)Security Peer Review of New Code (Check-Ins Checked)Define Secure Coding GuidelinesReview Old DefectsExternal Security ReviewSecurity PushBe Mindful of Your Bug CountsKeep Track of Bug MetricsNo Surprises and No Easter Eggs!Test PhaseShipping and Maintenance PhasesHow Do You Know When You’re Done?Response ProcessAccountabilitySummary
SD3: Secure by Design, by Default, and in DeploymentSecure by DesignSecure by DefaultSecure in DeploymentSecurity PrinciplesLearn from MistakesMinimize Your Attack SurfaceEmploy Secure DefaultsUse Defense in DepthUse Least PrivilegeSeparation of PrivilegeBackward Compatibility Will Always Give You GriefAssume External Systems Are InsecurePlan on FailureFail to a Secure ModeRemember That Security Features != Secure FeaturesNever Depend on Security Through Obscurity AloneDon’t Mix Code and DataFix Security Issues CorrectlySummary
Secure Design Through Threat ModelingAssemble the Threat-Modeling TeamDecompose the ApplicationFormally Decomposing the ApplicationDetermine the Threats to the SystemUsing STRIDE to Categorize ThreatsThreat TreesSmall enhancements to make threat trees more readableItems to Note While Threat ModelingRank the Threats by Decreasing RiskUsing DREAD to Calculate RiskBringing It All Together: Decomposition, Threat Trees, STRIDE, and DREADBubbling Up the Overall RiskGoing Over the Threat-Modeling Process One More TimeChoose How to Respond to the ThreatsOption One: Do NothingOption Two: Warn the UserOption Three: Remove the ProblemOption Four: Fix the ProblemChoose Techniques to Mitigate the ThreatsSecurity TechniquesAuthenticationBasic AuthenticationDigest AuthenticationForms-Based AuthenticationMicrosoft PassportWindows AuthenticationNTLM authenticationKerberos v5 authenticationX.509 Certificate AuthenticationIPSecRADIUSAuthorizationAccess Control ListsPrivilegesIP RestrictionsServer-Specific PermissionsTamper-Resistant and Privacy-Enhanced TechnologiesSSL/TLSIPSecDCOM and RPCsEncrypting File SystemProtect Secrets, or Better Yet, Don’t Store SecretsEncryption, Hashes, MACs, and Digital SignaturesAuditingFiltering, Throttling, and Quality of ServiceLeast PrivilegeMitigating the Sample Payroll Application ThreatsA Cornucopia of Threats and SolutionsSummary
Stack OverrunsHeap OverrunsArray Indexing ErrorsFormat String BugsUnicode and ANSI Buffer Size MismatchesA Real Unicode Bug ExamplePreventing Buffer OverrunsSafe String Handlingstrcpystrncpysprintf_snprintfStandard Template Library Stringsgets and fgetsUsing Strsafe.hA Word of Caution About String-Handling FunctionsThe Visual C++ .NET /GS OptionSummary

Why ACLs Are ImportantA Diversion: Fixing the Registry CodeWhat Makes Up an ACL?A Method of Choosing Good ACLsEffective Deny ACEsCreating ACLsCreating ACLs in Windows NT 4Creating ACLs in Windows 2000Creating ACLs with Active Template LibraryGetting the ACE Order RightBe Wary of the Terminal Server and Remote Desktop SIDsNULL DACLs and Other Dangerous ACE TypesNULL DACLs and AuditingDangerous ACE TypesEveryone (WRITE_DAC)Everyone (WRITE_OWNER)Everyone (FILE_ADD_FILE)Everyone (DELETE)Everyone (FILE_DELETE_CHILD)Everyone (GENERIC_ALL)What If I Can’t Change the NULL DACL?Other Access Control Mechanisms.NET Framework RolesCOM+ RolesIP RestrictionsSQL Server Triggers and PermissionsA Medical ExampleAn Important Note About Access Control MechanismsSummary
Least Privilege in the Real WorldViruses and TrojansBack OrificeSubSevenFunLove VirusILoveYou VirusWeb Server DefacementsBrief Overview of Access ControlBrief Overview of PrivilegesSeBackupPrivilege IssuesSeRestorePrivilege IssuesSeDebugPrivilege IssuesSeTcbPrivilege IssuesSeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege IssuesSeLoadDriverPrivilege IssuesSeRemoteShutdownPrivilege IssuesSeTakeOwnershipPrivilege IssuesBrief Overview of TokensHow Tokens, Privileges, SIDs, ACLs, and Processes RelateSIDs and Access Checks, Privileges and Privilege ChecksThree Reasons Applications Require Elevated PrivilegesACL IssuesOpening Resources for GENERIC_ALLPrivilege IssueUsing LSA SecretsSolving the Elevated Privileges IssueSolving ACL IssuesSolving Privilege IssuesSolving LSA IssuesA Process for Determining Appropriate PrivilegeStep 1: Find Resources Used by the ApplicationStep 2: Find Privileged APIs Used by the ApplicationStep 3: Which Account Is Required?Step 4: Get the Token ContentsStep 5: Are All the SIDs and Privileges Required?Step 6: Adjust the TokenAllow Less-Privileged Accounts to Run Your ApplicationUse Restricted TokensRemoving privilegesSpecifying restricting SIDsApplying a deny-only attribute to SIDsWhen to Use Restricted TokensRestricted Token Sample CodeSoftware Restriction Policies and Windows XPPermanently Removing Unneeded PrivilegesLow-Privilege Service Accounts in Windows XP and Windows .NET Server 2003The Impersonate Privilege and Windows .NET Server 2003Debugging Least-Privilege IssuesWhy Applications Fail as a Normal UserHow to Determine Why Applications FailThe Windows Event ViewerRegMon and FileMonSummary
Using Poor Random NumbersThe Problem: randCryptographically Random Numbers in Win32Cryptographically Random Numbers in Managed CodeCryptographically Random Numbers in Web PagesUsing Passwords to Derive Cryptographic KeysMeasuring the Effective Bit Size of a PasswordKey Management IssuesLong-Term and Short-Term KeysUse Appropriate Key Lengths to Protect DataKeep Keys Close to the SourceThe CryptGenKey and CryptExportKey FunctionsKey Exchange IssuesCreating Your Own Cryptographic FunctionsUsing the Same Stream-Cipher Encryption KeyWhy People Use Stream CiphersThe Pitfalls of Stream CiphersWhat If You Must Use the Same Key?Bit-Flipping Attacks Against Stream CiphersSolving Bit-Flipping AttacksWhen to Use a Hash, Keyed Hash, or Digital SignatureCreating a Keyed HashForgetting to use a keyUsing the same key to encrypt data and key-hash dataBasing K2 on K1Creating a Keyed HashCreating a Digital SignatureReusing a Buffer for Plaintext and CiphertextUsing Crypto to Mitigate ThreatsDocument Your Use of CryptographySummary
Attacking Secret DataSometimes You Don’t Need to Store a SecretCreating a Salted HashUsing PKCS #5 to Make the Attacker’s Job HarderGetting the Secret from the UserProtecting Secrets in Windows 2000 and LaterA Special Case: Client Credentials in Windows XPProtecting Secrets in Windows NT 4Protecting Secrets in Windows 95, Windows 98, Windows Me, and Windows CEGetting Device Details Using PnPNot Opting for a Least Common Denominator SolutionManaging Secrets in MemoryA Compiler Optimization CaveatEncrypting Secret Data in MemoryLocking Memory to Prevent Paging Sensitive DataProtecting Secret Data in Managed CodeManaging Secrets in Memory in Managed CodeRaising the Security BarStoring the Data in a File on a FAT File SystemUsing an Embedded Key and XOR to Encode the DataUsing an Embedded Key and 3DES to Encrypt the DataUsing 3DES to Encrypt the Data and Storing a Password in the RegistryUsing 3DES to Encrypt the Data and Storing a Strong Key in the RegistryUsing 3DES to Encrypt the Data, Storing a Strong Key in the Registry, and ACLing the File and the Registry KeyUsing 3DES to Encrypt the Data, Storing a Strong Key in the Registry, Requiring the User to Enter a Password, and ACLing the File and the Registry KeyTrade-Offs When Protecting Secret DataSummary
The IssueMisplaced TrustA Strategy for Defending Against Input AttacksHow to Check ValidityTainted Variables in PerlUsing Regular Expressions for Checking InputBe Careful of What You Find—Did You Mean to Validate?Regular Expressions and UnicodeA Regular Expression Rosetta StoneRegular Expressions in PerlRegular Expressions in Managed CodeC# ExampleVisual Basic .NET ExampleManaged C++ ExampleRegular Expressions in ScriptRegular Expressions in C++A Best Practice That Does Not Use Regular ExpressionsSummary
What Does Canonical Mean, and Why Is It a Problem?Canonical Filename IssuesBypassing Napster Name FilteringVulnerability in Apple Mac OS X and ApacheDOS Device Names VulnerabilitySun Microsystems StarOffice /tmp Directory Symbolic-Link VulnerabilityCommon Windows Canonical Filename Mistakes8.3 Representation of Long FilenamesNTFS Alternate Data StreamsTrailing Characters\\?\ FormatDirectory Traversal and Using Parent Paths (..)Walking out of the current directoryWill the real filename please stand up?Absolute vs. Relative FilenamesCase-Insensitive FilenamesUNC SharesWhen Is a File Not a File? Mailslots and Named PipesWhen Is a File Not a File? Device Names and Reserved NamesCanonical Web-Based IssuesBypassing AOL Parental ControlsBypassing eEye’s Security ChecksZones and the Internet Explorer 4 “Dotless-IP Address” BugInternet Information Server 4.0 ::$DATA VulnerabilityWhen is a Line Really Two Lines?Yet Another Web Issue—Escaping7-Bit and 8-Bit ASCIIHexadecimal Escape CodesUTF-8 Variable-Width EncodingHow UTF-8 Encodes DataUCS-2 Unicode EncodingDouble EncodingHTML Escape CodesVisual Equivalence Attacks and the Homograph AttackPreventing Canonicalization MistakesDon’t Make Decisions Based on NamesUse a Regular Expression to Restrict What’s Allowed in a NameStopping 8.3 Filename GenerationDon’t Trust the PATH—Use Full Path NamesAttempt to Canonicalize the NameCalling CreateFile SafelyWeb-Based Canonicalization RemediesRestrict What Is Valid InputBe Careful When Dealing with UTF-8ISAPIs—Between a Rock and a Hard PlaceA Final Thought: Non-File-Based Canonicalization IssuesServer NamesUsernamesSummary
The IssuePseudoremedy #1: Quoting the InputPseudoremedy #2: Use Stored ProceduresRemedy #1: Never Ever Connect as sysadminRemedy #2: Building SQL Statements SecurelyBuilding SQL Stored Procedures SecurelyAn In-Depth Defense in Depth ExampleSummary
Cross-Site Scripting: When Output Turns BadSometimes the Attacker Doesn’t Need a <SCRIPT> BlockThe Attacker Doesn’t Need the User to Click a Link!Other XSS-Related AttacksXSS Attacks Against Local FilesHTML Help FilesXSS Attacks Against HTML ResourcesXSS RemediesEncoding OutputAdding Double Quotes Around All Tag PropertiesInserting Data in the innerText PropertyForcing the CodepageThe Internet Explorer 6.0 SP1 HttpOnly Cookie OptionInternet Explorer “Mark of the Web”Internet Explorer <FRAME SECURITY> AttributeASP.NET 1.1 ValidateRequest configuration optionDon’t Look for Insecure ConstructsBut I Want Users to Post HTML to My Web Site!How to Review Code for XSS BugsOther Web-Based Security Topicseval() Can Be BadHTTP Trust IssuesREFERER ErrorsISAPI Applications and FiltersSensitive Data in Cookies and FieldsBe Wary of “Predictable Cookies”SSL/TLS Client IssuesSummary
The Golden I18N Security RulesUse Unicode in Your ApplicationPrevent I18N Buffer OverrunsWords and BytesValidate I18NVisual ValidationDo Not Validate Strings with LCMapStringUse CreateFile to Validate FilenamesCharacter Set Conversion IssuesUse MultiByteToWideChar with MB_PRECOMPOSED and MB_ERR_INVALID_CHARSUse WideCharToMultiByte with WC_NO_BEST_FIT_CHARSComparison and SortingUnicode Character PropertiesNormalizationSummary
Avoiding Server HijackingTCP Window AttacksChoosing Server InterfacesAccepting ConnectionsWriting Firewall-Friendly ApplicationsUse One Connection to Do the JobDon’t Require the Server to Connect Back to the ClientUse Connection-Based ProtocolsDon’t Multiplex Your Application over Another ProtocolDon’t Embed Host IP Addresses in Application-Layer DataMake Your Application ConfigurableSpoofing and Host-Based and Port-Based TrustIPv6 Is Coming!Summary
An RPC PrimerWhat Is RPC?Creating RPC ApplicationsCompiling the CodeHow RPC Applications CommunicateContext Handles and StateSecure RPC Best PracticesUse the /robust MIDL SwitchUse the [range] AttributeRequire Authenticated ConnectionsClient-Side SettingsServer-Side SettingsA Note Regarding Kerberos SupportPerformance of Different Security SettingsUse Packet Privacy and IntegrityUse Strict Context HandlesDon’t Rely on Context Handles for Access ChecksBe Wary of NULL Context HandlesDon’t Trust Your PeerUse Security CallbacksImplications of Multiple RPC Servers in a Single ProcessConsider Adding an Annotation for Your EndpointUse Mainstream ProtocolsSecure DCOM Best PracticesDCOM BasicsApplication-Level SecurityDCOM User ContextsRun as the Launching UserRun as the Interactive UserRun as the Local System AccountRun as a Specific UserProgrammatic SecuritySources and SinksAn ActiveX PrimerSecure ActiveX Best PracticesWhat ActiveX Components Are Safe for Initialization and Safe for Scripting?Best Practices for Safe for Initialization and ScriptingIs Your Control Safe?Limit Domain UsageUsing SiteLockSetting the Kill BitSummary
Application Failure AttacksCPU Starvation AttacksMemory Starvation AttacksResource Starvation AttacksNetwork Bandwidth AttacksSummary
Code Access Security: In PicturesFxCop: A “Must-Have” ToolAssemblies Should Be Strong-NamedStrong-Named Assemblies and ASP.NETSpecify Assembly Permission RequirementsRequest Minimal Permission SetRefuse Unneeded PermissionsRequest Optional PermissionsOverzealous Use of AssertFurther Information Regarding Demand and AssertKeep the Assertion Window SmallDemands and Link DemandsAn Example LinkDemand Security BugUse SuppressUnmanagedCodeSecurityAttribute with CautionRemoting DemandsLimit Who Uses Your CodeNo Sensitive Data in XML or Configuration FilesReview Assemblies That Allow Partial TrustCheck Managed Wrappers to Unmanaged Code for CorrectnessIssues with DelegatesIssues with SerializationThe Role of Isolated StorageDisable Tracing and Debugging Before Deploying ASP.NET ApplicationsDo Not Issue Verbose Error Information RemotelyDeserializing Data from Untrusted SourcesDon’t Tell the Attacker Too Much When You FailSummary
The Role of the Security TesterSecurity Testing Is DifferentBuilding Security Test Plans from a Threat ModelDecompose the ApplicationIdentify the Component InterfacesRank the Interfaces by Potential VulnerabilityAscertain the Data Structures Used by Each InterfaceAttacking Applications with STRIDEAttacking with Data MutationThe Data and the ContainerPerturbing the containerPerturbing the dataRandom dataPartially incorrect dataTaking it further—use different sizesSpecial CharactersOn-the-Wire AttacksBefore TestingBuilding Tools to Find FlawsTesting Sockets-Based ApplicationsTesting HTTP-Based Server ApplicationsTesting Named Pipes ApplicationsTesting COM, DCOM, ActiveX, and RPC ApplicationsTesting ActiveX Controls in <OBJECT> tagsTesting File-Based ApplicationsTesting Registry-Based ApplicationsTesting Command Line ArgumentsTesting XML PayloadsTesting SOAP ServicesTesting for Cross-Site Scripting and Script-Injection BugsTesting Clients with Rogue ServersShould a User See or Modify That Data?Testing with Security TemplatesWhen You Find a Bug, You’re Not Done!Test Code Should Be of Great QualityTest the End-to-End SolutionDetermining Attack SurfaceDetermine Root Attack VectorsDetermine Bias For Attack VectorsCount the Biased Vectors in the ProductSummary
Dealing with Large ApplicationsA Multiple-Pass ApproachLow-Hanging FruitInteger OverflowsA Related Issue: Integer UnderflowsChecking ReturnsPerform an Extra Review of Pointer CodeNever Trust the DataSummary
Principle of Least PrivilegeClean Up After Yourself!Using the Security Configuration EditorLow-Level Security APIsUsing the Windows InstallerSummary
Malicious vs. Annoying Invasions of PrivacyMajor Privacy LegislationPersonally Identifiable InformationThe EU Directives on Data ProtectionSafe Harbor PrinciplesNoticeChoiceOnward TransferAccessSecurityData IntegrityEnforcementOther Privacy LegislationPrivacy vs. SecurityBuilding a Privacy InfrastructureThe Role of the Chief Privacy OfficerThe Role of the Privacy AdvocateDesigning Privacy-Aware ApplicationsIncluding Privacy in the Development ProcessPrivacy Specification TemplatePrivacy Review TemplatePrivacy Policy StatementP3P ContentExploring Privacy FeaturesImplementing P3PPrivacy for Client-Side ApplicationsCover Your TracksDon’t Phone HomeProtecting the Application from the Application UsersLimiting access to your applicationLeaving a paper trailPrivacy Through Obfuscation and EncryptionProtecting the Transfer of DataPutting the Pieces TogetherSummary
Don’t Tell the Attacker AnythingService Best PracticesSecurity, Services, and the Interactive DesktopService Account GuidelinesLocalSystemNetwork ServiceLocalServiceDomain AccountsLocal AccountsDon’t Leak Information in Banner StringsBe Careful Changing Error Messages in FixesDouble-Check Your Error PathsKeep It Turned Off!Kernel-Mode MistakesHigh-Level Security IssuesHandlesSymbolic LinksQuotaSerialization PrimitivesBuffer-Handling IssuesIRP CancellationAdd Security Comments to CodeLeverage the Operating SystemDon’t Rely on Users Making Good DecisionsCalling CreateProcess SecurelyDo Not Pass NULL for lpApplicationNameUse Quotes Around the Path to Executable in lpCommandLineDon’t Create Shared/Writable SegmentsIn a .def FileIn a .h* or .c* FileOn the Linker Command LineUsing Impersonation Functions CorrectlyDon’t Write User Files to \Program FilesDon’t Write User Data to HKLMDon’t Open Objects for FULL_CONTROL or ALL_ACCESSObject Creation MistakesCare and Feeding of CreateFileCreating Temporary Files SecurelyImplications of Setup Programs and EFSFile System Reparse Point IssuesClient-Side Security Is an OxymoronSamples Are TemplatesDogfood Your Stuff!You Owe It to Your Users If…Determining Access Based on an Administrator SIDAllow Long PasswordsBe Careful with _allocaATL Conversion MacrosDon’t Embed Corporate NamesMove Strings to a Resource DLLApplication LoggingMigrate Dangerous C/C++ to Managed Code
Security Issues in DocumentationThe BasicsThreat Mitigation Through DocumentationDocumenting Security Best PracticesThreat #4: ISOAP_xxx Account Has Many PrivilegesThreat #13: Client <-- --> Server Communication Is InsecureThreat #14: By Default, SOAP-Server Is Accessible to EveryoneThreat #19: Most of Our Testing Is with Single-Purpose ServersSecurity Issues in Error MessagesA Typical Security MessageInformation Disclosure IssuesInformed ConsentProgressive DisclosureBe SpecificConsider Not Asking the QuestionUsability Test Your Security MessagesA Note When Reviewing Product SpecificationsSecurity UsabilitySummary
APIs with Buffer Overrun Issuesstrcpy, wcscpy, lstrcpy, _tcscpy, and _mbscpystrcat, wcscat, lstrcat, _tcscat, and _mbscatstrncpy, wcsncpy, _tcsncpy, lstrcpyn, and _mbsnbcpystrncat, wcsncat, _tcsncat, and _mbsnbcatmemcpy and CopyMemorysprintf and swprintf_snprintf and _snwprintfprintf familystrlen, _tcslen, _mbslen, and wcslengetsscanf(“%s”,…), _tscanf, and wscanfStandard Template Library stream operator (>>)MultiByteToWideChar_mbsinc, _mbsdec, _mbsncat, _mbsncpy, _mbsnextc, _mbsnset, _mbsrev, _mbsset, _mbsstr, _mbstok, _mbccpy, and _mbslenAPIs with Name-Squatting IssuesCreateDirectory, CreateEvent, CreateFile, CreateFileMapping, CreateHardLink, CreateJobObject, CreateMailslot, CreateMutex, CreateNamedPipe, CreateSemaphore, CreateWaitableTimer, MoveFile, and classes that wrap these APIsAPIs with Trojaning IssuesCreateProcess(NULL,…), CreateProcessAsUser, and CreateProcessWithLogonWinExec and ShellExecuteLoadLibrary, LoadLibraryEx, and SearchPathWindows Styles and Control TypesTB_GETBUTTONTEXT, LVM_GETISEARCHSTRING, and TVM_GETISEARCHSTRINGTTM_GETTEXTCB_GETLBTEXT, CB_GETLBTEXTLEN, SB_GETTEXT, SB_GETTEXTLENGTH, SB_GETTIPTEXT, LB_GETTEXT, and LB_GETTEXTLENES_PASSWORDImpersonation APIsSetSecurityDescriptorDacl(…,…,NULL,…)APIs with Denial of Service IssuesInitializeCriticalSection and EnterCriticalSection_alloca and related functions and macrosTerminateThread and TerminateProcessNetworking API IssuesbindrecvsendNetApi32 callsMiscellaneous APIsIsBadReadPtr, IsBadWritePtr, IsBadCodePtr, IsBadStringPtr, IsBadHugeReadPtr, and IsBadHugeWritePtrCopyFile and MoveFile
No one will do that!Why would anyone do that?We’ve never been attacked.We’re secure—we use cryptography.We’re secure—we use ACLs.We’re secure—we use a firewall.We’ve reviewed the code, and there are no security bugs.We know it’s the default, but the administrator can turn it off.If we don’t run as administrator, stuff breaks.But we’ll slip the schedule!It’s not exploitable!But that’s the way we’ve always done it.If only we had better tools….
GeneralWeb and Database-SpecificRPCActiveX, COM, and DCOMCrypto and Secret ManagementManaged Code
A Final Thought

Content preview from Writing Secure Code

Chapter 5. Public Enemy #1: The Buffer Overrun

Buffer overruns have been a known security problem for quite some time. One of the best-known examples was the Robert T. Morris finger worm in 1988. This exploit brought the Internet almost to a complete halt as administrators took their networks off line to try to contain the damage. Problems with buffer overruns have been identified as far back as the 1960s. In the summer of 2001, when the first edition of this book was written, searching the Microsoft Knowledge Base at http://search.support.microsoft.com/kb for the words buffer, security, and bulletin yielded 20 hits. Several of these bulletins refer to issues that can lead to remote escalation of privilege. Anyone who reads the BugTraq mailing ...