Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - lets share interesting security information

Browse by Tags

Related Posts
  • Blog Post: Is there a Botnet building on MS08-067 exploits?

    There are a lot of reports on a Botnet building on the back of exploits targeting MS08-067: New Windows worm builds massive botnet MS08-067 Vulnerability: Botnets Reloaded Bots exploiting Microsoft's latest RPC flaw Exploit-MS08-067 Bundled in Commercial Malware Kit Time for forced updates? Conficker...
  • Blog Post: SPAM moving to SMS?

    Well, I do not hope and I do not expect it to. Why? Well, mobile text messages are not free – mails are (at least kind of). Nevertheless, if the "vulnerability" is within the mobile provider, all of a sudden, SMS could become a real SPAM channel. Recently happened in China: China to Probe Online Text...
  • Blog Post: Announcing the Exploitability Index

    At Blackhat we announced an important change to our Security Bulletins becoming effective during the October release. One of the requests we often heard talking to our customers is, that they would like to get better information on how hard it is to exploit a vulnerability. We will introduce an Exploitability...
  • Blog Post: „Scareware“ on the Raise

    We have regular ConfCalls with our security support to exchange trends and issues we see. During the last one we had an interesting discussion I would like to share with you: We seem to get a hell lot of calls mainly from the consumer segment with Virus/Trojan/Spyware infections. The way they get the...
  • Blog Post: Conficker and Microsoft Anti-Malware Software

    I want to add a few things as it is still not over: More and more enterprises are still hit. My last blog post showed you what you can do but I wanted to add two resources and a comment. The comment first: There were some discussions about our Anti-Malware solution. We had protections in all our products...
  • Blog Post: Oracle DBAs rarely install Patches

    Wow, this is scary: A company called Sentrigo just published a study about how DBAs patch Oracle databases . Even though you could challenge their findings (they asked only 305 people) and therefore only shows half the truth, it is really scary (I quote): When asked: "Have you installed the latest...
  • Blog Post: Bitlocker now FIPS 140-2 Certified for Windows Vista SP1 and Windows Server 2008

    Just a quick one: We received the FIPS 140-2 certification for Bitlocker in Windows Vista SP1 and Windows Server 2008. The certificates were posted on the CMVP website on November 25th. The Security Policy Document along with the certificates can be viewed at, http://csrc.nist.gov/groups/STM/cmvp/documents...
  • Blog Post: Scam Awareness Month in the UK

    I guess you know Get Safe Online in the meantime. They are publishing a lot of good and insightful information. Now, they collaborate with the Office of Fair Trading in the UK for a Scam Awareness Month. Again, there is a log of excellent information on the web for you to look at: Get Safe Online Blog...
  • Blog Post: Apple Recommends Running Multiple AV Engines

    This is an interesting thing: I just read this post on ZDNet . The blamed us for being the key target for viruses and they always told me that they do not have a security problem. I am convinced that there is no software product having no security vulnerabilities and Apple proved over time that they...
  • Blog Post: File Classification Infrastructure: More content

    At the Analyst Event last week I was asked more than once about the File Classification Infrastructure. As it was something I never looked into the details, I started from the blog post I wrote mid May File Classification Infrastructure in Windows Server 2008 R2 and just wanted to collect some information...
  • Blog Post: Introducing Microsoft Office Isolated Conversion Environment

    Over the last few months it became evident: The attacks are moving up the stack. We see less and less attacks on the operating systems but much, much more on the application. This is a trend that was basically predicted and unfortunately in this case the prediction was true. We suffered ourselves...
  • Blog Post: HP confirms vulnerabilities on 82 Laptop models.

    Remember this post OEMs: Join in to "Secure by Default" ? I wrote it in June… Now, HP just confirmed a vulnerability in their software delivered on 82 laptop models on all the different Windows versions: HP Quick Launch Buttons Critical Security Update What about the Security Development Lifecycle...
  • Blog Post: SDL and End to End Trust

    Last week we published – as you hopefully know – our "End to End Trust" whitepaper. If not, please read my blog post on it J Now, Eric Bidstrup just commented on End to End Trust in the light of the Security Development Lifecycle (or better: the other way around). It might be interesting for you to...
  • Blog Post: Cloud computing providers: Clueless about security?

    To me, one of the benefits of moving to the Cloud is security – obviously besides availability and costs. Recent incidents made me doubt: Amazon not only having significant downtime but in the same time losing customer data. Sony’s game network being significantly compromised. This is definitely not...
  • Blog Post: Security Advisory on the recent Internet Explorer Vulnerability

    I guess you might have seen it by now but if not, please make sure you read and understand the material available: This night we released a Security Advisory on a Vulnerability in Internet Explorer Could Allow Remote Code Execution . The reason for that is that our investigations have shown that this...
  • Blog Post: The Best Security Blogs on the Web

    Well, this is not what I am claiming to have…. This is what I am looking for. At the moment, I am monitoring/reading the following security-related blogs (sorted alphabetically): Microsoft BitLocker™ Drive Encryption Team Blog Chief Security Advisor Finland (in Finish) Chief Security Advisor...
  • Blog Post: Look at the Enhanced Mitigation Evaluation Toolkit

    Recently we announced the availability of the Enhanced Mitigation Evaluation Toolkit. This is a toolkit which makes it easier to defend your application on different levels – free of charge. Read the post done by our Security Research and Defense guys: Announcing the release of the Enhanced Mitigation...
  • Blog Post: Google Chrome and Silent Patching

    This morning I opened one of the Swiss Sunday newspapers and Google Chrome made it to the front-page with a “best practice approach” for deploying security updates. In the article itself it was claimed that Chrome is one of the best browsers with regards to security as the deploy patches silently, without...
  • Blog Post: The Value of Operating System Comparisons

    Since Blaster/Slammer, namely since the start of Trustworthy Computing I am working at Microsoft in a publically facing security role. I went through all the blaming and had to take all the heat of what we did wrong and how bad we are – and I admitted there and still do today that security was not a...
  • Blog Post: Testing our Security Technology

    Quite a while ago, I blogged on Virtual Labs, an offering we are making to you to get your hands dirty with our products and give you the opportunity to work with different hands-on labs. There is the VirtualLabs offering, containing MSDN and TechNet labs. The idea behind them is: It's simple: no...
  • Blog Post: Some Thoughts on UAC

    I blogged several times already on UAC as this has been (and partly still is) a very disputed security feature in Windows Vista (which I still support!). I just found today a not really new blog post on UAC, which I think is worth reading. It is from April this year and is called UAC: Desert Topping...
  • Blog Post: Participate in the Windows Server 2008 Security Guide Beta program!

    We just started the Beta program for the Windows Server 2008 Security Guide. So, if you plan to roll out Windows Server 2008 soon, participate and have a look at it: Here is the Technet Executive overview. To join the Beta program, click here . Roger
  • Blog Post: How to Hack Windows Vista

    No, no. For sure. I am not going to give you advise how to hack – but look at this video: http://www.offensive-security.com/movies/vistahack/vistahack.html . I am always amazed about these kind of videos, which still surprise people. If look years back, we published the 10 Immutable Laws of Security...
  • Blog Post: Why Apple has to fix the Safari flaw

    Remember me talking about Is Security Research Ethical? I made a statement in there when it comes to responsible disclosure of vulnerabilities: And then, what does the vendor do with it? Does the company act on it? Now, we can debate on what a vulnerability is and what not. Personally I am convinced...
  • Blog Post: We Need Solid and Strong Transparent Processes for the Cloud

    This morning I was reading an article called Google seeks to assure customers on cloud security practices on ComputerWeekly. I had to read this – obviously . It references a paper written by the Google Security Officer called Security Whitepaper: Google Apps Messaging and Collaboration Products...