Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

  • Q1 2008 - Client OS Vulnerability Scorecard

    This paper is a compilation of vulnerability data for client operating systems for the first 3 months, January through March, of 2008. Vulnerabilities and fixes for the following products are discussed: Microsoft Windows Vista; Microsoft Windows XP SP2; Red Hat Enterprise Linux Desktop (v. 5 client); Red Hat Enterprise Linux WS (v. 4); Ubuntu 6.06 LTS Desktop; Apple Mac OS X 10.5 (Leopard); Apple Mac OS X 10.4 (Tiger). For January through March of 2008, Mac OS X users experienced the highest number of vulnerabilities...
  • CIO.COM: Can Mozilla Support Their Security Claims?

    Mozilla bills Firefox as the most secure Web browser on the planet, but is it really? Follow along with this series and see if the claims hold up to close scrutiny. Today, I started a multi-part article series on cio.com (Security landing page: http://www.cio.com/topic/1419/Security) probing Mozilla’s claims of security superiority. My plan is to post up a new article every few days probing aspects of claims they’ve made either on the Firefox security page or in some other public forum. As...
  • Black Hat: Got2 Luv the H8ers

    So, this afternoon, I'm in the Microsoft booth at Black Hat when this guy comes up (badge hidden, of course) and starts talking to some of my colleagues. Right away, it was pretty obvious that he was antagonistic. I will refer to him as "h8er" from here on out. Though I am paraphrasing a bit, this is based upon a true story. It gave me a chuckle, so I thought I'd share. h8er: So, how does it feel to work for a company that has made so many bad security decisions? MSFT guy: Well, I feel lucky to be...
  • Download: Windows Vista One Year Vulnerability Report

    Windows Vista shipped to business customers on the last day of November 2006, so the end of November 2007 marks the one year anniversary for supported production use of the product. This paper analyzes the vulnerability disclosures and security updates for the first year of Windows Vista and looks at it in the context of its predecessor, Windows XP, along with other modern workstation operating systems Red Hat, Ubuntu and Apple products. The results of the analysis show that Windows Vista has an...
  • Ubuntu CVE Tracker

    Today I was looking at some of the various vendor security and advisory sites and I noticed at the top of the Ubuntu site: “For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.” I had not seen the Ubuntu CVE Tracker before, so I checked it out, very interested because certain sites continue to assert and report that some Linux distributions do not have any unpatched issues. For example, take a look at the page Vulnerability Report: Ubuntu...
  • July 2007 - Operating System Vulnerability Scorecard

    Summer and work travel have really had an impact and I've missed a couple of months of scorecards, so last weekend, I decided to dig in and catch up to July. I hit a few road bumps: Sun changed their Security Alerts web site, making it a bit more challenging. I gave up for now, but will try to add them back with subsequent scorecards. Novell, in a similar but different move, created a new psdb page for their version Enterprise Linux v10 SP1 products. At first, I thought they had not released any...
  • BYOD – is it Good, Bad or Ugly from the User Viewpoint?

    Bring your own device, or BYOD, is a tech trend that is changing the way many organizations manage technology. In previous posts, we’ve shared some background on our Trust in Computing Research project, and some of the interesting data we’ve uncovered related to the consumerization of IT and the BYOD trend. In this post we’re going to take a closer look at the BYOD concept from the perspective of the individual user. BYOD sounds like a great idea, but it may be a case of “be careful what you wish...
  • Warning: Fake Microsoft notification allegedly from Windows Live

    Okay, so there are about a million social techniques being used in email to get your attention and entice you to click on some bad link, but since this one purports to be from Microsoft, I thought I’d post a quick warning and do a bit of digging, since it is the first of these that I’ve gotten and I received 3 variations (different alleged friends on the invite) over the weekend. First, let’s take a quick look at the fake email. First, note that the “From:” address isn’t even valid. If you weren...
  • SQL Server - Fact Checking Recent Vulnerability History

    UPDATE: The story that originally got my attention has been updated in all of the places I could still find it yesterday, so I'm pulling my references to the story and just focusing on the positive story of SQL Security improvement. Jeff

    Last week a web-based news story came to my attention which asserted that last year SQL Server had "... most vulnerabilities last year of any commercial database..." That prompted me to do some fact checking and I thought it worth documenting the real (really good...
  • Windows vs Linux - Workstation Comparison - Q3 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for myself. What I keep finding is that Linux distributions have more vulnerabilities, more serious vulnerabilities and the data does not support the assertions of security superiority for Linux and Open...