Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

May, 2006

  • New Enterprise Linux - Ubuntu

    For business use, the largest driver of Linux adoption has been the Enterprise Linux releases. Product names aside, I am referring to those Linux-based distributions that offer longer, multi-year support commitments for a version of the product. To date, the primary examples of this (and not coincidentally market leaders) have been Red Hat Enterprise Linux, Novell SuSE Linux Enterprise Server and Mandriva Linux. Matt Zimmerman of the Ubuntu team has just announced that: Ubuntu, Kubuntu and...
  • Address Space Layout Randomization (ASLR) in Windows Vista Beta2?

    UPDATE: Mike Howard has posted to his blog, confirming David and providing details on the Vista ASLR features. So, a couple of weeks ago, Jesper Johannsen wrote how the Windows Firewall was one of his favorite security features in Windows Vista. My favorite security enhancements tend to be architectural security improvements. I recall the Data Execution Prevention and NX bit support as two good previous examples of this. I've just noticed a full-disclosure post from David Litchfield...
  • Windows Vista Beta2 Security Paper

    Was reading Dana Epp's blog and found reference to a new Microsoft paper called Microsoft® Windows Vista™ Security Advancements. Good overview of most security enhancements in Beta2. The funny part of this story is that Dana noticed the paper while reading Mike's blog, which I hadn't read yet today. I hadn't read this paper yet, so thanks to Dana and Michael. The paper itself is here.
  • Novell Removes /truth and Security from Linux Site

    Provocative, but technically true. You may or may not recall that Novell published www.novell.com/linux/truth in response to Microsoft's www.microsoft.com/getthefacts site. I browsed out there yesterday to see the current truth for myself and was redirected to http://www.novell.com/whynovell/. You can still look at the Google cache of the /truth site by using the search terms "site:novell.com inurl:truth" and selecting one of the cache links. Bye-bye Security Novell /truth discussed seven...
  • JeffOS EAL4+ Secure System

    (read my background article first) JeffOS gets EAL4+ certification... not really. Primarily because I haven't created JeffOS. But hey, I'm thinking about it, so stay with me while I think about what configuration of JeffOS I should submit for evaluation. What? Does the evaluated configuration make a difference? If JeffOS is evaluated EAL4+, doesn't that mean all of JeffOS is certified? I'm afraid not, security super friends. Take a look at this chart from Windows® and SuSE Linux EAL4+ Workload...
  • The Importance of the “Evaluated Configuration” in Common Criteria Evaluations

    How many of you have heard of the Common Criteria? If you've ever done security work with government, you probably have. If not, then possibly not. Either way, read on and I’ll give you my own view, including some of the barnacles clinging to the hull of the general program. Common Criteria Background Way back in the depths of computing history, government departments used to issue requests for proposal (RFPs) for computers having certain specific security requirements. Commercial-off-the-shelf...
  • Coverity Confused Claims Cause Consternation and Confusion

    Okay, maybe it only causes me consternation, but this is exactly the sort of thing that raises my temperature. With the academic background of Coverity founders, one should expect a certain amount of rigor and care when it comes to analysis and conclusions, but I find myself disappointed. Jeff, you say, what are you talking about!?!? It’s been a while now, but you may recall a headline similar to this one, Security research suggests Linux has fewer flaws, or this one, Study: MySQL Hard on...
  • Workload Vulnerability Index

    In the recent Risk Report: A Year of Red Hat Enterprise Linux 4 in Red Hat Magazine, Mark Cox defined an interesting new security metric, the Workload Vulnerability Index, that provides a weighted measure of the impact that ongoing security vulnerabilities have to those doing patching. Here is how the report defines it: This vulnerability workload index gives a measure of the number of important vulnerabilities that security operations staff would be required to address each day. The higher...
  • Washington Post - A Time to Patch III: Apple

    You've probably already read Brian Krebs' article A Time to Patch III: Apple, but if you haven't, I encourage you to read it and read the various responses he received - the responses run the gamut of Linux advocates ("You do understand that Mac OS X is not a version of Linux, and is not an open source OS in the usual sense of the word?"), conspiracy theorists ("...This sounds much more like Microsoft propaganda..."), open source advocates ("... finally pointing out that Apple is a company...
  • On Disingenuous Analysis and Transparency

    So, I am perusing security blogs this weekend and I read this interesting entry by Mark Cox of Red Hat about transparency where he says "...the Microsoft PR engine has been churning out disingenuous articles and doing demonstrations based on vulnerability count comparisons." In general, I think Mark's a good guy with a hard job, doing the best he can to be open and transparent. In my opinion, his team does a far better job with security advisory communications than, for example, Novell SuSE...