Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

July, 2006

  • Further Perspectives on Symantec Vista "Research"

    Since my original post on last week's Symantec paper, they've released another one as noted by Joris Evers in Symantec continues Vista bug hunt . Now that I've read both of the first two papers, I note two perspectives from Symantec on this: 1) the perspective of the researchers in their paper, and 2) the uses that the Symantec marketing team may be attempting with the content. On the first perspective, the papers read like an analysis I would expect from a test team performed on a pre-release...
  • New Windows Vista Security Blog

    Ben Fathi, the Corporate VP of the Security Technology Unit has kicked off a new blog focused on Windows Vista Security. I've added a link on the side and you can read it here: http://blogs.msdn.com/windowsvistasecurity/ . Also, while I'm on the topic of Ben, let me remind you that he also hosts a Technet Chat that allows you to connect and ask him and his extended team any question you want each month directly. You can add the next one (August 10th) to your calendar, or pick from the list of...
  • Symantec Stirs the Pot

    UPDATE: Several readers sent me a link to the paper , so I have it now. Thanks! I didn't use "FUD" in my title, because it frankly gets used so often, and sometimes even applied to me . FUD (or Fear, uncertainty, and doubt ) is a sales or marketing strategy of disseminating negative (and vague) information on a competitor. Now, why I don't think this applies to my recent vulnerability metrics posts is: 1) I was very specific in the data and analysis, 2) the data was factual, 3) the analysis...
  • Apples, Oranges and Vulnerability Metrics

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for myself. What I keep finding is that Linux distributions have more vulnerabilities, more serious vulnerabilities and the data does not support the assertions of security superiority for Linux and Open...
  • Windows vs Linux (Red Hat) - Workstation - 1st Half 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for myself. What I keep finding is that Linux distributions have more vulnerabilities, more serious vulnerabilities and the data does not support the assertions of security superiority for Linux and Open...
  • Debian Site Hacked Again

    Debian developers learned this morning that someone had hacked into one of the project servers (gluck), so the debian team took all of the servers offline to investigate, flatten and rebuild. Here's the message: http://lists.debian.org/debian-devel-announce/2006/07/msg00003.html Please note that you should not confuse this hack of the Open Source debian project with the one from November, 2004, Hackers Attack Debian Linux . That was a completely different incident.
  • FAQ (frequently asked questions) about Think Security Vulnerability Comparisons

    This document will be updated as time goes on. It is a repository for questions and answers related to analyses posted on my blog comparing vulnerability counts, days-of-risk and workload vulnerability indices for Windows and Linux distributions. If you have more questions, post them as comments and I'll update with an answer as appropriate. Best Regards ~ Jeff Q1. Why is there a difference in "vulnerability fix events" and "unique vulnerabilities fixed" - what are they and what does that mean...
  • Windows vs Linux (Red Hat) - Server - 1st Half 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for myself. What I keep finding is that Linux distributions have more vulnerabilities, more serious vulnerabilities and the data does not support the assertions of security superiority for Linux and Open...
  • Windows 98 - the End is Nigh and a Look Back

    What OS were you using in 1998? Windows 98? Red Hat 5.1? Something else? The MSRC blog recently re-iterated the upcoming end of life for Windows 98 , Window 98SE and Windows ME, indicating that there will be no support after the July 11th patch Tuesday. (There’s more detail about this and other Support Lifecycle dates on the Support Lifecycle Website: http://www.microsoft.com/lifecycle .) After a short new lease on life , the road is reaching it's end later than originally planned. Or, earlier...