Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

October, 2006

  • Oracle Announces Unbreakable Linux (aka Red Hat)

    And by "unbreakable", of course, they mean that if you drop the shrinkwrap box on the floor, the CDs won't break because it's really well padded. At least, that's what I think it means, because I don't see how anybody could think it means unbreakable security. I think I kind of feel sorry for Mary Ann Davidson, who had been distancing herself from the previous "unbreakable" campaign in more recent articles with quotes like: And Oracle no longer talks about its products as unbreakable. Earlier...
  • The Final Word - Jim Allchin Letter Clarifies Patchguard on Vista

    Jim Allchin posted up a public letter that clears up any possible confusion on what API changes will or will not be in the initial version of Windows Vista. It isn't that long, so read it yourself here: http://www.microsoft.com/security/windowsvista/allchin.mspx For those that simply won't click through, here are the key bits: Here is what we are doing to maintain the integrity and security of 64-bit Windows, while still addressing the needs of our security partners: • Contrary to...
  • No 64-bit Windows Vista Security from <YourVendor> ?, Give Sophos a Try

    UPDATE: It turns out that the Global Director of SophosLabs is Mark Harris, an old colleague from our days at McAfee. I've asked Mark if I could interview him on the blog here to get some details about their HIPS solution, so stay tuned! Sophos issued a press release today that I want to highlight for you. Here's the bit I have the most admiration for: "Symantec and McAfee may be struggling with HIPS because they haven't coded their solutions with high-spec Vista in mind," said Richard...
  • Windows Vista and 3rd Party Security Protection

    Over the past month or so, I have been amazed by the amount of speculation, strong assertions and outright misinformation that has been printed with respect to Kernel Patch Protection and the official Application Programming Interfaces (APIs) into the kernel. Thankfully, Jim Allchin responded to this directly and clarified. IMO, the lead messaging on this was driven by Symantec (e.g. Windows Vista Kernel Mode Security and the messaging that Symantec released with it.) For example, from this Symantec...
  • Technorati Claim Post

    Technorati Profile
  • Windows vs Linux - Workstation - Q3 2006 addendum (High+Remote)

    This post is dedicated to n00dles, for daring to ask for even more detail ;-) and should be considered as an addendum to Windows vs Linux - Workstation Comparison - Q3 2006. Same caveats apply: NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I...
  • Windows vs Linux - Workstation Comparison - Q3 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for myself. What I keep finding is that Linux distributions have more vulnerabilities, more serious vulnerabilities and the data does not support the assertions of security superiority for Linux and Open...
  • 2006 January through September Vulnerability Trends

    This post is part of a multi-part Q3 2006 Vulnerability Report. Here are links to all of the sections, in case you want to read the others: 2006 January through September Vulnerability Trends (you are here); Windows vs Linux Workstation Comparison; Windows vs Linux Server Comparison (TBD real soon now). In my studies of vulnerabilities, I have compiled a large database of information covering vulnerabilities identified at http://cve.mitre.org and http://nvd.nist.gov that includes, among...
  • The Goodness of IE Enhanced Security Configuration

    Way back before IE7 with "low rights IE" and its other improvements, Microsoft shipped IE6 for Windows Server 2003 in Enhanced Security Configuration. We're now getting ready for Windows Vista and Longhorn Server is on the horizon as well and I decided to look at how much the Enhanced Security Configuration (ESC) had benefitted customer security, if at all. Immediately, security professionals are going to say that you shouldn't be browsing from servers anyway - and I agree. From a security perspective...
  • Red Hat and Windows - Defining an Apples-to-Apples Workstation Build

    Why Red Hat? As folks who read my blog know, I normally utilize Red Hat as a proxy for Linux Distributions when analyzing Windows vs Linux for security and vulnerabilities. Some object to this (Red Hat is Not Linux), but it would be hard to select another alternative because: Red Hat is the acknowledged market share leader in Enterprise Linux; any distro without Enterprise support is generally not a long term consideration for business customers; Red Hat offers the best/longest...