Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

January, 2007

  • Mac OS X Security Myth #2: Nobody Attacks Mac OS X

    Following up on Mac OS X Security Myth #1: Mac OS X Has Few Security Bugs, this post continues my look at "perception versus reality" for Mac OS X security. There aren't a lot of sources of validated compromises, but one of the few we can check is www.zone-h.com, which gathers and documents web server compromises, along with a lot of information about the compromised systems. I went to the zone-h home page and clicked on Attacks Archive. Next, I click Enable Filters to open up some filtering...
  • Mac OS X Security Myth #1: Mac OS X Has Few Security Bugs

    Inspired by the MacWorld Expo and Apple's security marketing claims (not to mention that ad campaign from last year), I've decided to add Mac OS X to the list of products that I monitor for "perception versus reality." First, let's review what Apple has to say about their security: Freedom’s not just another word for nothing left to lose. Strong security ensures your ability to conduct your business unhampered. Mac OS X delivers the highest level of security through the adoption of industry...
  • Exposed? : Examining Secunia Unpatched Warnings - Part 2

    This is Part 2 of my look at the perceptions and realities concerning disclosed, but unpatched vulnerability trends between Windows and Linux. You may want to read Part 1 first. UPDATE: Oh, and Part 3 with results will be posting on Friday. I followed some comments on OSNews.com and noticed that folks seemed to think Part 2 was the final segment and results were not posted. Sorry if I was not clear - the parts are fairly long, so I broke it into: part1/setup, part2/method, and part3/results. ...
  • Mac OS X Security Myth #3: Mac OS X Has More Security Designed In

    Following up on Mac OS X Security Myth #1 (fewer vulns) and Security Myth #2 (nobody attacks), this post continues my look at "perception versus reality" for Mac OS X security. There are a couple of different ways that I've heard this Myth expressed. The first can be seen as promulgated by Apple marketing as "built upon Unix security foundation", or, as articulated at http://www.apple.com/macosx/features/security/: Security At the Core Apple makes its source code available...
  • Exposed? : Examining Secunia Unpatched Warnings - Part 3

    This is the final post in my 3-part series trying to get an accurate view of disclosed, but unpatched issues for Windows and Linux. In Part 1, I looked at Secunia "unpatched" warnings and raised the question of whether the unpatched data was accurate and whether the data was tracked consistently between different products. In Part 2, I acknowledged how challenging it is to get a "now" view of unpatched data for Linux distributions and explored some methods for charting unpatched data over periods...
  • Exposed? : Examining Secunia Unpatched Warnings - Part 1

    Security, perception, reality. What security professional hasn't struggled with the gaps between those three things? Is there anything worse for security than a false sense of security? Even my short-term readers probably realize that this is a recurring theme for me - digging into perceptions and misperceptions and trying to shine some light on things. Take a look at this graphic, which you can see today at www.secunia.com on their Vulnerability Report: RedHat Enterprise Linux WS 4 page: No unpatched...
  • Common Objections - Comparing Linux Distros with Windows

    Once again, my effort to explore common misperceptions (more recently exploring unpatched statistics) has brought out some of the common objections from those that don't necessarily like the results. Very rarely do I get comments that can find a substantive problem with the analysis - instead the arguments tend to be detailed variations of "your comparison is not fair." Now, never mind that the "common perception" I am typically exploding was an even less fair comparison... ah, but let's not digress...
  • CNET, Experts and Windows Vista Security

    UPDATE: Corrected my math problem, based upon astute reader feedback (he says sheepishly). Reading online news this morning, I came across the CNET headline: Experts: Don't buy Vista for the security. Wondering what the experts were saying, I clicked and read the article and once again I got a good laugh about the relationship between the "headline" and the "story." Having read all the quotes, it didn't add up to "don't buy Vista for security" to me. So, for fun, let's review the paragraphs...
  • World of Warcraft : New Server, 10 Day Free Trial and South Park

    Note: I'm going to start blogging more non-security entries, so if you don't want to see these, I recommend subscribing specifically to the security feed. If you haven't joined the computer crack that is World of Warcraft, now could be the time. I myself seem to go in cycles, but with the release of Burning Crusade, I've been playing much more often. The problem is, my old guild is gone and I don't have as many friends to game with. Additionally, my server was massively overloaded. So, a couple...
  • (Belated) Security Predictions for 2007

    Between region-wide power outages and minor personal emergencies (e.g. basement flooding), I didn't get my 2007 Security Predictions finished in the first week of January as planned. In the spirit of better late than never, though, here are my top Security Predictions for the year, in no particular order: The Security Industry will continue to grow, with several small new companies becoming more relevant to existing and emerging security problems. This trend will be reinforced by folks wanting...