Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

March, 2008

  • SQL Server - Fact Checking Recent Vulnerability History

    UPDATE: The story that originally got my attention has been updated in all of the places I could still find it yesterday, so I'm pulling my references to the story and just focusing on the positive story of SQL Security improvement. Jeff

    Last week a web-based news story came to my attention which asserted that last year SQL Server had "... most vulnerabilities last year of any commercial database..." That prompted me to do some fact checking and I thought it worth documenting the real (really good...
  • Mac OS X Security - Reality Check #2

    First, let me express a caveat. I don't really care for "hack the box" contests. If a machine doesn't get hacked, it does not mean it isn't breakable. If it does get hacked, it just shows us what we already know - any machine can be broken under the right circumstances. So, don't read too much into the PWN 2 OWN results. I don't. Okay, having said that, given how obnoxious and misleading I find those Mac OS X ads and how they've spent millions of dollars publicly criticizing Windows Vista security...
  • Mac OS X Security - Reality Check #1

    UPDATE: A colleague sent me a link to the source paper that the article discusses: http://www.techzoom.net/papers/blackhat_0day_patch_2008.pdf. As anyone who reads my blog knows, I like to shine a light on areas of common security misperceptions. I am even happier when others do it. I think Apple has really taken a playbook from Oracle (i.e., "Unbreakable marketing") with respect to security in the past year with unsupported security claims in their marketing, drawing the attention of security...
  • Security Bloggers Meet up 2008 @ RSA Conference 2008

    Wednesday, April 9, 2008

    The RSA Conference is only about a month away now, so I wanted to extend an invitation for you to Meet Up with me and my fellow security bloggers if you are going to be there. Chances are, if you're a long-time blogger, you've already got an invite, but if not, send me a message and I'll get an RSVP sent out to you. We really are trying to keep this mainly a Security Blogger networking event, so send me your name, contact information and a pointer to your blog, so I can come...