Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

December, 2012

  • Operating System Infection Rates: Application Vulnerabilities & Exploits Trend Up, Increase OS Infection Rates

    One topic that I get asked about each time we release a new volume of the Microsoft Security Intelligence Report is malware infection rates for operating systems and service packs.  We released new data late this year in volume 13 of the report (SIRv13).  Accordingly, I am dedicating a couple of articles to discussing the new malware infection rate data for operating systems and service packs.

    The latest data published in SIRv13, focusing on the first half of 2012, shows that newer operating systems, such as Windows 7 and Windows Vista, continue to have lower malware infection rates than older operating systems like Windows XP Service Pack 3. Windows 7 Service Pack 1 and Windows Server 2008 R2 had the lowest infection rates in the second quarter of 2012.  The infection rate for Windows XP Service Pack 3, the oldest supported operating system from Microsoft, is the highest by a significant margin.


  • Register Now for the Security Development Conference 2013 and Save!

    Last year, the inaugural Security Development Conference brought together leading security professionals from a variety of industries around the world to share security development practices and how their organizations successfully adopted them.  More than 300 organizations attended this conference.  At the conference I had the opportunity to discuss the importance of security development practices with keynote speaker Richard A. Clarke, former Special Advisor to the President for Cyber Security.  I also had the opportunity to discuss the urgency for organizations to adopt security development practices with General Michael V. Hayden, former Director, U.S. Central Intelligence Agency and U.S. National Security Agency.  You can read more about last year’s event in our wrap-up blog post.

    Registration is now open for the second annual Security Development Conference (SDC 2013), which is being held in San Francisco on May 14th and 15th.  SDC 2013 will bring together some of the best and brightest information security professionals from a variety of industries. Attendees will learn about proven security development practices through interactions with peers, industry luminaries and organizations that have successfully adopted such practices. There are three tracks at SDC 2013 targeting different areas critical to the success of security development. Track sessions will cover the latest security development techniques and processes that can reduce risk and help protect organizations in this rapidly evolving technology landscape.

  • Important Advancements Toward a Safer, More Trusted Internet

    Today we see many authors of malicious software going to great lengths to distribute their wares. Some attackers invest significant resources to find victims and avoid detection by antimalware products. They also vary their attacks – they not only experiment with exploiting software vulnerabilities but also attempt pure social-engineering approaches. To counter this, it is important to build layered defenses in order to improve the security of a system. Because of changes we’ve made...

  • Using the Past to Predict the Future: Top 5 Threat Predictions for 2013

    As the holidays approach and 2013 is on the horizon, December is a natural time to reflect on events of the past year and what we have learned from them.  Subsequently, every December I inevitably am asked to extrapolate or predict what the threat landscape might look like next year.  I’m not Nostradamus, and I know that we can’t use the past to predict the future with absolute accuracy.  But I wanted to share my thoughts on the top five trends that I predict we’ll see in the coming year based on current observations of the threat landscape.

  • New Guidance to Mitigate Determined Adversaries’ Favorite Attack: Pass-the-Hash

    Author:  Matt Thomlinson, General Manager, Trustworthy Computing

    Targeted attacks by determined adversaries (also known as Advanced Persistent Threats or APTs) have been a hot topic recently.  Although targeted attacks continue to make up a small fraction of the attacks we see today, reports of attacks targeting organizations and governments have attracted a lot of attention. We know that one of the first things determined adversaries do if they are able to successfully compromise their target organization’s network is to try to compromise the organization’s directory services.  The reason is clear: a directory service contains the credentials that users, administrators and systems use to authenticate to the network and get access to the organization’s resources.  If the attackers can get access to all these credentials, they can get access to more resources on the network.

  • Compliance Series: Software Security and Compliance Introduction

    One of the most pressing challenges facing organizations today is attaining and maintaining compliance with various industry and government regulations and standards. Failure to comply with certain regulations can result in heavy financial penalties that can put many organizations under severe pressure.  This series of blog posts will look at how the Microsoft Security Development Lifecycle (SDL) can be used to help organizations meet various compliance requirements.

  • The SDL Chronicles: Free resources to help drive SDL adoption and realize solid return on investment

    The Microsoft Security Development Lifecycle (SDL) has been used at Microsoft for more than eight years to help reduce the number and severity of vulnerabilities in Microsoft products and services, thus limiting the opportunities for attackers to compromise computers. Microsoft has freely shared the processes, tools and guidance that form the SDL for more than five years to help our customers, partners and industry colleagues also develop more secure software. However, it can be difficult to make a business case for the adoption and enforcement of a software development process that could be perceived as a “development tax”.