Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

April, 2014

  • New Microsoft Threat Modeling Tool 2014 Now Available

    Today we’re announcing the release of the Microsoft Threat Modeling Tool 2014. This is the latest version of the free Security Development Lifecycle Threat Modeling Tool that was previously released back in 2011.

    More and more of the customers I have been talking to have been leveraging threat modeling as a systematic way to find design-level security and privacy weaknesses in systems they are building and operating. Threat modeling is also used to help identify mitigations that can reduce the overall risk to a system and the data it processes. Once customers try threat modeling, they typically find it to be a useful addition to their approach to risk management.  

    We have been threat modeling at Microsoft for more than 10 years. It is a key piece of the design phase of the Microsoft Security Development Lifecycle (SDL). In 2011 we released the SDL Threat Modeling Tool, free of charge, to make it easier for customers and partners to threat model as part of their software development processes. The tool has been very popular and we have received a lot of positive customer feedback in addition to suggestions for improvement.

  • Microsoft Services unaffected by OpenSSL "Heartbleed" vulnerability

    Posted by: Tracey Pretorius, Director, Trustworthy Computing

    On April 8, 2014, security researchers announced a flaw in the OpenSSL encryption software library used by many websites to protect customers’ data. The vulnerability, known as “Heartbleed,” could potentially allow a cyberattacker to access a website’s customer data along with traffic encryption keys.

    After a thorough investigation, we determined that Microsoft Services are not impacted by the OpenSSL “Heartbleed” vulnerability. In addition, Windows’ implementation of SSL/TLS was not impacted.

    Microsoft always encourages customers to be vigilant with the security of their online accounts, to change their account passwords periodically, and to use complex passwords. More information on how to create strong passwords is available here: Microsoft Security & Safety Center: Create strong passwords.

  • TechNet Radio: IT Time - The Risk of Running Windows XP After Support Ends

    On Monday, Tim Rains was featured on TechNet Radio, where he discussed “The Risk of Running Windows XP After Support Ends” with Blain Barton, Senior Technical Evangelist at Microsoft. This is a recommended video for any IT professionals currently running Windows XP in their environment. Questions covered in the discussion include:

    • [3:44] What kinds of security risks may folks face as support for XP ends?
    • [4:48] How does Microsoft protect its customers from security threats?
    • [6:11] What exactly does Windows XP end of support mean?
    • [8:38] What is the risk of continuing to run XP?
    • [14:48] What motivates cyber attackers?
    • [18:17] What is ransomware?
    • [21:48] What are some typical threats users should expect against Windows XP?
    • [30:26] What should people do if they’re running Windows XP?

  • Protecting Point of Sale Devices from Targeted Attacks

    Posted by: Sean Finnegan, Director, Cybersecurity

    Last week, we published a paper on “Threat Modeling a Retail Environment.” The intent of this paper was to provide the retail industry with risk and mitigation guidance that could be applied in an environment with a unique set of requirements and challenges. As a follow-on to that information, today we published a new paper focused on “Protecting Point of Sale Devices from Targeted Attacks.” Given that point-of-sale (POS) devices were the focus of many recent targeted attacks in the retail industry, we thought this guidance would be helpful.