Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

Browse by Tags

  • Blog Post: Perception: Case in Point

    I love it when a good, real-life example falls right into your lap. As you know from my recent posts, I’ve been doing a series of articles probing Mozilla and Firefox security claims.  I think I’ve been pretty open about why, but I always seem to get pushback around the idea that there might be...
  • Blog Post: Exploitability Index - More Information for Customers

    Yesterday at Black Hat 2008, along with some other stuff , we announced that we will be adding some new information to Security Bulletins - an "Exploitability Index" for each of the vulnerabilities addressed by the bulletin. Based upon talking with Microsoft customers over the past five years, they are...
  • Blog Post: CIO.COM: Mozilla and “Counting Still Easy…”

    [DISCLOSURE for those who don’t read about boxes: I work for Microsoft.] I admit that I enjoy discussing issues and digging into claims to see if I can find fractures or flaws in logic. When I ran product management teams for companies in previous roles, I would always review our draft product glossies...
  • Blog Post: What if We Had Vuln-Free Software?

    I was in a meeting with a large group of security professional today talking about SDL, reducing vulnerabilities, metrics, and so on - my normal topics - and we got into a really interesting discussion about which areas of focus can get the best practical results for operational IT security. How would...
  • Blog Post: Severity Rating Systems - Part 1

    Read the full Part 1 on CSOonline . Recently, Red Hat has raised some objections to my use in analysis of the High, Medium and Low severity ratings as determined by the National Institute of Standards (NIST) for the National Vulnerability Database (NVD) - found at http://nvd.nist.gov/ . So, let me say...
  • Blog Post: RSA Crypto Panel: Martin Hellman on 0.01% Events

    In the past, I haven't always stayed to hear the Crypto panel, but based upon the excellent one this year, I'll definitely include it in my plans going forward. If you want to hear an overview of what they all said, I can recommend Robert Vamosi's story Cryptographers speak of threats, voting, and Blu...
  • Blog Post: Red Hat Enterprise Linux 4 Passes 1000 Vulnerabilities

    A few weeks after my July OS Vulnerability Scorecard posting, I was amused to see a posting about it on truthhhappens.redhatmagazine.com (click to see the post). I can't even do it justice by paraphrasing, so here is the text: A Microsoft vulnerability report suggests that Microsoft wasn’t able to fix...
  • Blog Post: Windows Server codename "Longhorn" - Server Core Install

    This past weekend I dug into an aspect of Windows Server codename "Longhorn" to personally check out something that I've been excited about for a while - a "server core" installation. Doing the Installation After burning myself a Beta3 disk, I fired it up and after a few basic screens (USEnglish...
  • Blog Post: Just for Fun: Covering My Coverage

    Since published my Windows Vista - 90 Day Vulnerability Report , I have been reading a lot of the various commentary and generally, I take it with a grain of salt. Many of the comments indicate that the person didn't even read the report, which is fairly typical, while others bash it without raising...
  • Blog Post: Windows XP vs Windows Vista Security

    So, a couple of days ago, I happened upon the tantalizing headline of Review: Vista, XP Users Equally At Peril To Viruses, Exploits. What!? As you can imagine, the headline sucked me in and I had to read it. Frankly, the article as well as the scientific rigor of their testing "failed to impress." Take...
  • Blog Post: CIO.COM: Can Mozilla Support Their Security Claims?

    Mozilla bills Firefox as the most secure Web browser on the planet, but is it really? Follow along with this series and see if the claims hold up to close scrutiny. Today, I started a multi-part article series on cio.com (Security landing page: http://www.cio.com/topic/1419/Security ) probing Mozilla...