Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

  • Blog Post: JeffOS EAL4+ Secure System

    (read my background article first) JeffOS gets EAL4+ certification... not really. Primarily because I haven't created JeffOS. But hey, I'm thinking about it, so stay with me while I think about what configuration of JeffOS I should submit for evaluation. What? Does the evaluated configuration make...
  • Blog Post: 2006 January through September Vulnerability Trends

    This post is part of a multi-part Q3 2006 Vulnerability Report. Here are links to all of the sections, in case you want to read the others: 2006 January through September Vulnerability Trends (you are here) Windows vs Linux Workstation Comparison Windows vs Linux Server Comparison (TBD real...
  • Blog Post: Windows vs Linux (Red Hat) - Server - 1st Half 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: Apples, Oranges and Vulnerability Metrics

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: March 2007 - Vuln Scorecard

    I just posted my March 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Novell, Sun, and Mac OS X, broken down by server and workstation. Here is the workstation chart: I plan to update this...
  • Blog Post: Fallout in Linux Land

    Yesterday, Eric S. Raymond (ESR) publicly dumped Red Hat Fedora and made the switch to Ubuntu: Eric S. Raymond Gives Up on Fedora , burning bridges left and right behind him. In Eric's words: Over the last five years, I've watched Red Hat/Fedora throw away what was at one time a near-unassailable...
  • Blog Post: How New is Your OS Platform?

    I was giving a talk last week covering some of the x86 vulnerability analysis that I do and I got a surprising (to me) comment: You are showing Red Hat 3 numbers - why are you intentionally comparing Windows to such an old version? This sort of surprised (and puzzled) me, but in some sense...
  • Blog Post: Trustworthy Computing : Learning About Threats Over 10 Years–Part 5

    This post continues my analysis of industry vulnerability disclosures started in part 4 last week and is part of an ongoing series of posts based upon Tim Rains' and my recent special edition Microsoft Security Intelligence Report (SIR) called “ The evolution of malware and the threat landscape – a ten...
  • Blog Post: Linus’s Law aka "Many Eyes Make All Bugs Shallow"

    How many of you have heard “many eyes make all bugs shallow”? My guess is that many of you have and that it may have been in conjunction with an argument supporting why Linux and Open Source products have better security. For example, Red Hat publishes a document at www.redhat.com/whitepapers/services...
  • Blog Post: Red Hat Launches 11 RHEL5 Security Advisories

    Dual standards at work again. When the first vulnerability was announced in Windows Vista a month after release, it was big news. 11 security advisories, including 3 Critical ones, on the day of launch? Apparently no big deal for Red Hat ... read more detail
  • Blog Post: What If? The First Days of a Security Enhanced OS ...

    This story is especially dedicated to all the new IT Pro friends I met in Budapest this past week. I had meant to share this story with you, but it got squeezed out by more important discussions... With the Windows Vista release drawing more near each week, I've been thinking back to the release of...
  • Blog Post: Windows vs Linux - Workstation Comparison - Q3 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: Red Hat and Windows - Defining an Apples-to-Apples Workstation Build

    Why Red Hat? As folks who read my blog know, I normally utilize Red Hat as a proxy for Linux Distributions when analyzing Windows vs Linux for security and vulnerabilities. Some object to this ( Red Hat is Not Linux ), but it would be hard to select another alternative because: Red Hat...
  • Blog Post: New Enterprise Linux - Ubuntu

    For business use, the largest driver of Linux adoption has been the Enterprise Linux releases. Product names aside, I am referring to those Linux-based distributions that offer longer, multi-year support commitments for a version of the product. To date, the primary examples of this (and not coincidentally...
  • Blog Post: Exposed? : Examining Secunia Unpatched Warnings - Part 1

    Security, perception, reality. What security professional hasn't struggled with the gaps between those three things? Is there anything worse for security than a false sense of security? Even my short-term readers probably realize that this is a recurring theme for me - digging into perceptions and misperceptions...
  • Blog Post: Ubuntu 6.06 LTS (Dapper Drake) - 90 Day Security Vulnerability Scorecard

    Based upon Debian, Ubuntu has cool release names like "Warty Warthog", "Hoary Hedgehog", "Breezy Badger" and "Dapper Drake" and is certainly the current fair-haired Linux. Warty Warthog, aka Ubuntu 4.10, was the first release in October 2004. Dapper Drake, released on June 1 of this year added Ubuntu...
  • Blog Post: Novell Removes /truth and Security from Linux Site

    Provocative, but technically true. You may or may not recall that Novell published www.novell.com/linux/truth in response to Microsoft's www.microsoft.com/getthefacts site. I browsed out there yesterday to see the current truth for myself and was redirected to http://www.novell.com/whynovell/. You can...
  • Blog Post: Windows 98 - the End is Nigh and a Look Back

    What OS were you using in 1998? Windows 98? Red Hat 5.1? Something else? The MSRC blog recently reiterated the upcoming end of life for Windows 98, Windows 98SE and Windows ME, indicating that there will be no support after the July 11th Patch Tuesday. (There’s more detail about this and other Support...
  • Blog Post: Windows vs Linux (Red Hat) - Workstation - 1st Half 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: On Disingenuous Analysis and Transparency

    So, I am perusing security blogs this weekend and I read this interesting entry by Mark Cox of Red Hat about transparency where he says "...the Microsoft PR engine has been churning out disingenuous articles and doing demonstrations based on vulnerability count comparisons." In general, I think...
  • Blog Post: January 2007 - Vuln Scorecard

    I just posted my January 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Sun, and Mac OS X, broken down by server and workstation. I do include the first 2 months of Windows Vista as well, which...
  • Blog Post: Severity Rating Systems - Part 1

    Read the full Part 1 on CSOonline. Recently, Red Hat has raised some objections to my use in analysis of the High, Medium and Low severity ratings as determined by the National Institute of Standards (NIST) for the National Vulnerability Database (NVD) - found at http://nvd.nist.gov/. So, let me say...
  • Blog Post: Q1 2008 - Client OS Vulnerability Scorecard

    This paper is a compilation of vulnerability data for client operating systems for the first 3 months, January through March, of 2008. Vulnerabilities and fixes for the following products are discussed: Microsoft Windows Vista Microsoft Windows XP SP2 Red Hat Enterprise Linux Desktop (v. 5 client) Red...
  • Blog Post: Common Objections - Comparing Linux Distros with Windows

    Once again, my effort to explore common misperceptions (more recently exploring unpatched statistics ) has brought out some of the common objections from those that don't necessarily like the results. Very rarely do I get comments that can find a substantive problem with the analysis - instead the arguments...
  • Blog Post: Workload Vulnerability Index

    In the recent Risk Report: A Year of Red Hat Enterprise Linux 4 in Red Hat Magazine, Mark Cox defined an interesting new security metric, the Workload Vulnerability Index, that provides a weighted measure of the impact that ongoing security vulnerabilities have to those doing patching. Here is how the...