Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

Browse by Tags

  • Blog Post: Computing Trends: Cloud, Big Data and the Evolving Threat Landscape

    Today at RSA China, Jing de Jong-Chen (senior director, Trustworthy Computing) delivered a keynote outlining the next steps in Microsoft’s evolved security, privacy and reliability strategies for cloud and big data. Scott Charney’s Trustworthy Computing Next whitepaper highlights several...
  • Blog Post: 2006 January through September Vulnerability Trends

    This post is part of a multi-part Q3 2006 Vulnerability Report. Here are links to all of the sections, in case you want to read the others: 2006 January through September Vulnerability Trends (you are here) Windows vs Linux Workstation Comparison Windows vs Linux Server Comparison (TBD real...
  • Blog Post: Trustworthy Computing: Learning About Threats for Over 10 Years - Part 6

    In this series of articles, we have been looking at some of the ways that the threat landscape has evolved over the past decade. In this final article in the series I discuss software servicing, or the art and science of effectively and efficiently keeping software up to date. What File Versions are...
  • Blog Post: Trustworthy Computing: Learning About Threats for Over 10 Years - Part 3

    In the first two parts of this series (part 1, part 2) I explored some of the ways that the threat landscape has evolved over the past decade and introduced a new special edition Microsoft Security Intelligence Report (SIR) called “The evolution of malware and the threat landscape – a...
  • Blog Post: Perception: Case in Point

    I love it when a good, real-life example falls right into your lap. As you know from my recent posts, I’ve been doing a series of articles probing Mozilla and Firefox security claims.  I think I’ve been pretty open about why, but I always seem to get pushback around the idea that there might be...
  • Blog Post: Windows 8 Release Preview Available for Download

    Today on the Building Windows 8 blog, Microsoft announced the availability of the Windows 8 Release Preview. (Read the press release here.) There are a couple of things to note that are of note to us here in the land of Trustworthy Computing: New Family Safety features and enriched privacy...
  • Blog Post: Windows Vista x64 Security – Pt 2 – Patchguard

    NOTE: I know this is a long post. If you don’t want to read all the details I discuss here, I still encourage you to go read What Were They Thinking? Anti-Virus Software Gone Wrong, by Skywing, to give you a perspective on “known good” extensions to kernels. Also, as always, this blog post represents...
  • Blog Post: Mac OS X Security - Reality Check #1

    UPDATE: A colleague sent me a link to the source paper that the article discusses: http://www.techzoom.net/papers/blackhat_0day_patch_2008.pdf . As anyone who reads my blog knows, I like to shine a light on areas of common security misperceptions. I am even happier when others do it. I think Apple...
  • Blog Post: The Value of UAC in Windows Vista

    Last week at the RSA conference, I had the excellent opportunity to talk to a lot of people about security (in general) as well as about security enhancements in Windows Vista. One of the interesting discussions I had centered around UAC and its security value. I *think* the conversation started when...
  • Blog Post: New Security Tools for IIS and SQL

    In case you didn't see it, the Microsoft Security Response Center (MSRC) team just announced the release of three tools to help customers fend off SQL injection attacks: UrlScan 3.0 Beta (see Wade Hilmo's blog for more), a security tool that restricts the types of HTTP requests that Internet Information...
  • Blog Post: Exploitability Index - More Information for Customers

    Yesterday at Black Hat 2008, along with some other stuff, we announced that we will be adding some new information to Security Bulletins - an "Exploitability Index" for each of the vulnerabilities addressed by the bulletin. Based upon talking with Microsoft customers over the past five years, they are...
  • Blog Post: Security Intelligence Report v6

    This morning, we released the latest version of the Microsoft Security Intelligence Report (SIRv6), examining industry-wide software vulnerability disclosures, Microsoft vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software. I am one of the primary...
  • Blog Post: Expanding SDL for Cloud and Agile Development

    With more and more business customers deciding between client, cloud, or both for their computing environments, security guidance must be dynamic and evolve along with the community.  Because security and privacy are key concerns affecting adoption of cloud computing, the industry has an opportunity...
  • Blog Post: March 2007 - Vuln Scorecard

    I just posted my March 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Novell, Sun, and Mac OS X, broken down by server and workstation. Here is the workstation chart: I plan to update this...
  • Blog Post: Warning: Fake Microsoft notification allegedly from Windows Live

    Okay, so there are about a million social techniques being used in email to get your attention and entice you to click on some bad link, but since this one purports to be from Microsoft, I thought I’d post a quick warning and do a bit of digging, since it is the first of these that I’ve gotten and I...
  • Blog Post: How New is Your OS Platform?

    I was giving a talk last week covering some of the x86 vulnerability analysis that I do and I got a surprising (to me) comment: You are showing Red Hat 3 numbers - why are you intentionally comparing Windows to such an old version? This sort of surprised (and puzzled) me, but in some sense...
  • Blog Post: Trustworthy Computing: Learning About Threats Over 10 Years – Part 5

    This post continues my analysis of industry vulnerability disclosures started in part 4 last week and is part of an ongoing series of posts based upon Tim Rains and my recent special edition Microsoft Security Intelligence Report (SIR) called “The evolution of malware and the threat landscape – a ten...
  • Blog Post: SDL Team Adds Test Tools to the SDL Tools Arsenal

    Those of you that have been reading my blog a while know that part of my interest in security metrics is in trying to find ways to measure if Microsoft efforts to improve fundamental in security products is bearing fruit.  Central to the Microsoft efforts is the Security Development Lifecycle process...
  • Blog Post: Real Life Protection! IE7 on Vista

    Happy day, if you get this dialog box: This screenshot comes from Zdnet article Vista passes one security test that points out some of the benefits of the multiple levels of security in IE7 and Windows Vista, with respect to the zero day issue warned about in and Microsoft Security Advisory and...
  • Blog Post: The Goodness of IE Enhanced Security Configuration

    Way back before IE7 with "low rights IE" and its other improvements, Microsoft shipped IE6 for Windows Server 2003 in Enhanced Security Configuration. We're now getting ready for Windows Vista and Longhorn Server is on the horizon as well and I decided to look at how much the Enhanced Security Configuration...
  • Blog Post: Huh? Is that a "Yes" or a "No", Mr. Symantec CEO?

    With such an eye-catching headline of Symantec CEO says no Vista for me, how could I not read it? My hat is off to you Joris, for having the most popular security story of the day! WARNING: This post is chock-full of exaggerated incredulity and hyperbole! (Though not necessarily as much as most recent...
  • Blog Post: Windows vs Linux - Workstation Comparison - Q3 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: U.S. ISPs Commit to Help Protect Consumers from Botnets

    Botnets and other malware continue to threaten the computing environment online that our society relies upon for communication, commerce and collaboration. In the past several years, we along with industry partners have made great strides toward containing and even pushing back against security threats...
  • Blog Post: Download: Server Core Potential Security Benefit

    With Windows Server 2008, the Microsoft Windows Server team introduced a new installation option – Server Core. Server Core is a “minimal install” option of Windows Server that excludes much of the GUI and many applications – such as Internet Explorer and Windows Media Player – that would be present...
  • Blog Post: Red Hat and Windows - Defining an Apples-to-Apples Workstation Build

    Why Red Hat? As folks who read my blog know, I normally utilize Red Hat as a proxy for Linux Distributions when analyzing Windows vs Linux for security and vulnerabilities. Some object to this (Red Hat is Not Linux), but it would be hard to select another alternative because: Red Hat...