Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

Browse by Tags

  • Blog Post: 2006 January through September Vulnerability Trends

    This post is part of a multi-part Q3 2006 Vulnerability Report. Here are links to all of the sections, in case you want to read the others: 2006 January through September Vulnerability Trends (you are here) Windows vs Linux Workstation Comparison Windows vs Linux Server Comparison (TBD real...
  • Blog Post: Perception: Case in Point

    I love it when a good, real-life example falls right into your lap. As you know from my recent posts, I’ve been doing a series of articles probing Mozilla and Firefox security claims.  I think I’ve been pretty open about why, but I always seem to get pushback around the idea that there might be...
  • Blog Post: March 2007 - Vuln Scorecard

    I just posted my March 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Novell, Sun, and Mac OS X, broken down by server and workstation. Here is the workstation chart: I plan to update this...
  • Blog Post: How New is Your OS Platform ?

    I was giving a talk last week covering some of the x86 vulnerability analysis that I do and I got a surprising (to me) comment: You are showing Red Hat 3 numbers - why are you intentionally comparing Windows to such an old version ? This sort of surprised (and puzzled me), but in some sense...
  • Blog Post: Red Hat Launches 11 RHEL5 Security Advisories

    Dual standards at work again. When the first vulnerability was announced in Windows Vista a month after release, it was big news. 11 security advisories, including 3 Critical ones, on the day of launch? Apparently no big deal for Red Hat ... read more detail
  • Blog Post: What If? The First Days of a Security Enhanced OS ...

    This story is especially dedicated to all the new IT Pro friends I met in Budapest this past week. I had meant to share this story with you, but it got squeezed out by more important discussions... With the Windows Vista release drawing more near each week, I've been thinking back to the release of...
  • Blog Post: Windows vs Linux - Workstation Comparison - Q3 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: Exposed? : Examining Secunia Unpatched Warnings - Part 1

    Security, perception, reality. What security professional hasn't struggled with the gaps between those three things? Is there anything worse for security than a false sense of security? Even my short-term readers probably realize that this is a recurring theme for me - digging into perceptions and misperceptions...
  • Blog Post: Ubuntu 6.06 LTS (Dapper Drake) - 90 Day Security Vulnerability Scorecard

    Based upon Debian, Ubuntu has cool release names like "Warty Warthog", "Hoary Hedgehog", "Breezy Badger" and "Dapper Drake" and is certainly the current fair haired Linux. Warty Warhog, aka Ubuntu 4.10, was the first release in October 2004. Dapper Drake, released on June 1 of this year added Ubuntu...
  • Blog Post: CIO.COM: Mozilla and “Counting Still Easy…”

    [DISCLOSURE for those who don’t read about boxes: I work for Microsoft.] I admit that I enjoy discussing issues and digging into claims to see if I can find fractures or flaws in logic. When I ran product management teams for companies in previous roles, I would always review our draft product glossies...
  • Blog Post: Q1 2008 - Client OS Vulnerability Scorecard

    This paper is a compilation of vulnerability data for client operating systems for the first 3 month, January through March, of 2008. Vulnerabilities and fixes for the following products are discussed: Microsoft Windows Vista Microsoft Windows XP SP2 Red Hat Enterprise Linux Desktop (v. 5 client) Red...
  • Blog Post: New Firefox (sort of) Available

    I had heard that the Firefox update would be coming out last week, then I heard the 12th and then I heard the 14th. Looks like it is out on the ftp server now: ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.5.0.7/win32/en-US/Firefox%20Setup%201.5.0.7.exe , but they're not yet pointing to it...
  • Blog Post: Common Objections - Comparing Linux Distros with Windows

    Once again, my effort to explore common misperceptions (more recently exploring unpatched statistics ) has brought out some of the common objections from those that don't necessarily like the results. Very rarely do I get comments that can find a substantive problem with the analysis - instead the arguments...
  • Blog Post: Red Hat Enterprise Linux 4 Passes 1000 Vulnerabilities

    A few weeks after my July OS Vulnerability Scorecard posting, I was amused to see a posting about it on truthhhappens.redhatmagazine.com (click to see the post). I can't even do it justice by paraphrasing, so here is the text: A Microsoft vulnerability report suggests that Microsoft wasn’t able to fix...
  • Blog Post: Background and Overview for Days-of-Risk

    I just published a Basic Guide to Days of Risk over on my CSO Magazine Blog , in preparation for a new quarterly days-of-risk study I'm going to start publishing. If you don't have a good understanding of the days-of-risk metrics, the post will give you the background on the metric and reference several...
  • Blog Post: Oracle Announces Unbreakable Linux (aka Red Hat)

    And by "unbreakable", of course, they mean that if you drop the shrinkwrap box on the floor, the CDs won't break because it's really well padded. At least, that's what I think it means, because I don't see how anybody could think it means unbreakable security. I think I kind of feel sorry for Mary...
  • Blog Post: Ubuntu CVE Tracker

    Today I was looking at some of the various vendor security and advisory sites and I noticed at the top of the Ubuntu site:  For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker . I had not seen the Ubuntu CVE Tracker before, so I checked out, very interested because...
  • Blog Post: February 2007 - Vuln Scorecard

    I just posted my February 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Novell, Sun, and Mac OS X, broken down by server and workstation. I do include the first 3 months of Windows Vista as...
  • Blog Post: Download: Internet Explorer and Firefox Vulnerability Analysis

    Summary: For most people, their web browser is central to their interaction with the Internet, connecting to global web sites and helping them consume online services providing everything from booking flights to banking services to online shopping. This reality makes browsers a key tool when evaluating...
  • Blog Post: 2006 Client OS Days of Risk

    As a follow-up to my previous Days-of-risk in 2006 : Linux, Mac OS X, Solaris and Windows , where I compare Microsoft, Red Hat, Novell SUSE, Apple Mac OS X and Sun Solaris, I've also completed a look at the latest client products that were available for the full year of 2006 (this means Novell NLD9 instead...
  • Blog Post: Windows Vista - 6-Month Vulnerability Study

    I was nudged by some colleagues this week, telling me that some folks may only be reading my technet blog, but that I hadn't been doing a great job of cross-posting some things. Six months is a much more interesting time frame than the previous Windows Vista - 90 Day Vulnerability Report , and gives...
  • Blog Post: July 2007 - Operating System Vulnerability Scorecard

    Summer and work travel have really had an impact and I've missed a couple of months of scorecards, so last weekend, I decided to dig in and catch up to July. I hit a few road bumps: Sun changed their Security Alerts web site, making it a bit more challenging. I gave up for now, but will try to add them...
  • Blog Post: Exposed? : Examining Secunia Unpatched Warnings - Part 3

    This is the final post in my 3 part series trying to get an accurate view of disclosed, but unpatched issues for Windows and Linux. In Part 1 , I looked at Secunia "unpatched" warnings and raised the question of whether the unpatched data was accurate and whether the data was tracked consistently between...
  • Blog Post: Windows vs Linux - Workstation - Q3 2006 addendum (High+Remote)

    This post is dedicated to n00dles , for daring to ask for even more detail ;-) and should be considered as an addendum to Windows vs Linux - Workstation Comparison - Q3 2006 . Same caveats apply: NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure...
  • Blog Post: Firefox in 2008 – No Single Version Available for The Full Year?

    I’ve been busy doing analysis for the next article in my cio.com Firefox series of articles, looking at vulnerability disclosures during 2007 and 2008 and I stumbled upon a little factoid that I had not previously noticed – no single version of Firefox was available for the full year of 2008. In retrospect...