Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

Browse by Tags

  • Blog Post: March 2007 - Vuln Scorecard

    I just posted my March 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Novell, Sun, and Mac OS X, broken down by server and workstation. Here is the workstation chart: I plan to update this...
  • Blog Post: How New is Your OS Platform ?

    I was giving a talk last week covering some of the x86 vulnerability analysis that I do and I got a surprising (to me) comment: You are showing Red Hat 3 numbers - why are you intentionally comparing Windows to such an old version? This sort of surprised (and puzzled) me, but in some sense...
  • Blog Post: Red Hat Launches 11 RHEL5 Security Advisories

    Dual standards at work again. When the first vulnerability was announced in Windows Vista a month after release, it was big news. 11 security advisories, including 3 Critical ones, on the day of launch? Apparently no big deal for Red Hat ... read more detail
  • Blog Post: What If? The First Days of a Security Enhanced OS ...

    This story is especially dedicated to all the new IT Pro friends I met in Budapest this past week. I had meant to share this story with you, but it got squeezed out by more important discussions... With the Windows Vista release drawing more near each week, I've been thinking back to the release of...
  • Blog Post: Windows vs Linux - Workstation Comparison - Q3 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: Red Hat and Windows - Defining an Apples-to-Apples Workstation Build

    Why Red Hat? As folks who read my blog know, I normally utilize Red Hat as a proxy for Linux distributions when analyzing Windows vs Linux for security and vulnerabilities. Some object to this (Red Hat is Not Linux), but it would be hard to select another alternative because: Red Hat...
  • Blog Post: Exposed? : Examining Secunia Unpatched Warnings - Part 1

    Security, perception, reality. What security professional hasn't struggled with the gaps between those three things? Is there anything worse for security than a false sense of security? Even my short-term readers probably realize that this is a recurring theme for me - digging into perceptions and misperceptions...
  • Blog Post: Ubuntu 6.06 LTS (Dapper Drake) - 90 Day Security Vulnerability Scorecard

    Based upon Debian, Ubuntu has cool release names like "Warty Warthog", "Hoary Hedgehog", "Breezy Badger" and "Dapper Drake" and is certainly the current fair-haired Linux. Warty Warthog, aka Ubuntu 4.10, was the first release in October 2004. Dapper Drake, released on June 1 of this year, added Ubuntu...
  • Blog Post: January 2007 - Vuln Scorecard

    I just posted my January 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Sun, and Mac OS X, broken down by server and workstation. I do include the first 2 months of Windows Vista as well, which...
  • Blog Post: Severity Rating Systems - Part 1

    Read the full Part 1 on CSOonline. Recently, Red Hat has raised some objections to my use in analysis of the High, Medium and Low severity ratings as determined by the National Institute of Standards and Technology (NIST) for the National Vulnerability Database (NVD) - found at http://nvd.nist.gov/ . So, let me say...
  • Blog Post: Q1 2008 - Client OS Vulnerability Scorecard

    This paper is a compilation of vulnerability data for client operating systems for the first 3 months, January through March, of 2008. Vulnerabilities and fixes for the following products are discussed: Microsoft Windows Vista, Microsoft Windows XP SP2, Red Hat Enterprise Linux Desktop (v. 5 client), Red...
  • Blog Post: Common Objections - Comparing Linux Distros with Windows

    Once again, my effort to explore common misperceptions (more recently exploring unpatched statistics) has brought out some of the common objections from those who don't necessarily like the results. Very rarely do I get comments that can find a substantive problem with the analysis - instead the arguments...
  • Blog Post: Red Hat Enterprise Linux 4 Passes 1000 Vulnerabilities

    A few weeks after my July OS Vulnerability Scorecard posting, I was amused to see a posting about it on truthhhappens.redhatmagazine.com (click to see the post). I can't even do it justice by paraphrasing, so here is the text: A Microsoft vulnerability report suggests that Microsoft wasn’t able to fix...
  • Blog Post: Background and Overview for Days-of-Risk

    I just published a Basic Guide to Days of Risk over on my CSO Magazine Blog, in preparation for a new quarterly days-of-risk study I'm going to start publishing. If you don't have a good understanding of the days-of-risk metric, the post will give you the background on the metric and reference several...
  • Blog Post: Oracle Announces Unbreakable Linux (aka Red Hat)

    And by "unbreakable", of course, they mean that if you drop the shrinkwrap box on the floor, the CDs won't break because it's really well padded. At least, that's what I think it means, because I don't see how anybody could think it means unbreakable security. I think I kind of feel sorry for Mary...
  • Blog Post: December 2006 Catch-up

    Well, between the Holidays and 2 weeks of being sick, I didn't stay very current during December. So, to get back on track, I thought I'd create this summary, backdate it to December 31 (today is January 2nd, 2007), just so I can share my comments on some of the interesting security happenings during...
  • Blog Post: February 2007 - Vuln Scorecard

    I just posted my February 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Novell, Sun, and Mac OS X, broken down by server and workstation. I do include the first 3 months of Windows Vista as...
  • Blog Post: 2006 Client OS Days of Risk

    As a follow-up to my previous Days-of-risk in 2006: Linux, Mac OS X, Solaris and Windows, where I compare Microsoft, Red Hat, Novell SUSE, Apple Mac OS X and Sun Solaris, I've also completed a look at the latest client products that were available for the full year of 2006 (this means Novell NLD9 instead...
  • Blog Post: Windows Vista - 6-Month Vulnerability Study

    I was nudged by some colleagues this week, telling me that some folks may only be reading my technet blog, but that I hadn't been doing a great job of cross-posting some things. Six months is a much more interesting time frame than the previous Windows Vista - 90 Day Vulnerability Report , and gives...
  • Blog Post: Exposed? : Examining Secunia Unpatched Warnings - Part 3

    This is the final post in my 3-part series trying to get an accurate view of disclosed, but unpatched, issues for Windows and Linux. In Part 1, I looked at Secunia "unpatched" warnings and raised the question of whether the unpatched data was accurate and whether the data was tracked consistently between...
  • Blog Post: Hats off to Mr. Mark Cox and Team

    Let me take a moment to clarify something, as some folks seem to have gotten the wrong impression. I have nothing but the utmost respect for Mark Cox and the Red Hat security team that he leads. They do a hard job and they do it well, balancing the pressures imposed by the community from full disclosure...
  • Blog Post: Windows vs Linux - Workstation - Q3 2006 addendum (High+Remote)

    This post is dedicated to n00dles, for daring to ask for even more detail ;-) and should be considered as an addendum to Windows vs Linux - Workstation Comparison - Q3 2006. Same caveats apply: NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure...
  • Blog Post: Windows Vista 90 Day Vulnerability Analysis

    February 28th marked 90 days that Windows Vista had been available to business customers. Has it been a good or a bad 90 days for security vulnerabilities? Dang, this is a sweet chart, but click here to read all the details and download the full report. Best regards ~ Jeff
  • Blog Post: Download: H1 2008 Desktop OS Vendor Report - Vulnerabilities and Days-of-Risk

    This report looks at all of the vulnerabilities fixed by Apple, Microsoft, Red Hat and Ubuntu during the first half of 2008. At the vendor level, the report examines all vulnerabilities as well as Days of Risk (DoR) associated with those vulnerabilities. The report further drills down to examine just...
  • Blog Post: 2006 Days of Risk Comparison

    Among the other metrics that I track, I also periodically look at days-of-risk, or the average amount of time that customers are exposed to public vulnerabilities before a vendor provides a patch. You can take a look at the full findings on Days-of-risk in 2006: Linux, Mac OS X, Solaris and Windows...
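    The days-of-risk metric as defined in the excerpt above (time from public disclosure to the vendor's fix, averaged per vendor), worked through on a small constructed data set. This is an added example and is not code from the original posts or from the author's published studies; the vendor names, identifiers, dates and the study cutoff are all made up, and the treatment of still-unpatched issues is an assumption made here. It also shows the point the "Exposed?" series raises: whether disclosed-but-unpatched issues are included changes the average, so a comparison has to state which choice it makes.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Vuln:
    vendor: str
    ident: str                 # placeholder identifier, not a real advisory id
    disclosed: date            # first public disclosure
    patched: Optional[date]    # None = no vendor fix by the study cutoff


# Assumed end of the study window.
CUTOFF = date(2006, 6, 30)

# Constructed sample records (hypothetical vendors and dates).
SAMPLE: List[Vuln] = [
    Vuln("VendorA", "A-1", date(2006, 1, 10), date(2006, 1, 20)),   # 10 days exposed
    Vuln("VendorA", "A-2", date(2006, 2, 1),  date(2006, 3, 3)),    # 30 days exposed
    Vuln("VendorA", "A-3", date(2006, 3, 15), None),                # still open at cutoff
    Vuln("VendorB", "B-1", date(2006, 1, 5),  date(2006, 1, 5)),    # fixed on disclosure day
    Vuln("VendorB", "B-2", date(2006, 2, 10), date(2006, 2, 6)),    # fix shipped before disclosure
    Vuln("VendorB", "B-3", date(2006, 4, 1),  date(2006, 4, 22)),   # 21 days exposed
]


def is_unpatched(v: Vuln, cutoff: date) -> bool:
    """An issue counts as unpatched if no fix exists, or the fix came after the cutoff."""
    return v.patched is None or v.patched > cutoff


def days_of_risk(v: Vuln, cutoff: date) -> int:
    """Days customers were exposed: public disclosure up to the vendor fix.

    An issue still unpatched at the cutoff is counted up to the cutoff, because
    exposure is continuing. A fix that shipped before disclosure (coordinated
    disclosure) would give a negative value; that is clamped to zero exposure.
    """
    end = cutoff if is_unpatched(v, cutoff) else v.patched
    return max(0, (end - v.disclosed).days)


def vendor_report(vulns: Iterable[Vuln], cutoff: date,
                  include_unpatched: bool = True) -> Dict[str, dict]:
    """Per-vendor count, number unpatched at the cutoff, and average days of risk.

    include_unpatched=False averages only fixed issues. That choice makes a vendor
    with slow or missing fixes look better, so a fair comparison reports which
    rule was applied and, ideally, both figures.
    """
    by_vendor: Dict[str, List[Vuln]] = {}
    for v in vulns:
        by_vendor.setdefault(v.vendor, []).append(v)

    report: Dict[str, dict] = {}
    for vendor, items in by_vendor.items():
        open_items = [v for v in items if is_unpatched(v, cutoff)]
        considered = items if include_unpatched else [v for v in items if not is_unpatched(v, cutoff)]
        dors = [days_of_risk(v, cutoff) for v in considered]
        report[vendor] = {
            "count": len(items),
            "unpatched": len(open_items),
            "avg_dor": (sum(dors) / len(dors)) if dors else None,
        }
    return report


if __name__ == "__main__":
    for rule in (True, False):
        print(f"include_unpatched={rule}")
        for name, rep in vendor_report(SAMPLE, CUTOFF, include_unpatched=rule).items():
            print(f"  {name}: {rep}")
```

    On the constructed data, VendorA averages 49.0 days when its open issue is counted up to the cutoff but only 20.0 days when unpatched issues are dropped, while VendorB sits at 7.0 either way; the same vendor can look very different depending on a rule the scorecard may never mention.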