Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

Browse by Tags

  • Blog Post: JeffOS EAL4+ Secure System

    (read my background article first) JeffOS gets EAL4+ certification... not really. Primarily because I haven't created JeffOS. But hey, I'm thinking about it, so stay with me while I think about what configuration of JeffOS I should submit for evaluation. What? Does the evaluated configuration make...
  • Blog Post: 2006 January through September Vulnerability Trends

    This post is part of a multi-part Q3 2006 Vulnerability Report. Here are links to all of the sections, in case you want to read the others: 2006 January through September Vulnerability Trends (you are here) Windows vs Linux Workstation Comparison Windows vs Linux Server Comparison (TBD real...
  • Blog Post: Mac OS X Security - Reality Check #1

    UPDATE: A colleague sent me a link to the source paper that the article discusses: http://www.techzoom.net/papers/blackhat_0day_patch_2008.pdf . As anyone who reads my blog knows, I like to shine a light on areas of common security misperceptions. I am even happier when others do it. I think Apple...
  • Blog Post: Weekly Roundup: May 4, 2012 – Think Before You Click

    Trending Security News Security news stories this week continue to validate the importance of cybersecurity skills in the marketplace and FEMA released a new National Preparedness Report providing insights on the state of national critical infrastructure protection. Here are some of the security news...
  • Blog Post: Apples, Oranges and Vulnerability Metrics

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: March 2007 - Vuln Scorecard

    I just posted my March 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Novell, Sun, and Mac OS X, broken down by server and workstation. Here is the workstation chart: I plan to update this...
  • Blog Post: Supplemental Data for Calculating Mozilla Patching Speed

    A couple of days ago, Secunia published their Secunia 2008 Report, and one of their tables garnered quite a bit of attention with respect to Mozilla patching quickly: Brian Krebs, Washington Post, Fanning the Flames of the Browser Security Wars Brian Prince, eWeek, Security Report Ignites Firefox vs...
  • Blog Post: Windows vs Linux - Workstation Comparison - Q3 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: Download: Server Core Potential Security Benefit

    With Windows Server 2008, the Microsoft Windows Server team introduced a new installation option – Server Core. Server Core is a “minimal install” option of Windows Server that excludes much of the GUI and many applications – such as Internet Explorer and Windows Media Player – that would be present...
  • Blog Post: SIRv5 Vulnerability Trends Webcast - 1 of 2 - Industry Trends

    With the recent release of v5 of the Security Intelligence Report, I decided to produce a couple of webcast videos where I present my findings to you directly in a brief presentation. In this first one, I go over the industry-wide trends.   1H08 Vulnerability Trends - Part1 - Industry To see all...
  • Blog Post: Exposed? : Examining Secunia Unpatched Warnings - Part 1

    Security, perception, reality. What security professional hasn't struggled with the gaps between those three things? Is there anything worse for security than a false sense of security? Even my short-term readers probably realize that this is a recurring theme for me - digging into perceptions and misperceptions...
  • Blog Post: Ubuntu 6.06 LTS (Dapper Drake) - 90 Day Security Vulnerability Scorecard

    Based upon Debian, Ubuntu has cool release names like "Warty Warthog", "Hoary Hedgehog", "Breezy Badger" and "Dapper Drake" and is certainly the current fair haired Linux. Warty Warthog, aka Ubuntu 4.10, was the first release in October 2004. Dapper Drake, released on June 1 of this year added Ubuntu...
  • Blog Post: Weekly Roundup: May 18, 2012 – Smartphone Security, Cyber Threat Trends and the Importance of Secure Development

    Trending Security News Security news stories this week focused on smartphone security and GPS tracking; our Security Development Conference in DC; and a report on security technology trends with a few stories also covering malware stats and cyber-attacks. Here are the security news stories and two blog...
  • Blog Post: Cloud Computing Trends Report : Maturity of IT Departments

    As cloud computing matures, a growing number of organizations are interested in moving to cloud environments to help lower IT costs, increase efficiencies, and realize greater flexibility. However, organizations that consider cloud computing have also voiced a number of concerns. In multiple studies...
  • Blog Post: Windows Vista vs Windows XP SP2 Vulnerability Report 2007

    In the wake of my Windows Vista One Year Vulnerability Report, I have received many questions regarding the current vulnerability record of Windows Vista as compared with Windows XP SP2. This short paper is a compilation of vulnerability data for Microsoft Windows Vista and Microsoft Windows XP SP2...
  • Blog Post: CIO.COM: Mozilla and “Counting Still Easy…”

    [DISCLOSURE for those who don’t read about boxes: I work for Microsoft.] I admit that I enjoy discussing issues and digging into claims to see if I can find fractures or flaws in logic. When I ran product management teams for companies in previous roles, I would always review our draft product glossies...
  • Blog Post: What if We Had Vuln-Free Software?

    I was in a meeting with a large group of security professionals today talking about SDL, reducing vulnerabilities, metrics, and so on - my normal topics - and we got into a really interesting discussion about which areas of focus can get the best practical results for operational IT security. How would...
  • Blog Post: SDL Awareness and Adoption High Among Security Professionals

    UPDATE - Hear what others are saying about this survey: (Dark Reading) Survey Says: More Than Half of Software Companies Deploying Secure Coding Methods (NetworkWorld) Code Writers Finally Get Security? Maybe (Help Net Security) Root issues causing software vulnerabilities Errata Security has released...
  • Blog Post: Microsoft Security Intelligence Report - 1st Half 2007

    The third volume of the Microsoft Security Intelligence Report (SIR) is now available for download at: www.microsoft.com/sir - this link will take you to a summary portal that has links to the downloadable document, upcoming webcasts about the SIR results, and so on. As one of the primary authors for...
  • Blog Post: January 2007 - Vuln Scorecard

    I just posted my January 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Sun, and Mac OS X, broken down by server and workstation. I do include the first 2 months of Windows Vista as well, which...
  • Blog Post: Severity Rating Systems - Part 1

    Read the full Part 1 on CSOonline. Recently, Red Hat has raised some objections to my use in analysis of the High, Medium and Low severity ratings as determined by the National Institute of Standards (NIST) for the National Vulnerability Database (NVD) - found at http://nvd.nist.gov/ . So, let me say...
  • Blog Post: Feb09 Security Bulletin SDL Benefit Summary

    Summaries from previous months: Jan09 Security Bulletin SDL Benefit Summary When I do analysis and reports on Microsoft products, I typically look for where the Security Development Lifecycle (SDL) has helped to provide improvement and provide some stats on that.  This year, I decided to try and...
  • Blog Post: Further Perspectives on Symantec Vista "Research"

    Since my original post on last week's Symantec paper, they've released another one as noted by Joris Evers in Symantec continues Vista bug hunt. Now that I've read both of the first two papers, I note two perspectives from Symantec on this: 1) the perspective of the researchers in their paper, and...
  • Blog Post: Q1 2008 - Client OS Vulnerability Scorecard

    This paper is a compilation of vulnerability data for client operating systems for the first 3 months, January through March, of 2008. Vulnerabilities and fixes for the following products are discussed: Microsoft Windows Vista Microsoft Windows XP SP2 Red Hat Enterprise Linux Desktop (v. 5 client) Red...
  • Blog Post: Mac OS X Security Myth #2: Nobody Attacks Mac OS X

    Following up on Mac OS X Security Myth #1: Mac OS X Has Few Security Bugs, this post continues my look at "perception versus reality" for Mac OS X security. There aren't a lot of sources of validated compromises, but one of the few we can check is www.zone-h.com, which gathers and documents web...