Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

Browse by Tags

  • Blog Post: Windows Vista : Threat-driven Design combined with Security Quality Process

    What is the difference between foundational security and security features? Name 3 security companies. Who did you name? Symantec? Checkpoint? RSA? ISS? These companies all offer products that provide security features or capabilities. What if Microsoft had no firewall? What if we had no PKI and...
  • Blog Post: Windows Vista x64 Security – Pt 2 – Patchguard

    NOTE: I know this is a long post. If you don’t want to read all the details I discuss here, I still encourage you to go read What Were They Thinking? Anti-Virus Software Gone Wrong , by Skywing, to give you a perspective on “known good” extensions to kernels. Also, as always, this blog post represents...
  • Blog Post: Windows Vista Beta2 Security Paper

    Was reading Dana Epp's blog and found reference to a new Microsoft paper called Microsoft ® Windows Vista™ Security Advancements . Good overview of most security enhancements in Beta2. The funny part of this story is that Dana noticed the paper while reading Mike's blog , which I hadn't read yet today...
  • Blog Post: The Value of UAC in Windows Vista

    Last week at the RSA conference, I had the excellent opportunity to talk to a lot of people about security (in general) as well as about security enhancements in Windows Vista. One of the interesting discussions I had centered around UAC and it's security value. I *think* the conversation started when...
  • Blog Post: Zune Killer App - Windows Media Center

    I admit it, I did not buy a Zune last year when they were first released. I don't have a large music collection and I'm generally happy listening to the radio to get my music fix, or the digital music channels available from my cable company, if you will. However, as some of you may realize from my previous...
  • Blog Post: March 2007 - Vuln Scorecard

    I just posted my March 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Novell, Sun, and Mac OS X, broken down by server and workstation. Here is the workstation chart: I plan to update this...
  • Blog Post: Real Life Protection! IE7 on Vista

    Happy day, if you get this dialog box: This screenshot comes from Zdnet article Vista passes one security test that points out some of the benefits of the multiple levels of security in IE7 and Windows Vista, with respect to the zero day issue warned about in and Microsoft Security Advisory and...
  • Blog Post: Huh? Is that a "Yes" or a "No", Mr. Symantec CEO?

    With such an eye-catching headline of Symantec CEO says no Vista for me , how could I not read it? My hat is off to you Joris, for having the most popular security story of the day! WARNING: This post is chock-full of exaggerated incredulity and hyperbole! (Though not necessarily as much as most recent...
  • Blog Post: Interview with Patchguard Architect Forrest Foltz (Windows Vista x64 Security - Patchguard follow up)

    Here I am doing my thing, looking at some of the security improvements in Windows Vista x64 (see pt1 and pt2 ), when all of a sudden, Patchguard seems to be hot news . [NOTE: Readers, if you need more details on Patchguard, start with my previous post Windows Vista x64 Security – Pt 2 – Patchguard...
  • Blog Post: CNET, Experts and Windows Vista Security

    UPDATE: Corrected my math problem, based upon astute reader feedback (he says sheepishly) Reading online news this morning, I came across the CNET headline: Experts: Don't buy Vista for the security . Wondering what the experts were saying, I clicked and read the article and once again I got a good...
  • Blog Post: Building My Windows Vista Media Center (VMC) - Part 2 - The Tuner

    You can read the first part of this blog series at Building My Windows Vista Media Center - Part 1 - The System , where I talk about what hardware and software I selected for my home Vista Media Center, which I will refer to as VMC from now on. This entry is primarily about my selection of tuner for...
  • Blog Post: Windows Vista vs Windows XP SP2 Vulnerability Report 2007

    In the wake of my Windows Vista One Year Vulnerability Report , I have received many questions regarding the current vulnerability record of Windows Vista as compares with Windows XP SP2. This short paper is a compilation of vulnerability data for Microsoft Windows Vista and Microsoft Windows XP SP2...
  • Blog Post: Microsoft Security Intelligence Report - 1st Half 2007

    The third volume of the Microsoft Security Intelligence Report (SIR) is now available for download at: www.microsoft.com/sir - this link will take you to a summary portal that has links to the downloadable document, upcoming webcasts about the SIR results, and so on. As one of the primary authors for...
  • Blog Post: January 2007 - Vuln Scorecard

    I just posted my January 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Sun, and Mac OS X, broken down by server and workstation. I do include the first 2 months of Windows Vista as well, which...
  • Blog Post: Windows Vista x64 Security - Pt 1

    I recently took home a build of Windows Vista for my home machine, which happens to be a dual processor 64-bit Dell machine, and it made me curious about the differences between the x86 and x64 version of Vista – specifically security differences. After doing a brief bit of research, I found three...
  • Blog Post: Windows Vista User Account Control (UAC)

    Jesper apparently stirred up things a bit with his latest post, Please don't disable security features, at least while we are testing them , asking folks to recognize that a Beta is not a final product and that you should wait to see the final before making hasty decisions like disabling a security feature...
  • Blog Post: Feb09 Security Bulletin SDL Benefit Summary

    Summaries from previous months: Jan09 Security Bulletin SDL Benefit Summary When I do analysis and reports on Microsoft products, I typically look for where the Security Development Lifecycle (SDL) has helped to provide improvement and provide some stats on that.  This year, I decided to try and...
  • Blog Post: Further Perspectives on Symantec Vista "Research"

    Since my original post on last week's Symantec paper, they've released another one as noted by Joris Evers in Symantec continues Vista bug hunt . Now that I've read both of the first two papers, I note two perspectives from Symantec on this: 1) the perspective of the researchers in their paper, and...
  • Blog Post: Q1 2008 - Client OS Vulnerability Scorecard

    This paper is a compilation of vulnerability data for client operating systems for the first 3 month, January through March, of 2008. Vulnerabilities and fixes for the following products are discussed: Microsoft Windows Vista Microsoft Windows XP SP2 Red Hat Enterprise Linux Desktop (v. 5 client) Red...
  • Blog Post: Where, oh Where, are Perfect Security Features?

    In my recent exploration of Windows Vista x64 security features and Patchguard (see pt1 and pt2 ), one of the issues sent my thoughts in the direction of how "perfect" security feature are (or are not) and how that affected security value to customers. So, here is the scenario. You read about a new security...
  • Blog Post: Address Space Layout Randomization (ASLR) in Windows Vista Beta2 ?

    UPDATE: Mike Howard has posted to his blog , confirming David and providing details on the Vista ASLR features. So, a couple of weeks ago, Jesper Johannsen wrote how the Windows Firewall was one of his favorite security features in Windows Vista. My favorite security enhancements tend to be architectural...
  • Blog Post: Symantec's Plea : Protect our Protection Racket

    I must emphasize that these are my thoughts as an individual and do not necessarily reflect those of Microsoft, or MSN, or any of the teams I happen to work with. While some of the notions in this article may be provocative, they are consistent with my charter of provoking thoughtful discussions and...
  • Blog Post: December 2006 Catch-up

    Well, between the Holidays and 2 weeks of being sick, I didn't stay very current during December. So, to get back on track, I thought I'd create this summary, backdate it to December 31 (today is January 2nd, 2007), just so I can share my comments on some of the interesting security happenings during...
  • Blog Post: UAC, an Excellent Description and Discussion by Crispin Cowan

    I was excited when Dr. Crispin Cowan joined the company a while back - what security person wouldn't be! As one of the key drivers behind StackGuard , Linux Security Modules and co-founder of Immunix, which produced AppArmor - few people are as qualified as Dr. Cowan to talk about security features and...
  • Blog Post: February 2007 - Vuln Scorecard

    I just posted my February 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Novell, Sun, and Mac OS X, broken down by server and workstation. I do include the first 3 months of Windows Vista as...