Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

Browse by Tags

  • Blog Post: JeffOS EAL4+ Secure System

    (read my background article first) JeffOS gets EAL4+ certification... not really. Primarily because I haven't created JeffOS. But hey, I'm thinking about it, so stay with me while I think about what configuration of JeffOS I should submit for evaluation. What? Does the evaluated configuration make...
  • Blog Post: 2006 January through September Vulnerability Trends

    This post is part of a multi-part Q3 2006 Vulnerability Report. Here are links to all of the sections, in case you want to read the others: 2006 January through September Vulnerability Trends (you are here) Windows vs Linux Workstation Comparison Windows vs Linux Server Comparison (TBD real...
  • Blog Post: Windows vs Linux (Red Hat) - Server - 1st Half 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: Apples, Oranges and Vulnerability Metrics

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: March 2007 - Vuln Scorecard

    I just posted my March 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Novell, Sun, and Mac OS X, broken down by server and workstation. Here is the workstation chart: I plan to update this...
  • Blog Post: How New is Your OS Platform ?

    I was giving a talk last week covering some of the x86 vulnerability analysis that I do and I got a surprising (to me) comment: You are showing Red Hat 3 numbers - why are you intentionally comparing Windows to such an old version ? This sort of surprised (and puzzled me), but in some sense...
  • Blog Post: Linus’s Law aka "Many Eyes Make All Bugs Shallow"

    How many of you have heard “many eyes make all bugs shallow”? My guess is that many of you have and that it may have been in conjunction with an argument supporting why Linux and Open Source products have better security. For example, Red Hat publishes a document at www.redhat.com/whitepapers/services...
  • Blog Post: Red Hat Launches 11 RHEL5 Security Advisories

    Dual standards at work again. When the first vulnerability was announced in Windows Vista a month after release, it was big news. 11 security advisories, including 3 Critical ones, on the day of launch? Apparently no big deal for Red Hat ... read more detail
  • Blog Post: Windows vs Linux - Workstation Comparison - Q3 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: Red Hat and Windows - Defining an Apples-to-Apples Workstation Build

    Why Red Hat? As folks know who read my blog know, I normally utilize Red Hat as a proxy for Linux Distributions when analyzing Windows vs Linux for security and vulnerabilities. Some object to this ( Red Hat is Not Linux ), but it would be hard to select another alternative because: Red Hat...
  • Blog Post: Exposed? : Examining Secunia Unpatched Warnings - Part 1

    Security, perception, reality. What security professional hasn't struggled with the gaps between those three things? Is there anything worse for security than a false sense of security? Even my short-term readers probably realize that this is a recurring theme for me - digging into perceptions and misperceptions...
  • Blog Post: Ubuntu 6.06 LTS (Dapper Drake) - 90 Day Security Vulnerability Scorecard

    Based upon Debian, Ubuntu has cool release names like "Warty Warthog", "Hoary Hedgehog", "Breezy Badger" and "Dapper Drake" and is certainly the current fair haired Linux. Warty Warhog, aka Ubuntu 4.10, was the first release in October 2004. Dapper Drake, released on June 1 of this year added Ubuntu...
  • Blog Post: Novell Removes /truth and Security from Linux Site

    Provocative, but technically true. You may or may not recall that Novell published www.novell.com/linux/truth in response to Microsoft's www.microsoft.com/getthefacts site. I browsed out there yesterday to see the current truth for myself and was redirected to http://www.novell.com/whynovell/ . You can...
  • Blog Post: Windows 98 - the End is Nigh and a Look Back

    What OS were you using in 1998? Windows 98? Red Hat 5.1? Something else? The MSRC blog recently re-iterated the upcoming end of life for Windows 98 , Window 98SE and Windows ME, indicating that there will be no support after the July 11th patch Tuesday. (There’s more detail about this and other Support...
  • Blog Post: Windows vs Linux (Red Hat) - Workstation - 1st Half 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: On Disingenuous Analysis and Transparency

    So, I am perusing security blogs this weekend and I read this interesting entry by Mark Cox of Red Hat about transparency where he says "...the Microsoft PR engine has been churning out disingenuous articles and doing demonstrations based on vulnerability count comparisons." In general, I think...
  • Blog Post: January 2007 - Vuln Scorecard

    I just posted my January 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Sun, and Mac OS X, broken down by server and workstation. I do include the first 2 months of Windows Vista as well, which...
  • Blog Post: Q1 2008 - Client OS Vulnerability Scorecard

    This paper is a compilation of vulnerability data for client operating systems for the first 3 month, January through March, of 2008. Vulnerabilities and fixes for the following products are discussed: Microsoft Windows Vista Microsoft Windows XP SP2 Red Hat Enterprise Linux Desktop (v. 5 client) Red...
  • Blog Post: Common Objections - Comparing Linux Distros with Windows

    Once again, my effort to explore common misperceptions (more recently exploring unpatched statistics ) has brought out some of the common objections from those that don't necessarily like the results. Very rarely do I get comments that can find a substantive problem with the analysis - instead the arguments...
  • Blog Post: Workload Vulnerability Index

    In the recent Risk Report: A Year of Red Hat Enterprise Linux 4 in Red Hat Magazine, Mark Cox defined an interesting new security metric, the Workload Vulnerability Index, that provides a weighted measure of the impact that ongoing security vulnerabilities have to those doing patching. Here is how the...
  • Blog Post: Artima: Microsoft Under Attack

    A new article called Microsoft Under Attack summarizes itself by saying: Not by angry customers suing for damages after security breaches, or by governments breaking up monopolies, but by open source developers and security professionals accusing them of being obsessed by security. The content...
  • Blog Post: Background and Overview for Days-of-Risk

    I just published a Basic Guide to Days of Risk over on my CSO Magazine Blog , in preparation for a new quarterly days-of-risk study I'm going to start publishing. If you don't have a good understanding of the days-of-risk metrics, the post will give you the background on the metric and reference several...
  • Blog Post: February 2007 - Vuln Scorecard

    I just posted my February 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Novell, Sun, and Mac OS X, broken down by server and workstation. I do include the first 3 months of Windows Vista as...
  • Blog Post: Download: Internet Explorer and Firefox Vulnerability Analysis

    Summary: For most people, their web browser is central to their interaction with the Internet, connecting to global web sites and helping them consume online services providing everything from booking flights to banking services to online shopping. This reality makes browsers a key tool when evaluating...
  • Blog Post: Trend Micro CTO hints that Trend will Open Source Code

    In a stunning revelation in Trend Micro: Open source is more secure , Trend CTO Raimund Genes hints that Trend may release their code as an open source project! Though Genes stopped short of actually saying that Trend would be releasing their code and joining the Free Software movement, there are...