Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

Browse by Tags

  • Blog Post: Windows Vista : Threat-driven Design combined with Security Quality Process

    What is the difference between foundational security and security features? Name 3 security companies. Who did you name? Symantec? Checkpoint? RSA? ISS? These companies all offer products that provide security features or capabilities. What if Microsoft had no firewall? What if we had no PKI and...
  • Blog Post: 2006 January through September Vulnerability Trends

    This post is part of a multi-part Q3 2006 Vulnerability Report. Here are links to all of the sections, in case you want to read the others: 2006 January through September Vulnerability Trends (you are here) Windows vs Linux Workstation Comparison Windows vs Linux Server Comparison (TBD real...
  • Blog Post: Trustworthy Computing: Learning About Threats for Over 10 Years - Part 6

    In this series of articles, we have been looking at some of the ways that the threat landscape has evolved over the past decade. In this final article in the series I discuss software servicing, or the art and science of effectively and efficiently keeping software up to date. What File Versions are...
  • Blog Post: Windows Vista x64 Security – Pt 2 – Patchguard

    NOTE: I know this is a long post. If you don’t want to read all the details I discuss here, I still encourage you to go read What Were They Thinking? Anti-Virus Software Gone Wrong, by Skywing, to give you a perspective on “known good” extensions to kernels. Also, as always, this blog post represents...
  • Blog Post: Windows Vista Beta2 Security Paper

    Was reading Dana Epp's blog and found reference to a new Microsoft paper called Microsoft ® Windows Vista™ Security Advancements. Good overview of most security enhancements in Beta2. The funny part of this story is that Dana noticed the paper while reading Mike's blog, which I hadn't read yet today...
  • Blog Post: The Value of UAC in Windows Vista

    Last week at the RSA conference, I had the excellent opportunity to talk to a lot of people about security (in general) as well as about security enhancements in Windows Vista. One of the interesting discussions I had centered around UAC and its security value. I *think* the conversation started when...
  • Blog Post: Windows vs Linux (Red Hat) - Server - 1st Half 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: Apples, Oranges and Vulnerability Metrics

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: March 2007 - Vuln Scorecard

    I just posted my March 2007 - Operating System Vulnerability Scorecard over on CSOOnline, which includes charts comparing the vulnerabilities in Windows, Red Hat Linux, Ubuntu, Novell, Sun, and Mac OS X, broken down by server and workstation. Here is the workstation chart: I plan to update this...
  • Blog Post: What You Should Know About Drive-By Download Attacks - Part 1

    My last blog post focused on Java exploits and the need to keep all software up to date. Since writing that article I have received some questions from customers asking for more details on how attackers are using such vulnerabilities to compromise systems. Subsequently, this two-part blog post is dedicated...
  • Blog Post: How New is Your OS Platform?

    I was giving a talk last week covering some of the x86 vulnerability analysis that I do and I got a surprising (to me) comment: You are showing Red Hat 3 numbers - why are you intentionally comparing Windows to such an old version? This sort of surprised (and puzzled) me, but in some sense...
  • Blog Post: Real Life Protection! IE7 on Vista

    Happy day, if you get this dialog box: This screenshot comes from Zdnet article Vista passes one security test that points out some of the benefits of the multiple levels of security in IE7 and Windows Vista, with respect to the zero day issue warned about in and Microsoft Security Advisory and...
  • Blog Post: The Goodness of IE Enhanced Security Configuration

    Way back before IE7 with "low rights IE" and its other improvements, Microsoft shipped IE6 for Windows Server 2003 in Enhanced Security Configuration. We're now getting ready for Windows Vista and Longhorn Server is on the horizon as well and I decided to look at how much the Enhanced Security Configuration...
  • Blog Post: Linus’s Law aka "Many Eyes Make All Bugs Shallow"

    How many of you have heard “many eyes make all bugs shallow”? My guess is that many of you have and that it may have been in conjunction with an argument supporting why Linux and Open Source products have better security. For example, Red Hat publishes a document at www.redhat.com/whitepapers/services...
  • Blog Post: Huh? Is that a "Yes" or a "No", Mr. Symantec CEO?

    With such an eye-catching headline of Symantec CEO says no Vista for me, how could I not read it? My hat is off to you Joris, for having the most popular security story of the day! WARNING: This post is chock-full of exaggerated incredulity and hyperbole! (Though not necessarily as much as most recent...
  • Blog Post: Windows vs Linux - Workstation Comparison - Q3 2006

    NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for...
  • Blog Post: Download: Server Core Potential Security Benefit

    With Windows Server 2008, the Microsoft Windows Server team introduced a new installation option – Server Core. Server Core is a “minimal install” option of Windows Server that excludes much of the GUI and many applications – such as Internet Explorer and Windows Media Player – that would be present...
  • Blog Post: Red Hat and Windows - Defining an Apples-to-Apples Workstation Build

    Why Red Hat? As folks who read my blog know, I normally utilize Red Hat as a proxy for Linux Distributions when analyzing Windows vs Linux for security and vulnerabilities. Some object to this (Red Hat is Not Linux), but it would be hard to select another alternative because: Red Hat...
  • Blog Post: Exposed? : Examining Secunia Unpatched Warnings - Part 1

    Security, perception, reality. What security professional hasn't struggled with the gaps between those three things? Is there anything worse for security than a false sense of security? Even my short-term readers probably realize that this is a recurring theme for me - digging into perceptions and misperceptions...
  • Blog Post: Interview with Patchguard Architect Forrest Foltz (Windows Vista x64 Security - Patchguard follow up)

    Here I am doing my thing, looking at some of the security improvements in Windows Vista x64 (see pt1 and pt2), when all of a sudden, Patchguard seems to be hot news. [NOTE: Readers, if you need more details on Patchguard, start with my previous post Windows Vista x64 Security – Pt 2 – Patchguard...
  • Blog Post: CNET, Experts and Windows Vista Security

    UPDATE: Corrected my math problem, based upon astute reader feedback (he says sheepishly) Reading online news this morning, I came across the CNET headline: Experts: Don't buy Vista for the security. Wondering what the experts were saying, I clicked and read the article and once again I got a good...
  • Blog Post: Building My Windows Vista Media Center (VMC) - Part 2 - The Tuner

    You can read the first part of this blog series at Building My Windows Vista Media Center - Part 1 - The System, where I talk about what hardware and software I selected for my home Vista Media Center, which I will refer to as VMC from now on. This entry is primarily about my selection of tuner for...
  • Blog Post: Windows Vista vs Windows XP SP2 Vulnerability Report 2007

    In the wake of my Windows Vista One Year Vulnerability Report, I have received many questions regarding the current vulnerability record of Windows Vista as compared with Windows XP SP2. This short paper is a compilation of vulnerability data for Microsoft Windows Vista and Microsoft Windows XP SP2...
  • Blog Post: The Threat Landscape in India – More Active Than First Thought

    The threat landscape in India has turned out to be more active than initially suspected. India has had a relatively low malware infection rate for some time, which seemed subdued for a region that has such a large high tech industry. But with the new data we recently released in the latest Microsoft...
  • Blog Post: Windows 98 - the End is Nigh and a Look Back

    What OS were you using in 1998? Windows 98? Red Hat 5.1? Something else? The MSRC blog recently re-iterated the upcoming end of life for Windows 98, Windows 98SE and Windows ME, indicating that there will be no support after the July 11th patch Tuesday. (There’s more detail about this and other Support...