Apple Inc.'s Safari is the juiciest target in the upcoming PWN2OWN hacking contest, last year's winner predicted today. "It's an easy target," said Charlie Miller, the vulnerability researcher who last year walked off with a $10,000 cash prize for breaking into an Apple laptop just a few minutes into the contest. PWNOWN is slated for its third appearance at the CanSecWest security conference later this month in Vancouver, British Columbia. "It might be because I'm biased about the...

I’ve been busy doing analysis for the next article in my cio.com Firefox series of articles, looking at vulnerability disclosures during 2007 and 2008 and I stumbled upon a little factoid that I had not previously noticed – no single version of Firefox was available for the full year of 2008. In retrospect, I should have known this would happen, given the Mozilla policy of supporting the predecessor version for 6 months after a new release. Here is what the timeline looks like:   In my interactions...

Summaries from previous months: Jan09 Security Bulletin SDL Benefit Summary When I do analysis and reports on Microsoft products, I typically look for where the Security Development Lifecycle (SDL) has helped to provide improvement and provide some stats on that.  This year, I decided to try and do this monthly to make it easier for me that when I do it all at once. This report is my attempt to capture and share that information.  I hope you find it useful. February Summary First, here...

I love it when a good, real-life example falls right into your lap. As you know from my recent posts, I’ve been doing a series of articles probing Mozilla and Firefox security claims.  I think I’ve been pretty open about why, but I always seem to get pushback around the idea that there might be some false perceptions out there that I want to push back on. Well, yesterday, Ed Burnette posted a blog entry on his ZDnet blog titled Firefox 3.0.6 fixes 69 bugs, some critical .  This is of course...

[DISCLOSURE for those who don’t read about boxes: I work for Microsoft.] I admit that I enjoy discussing issues and digging into claims to see if I can find fractures or flaws in logic. When I ran product management teams for companies in previous roles, I would always review our draft product glossies and papers and generate a lot of red ink, providing feedback like “we can’t make this claim, we have no evidence to support it.” There are some countries where that is a particular concern (though...

I am a couple of articles into my series: Can Mozilla Support Claims of Firefox Being the Most Secure Web Browser? , and Can Mozilla Support Claims of Firefox Being the Most Secure Web Browser? (Part 2) In part 2, I probed Mozilla’s usage of an ‘at risk’ chart to claim that their customers were only exposed to unpatched vulnerabilities for nine days in 2006. With some quick research, I came up with enough vulnerabilities to show that Firefox users were vulnerable to unpatched security...

Mozilla bills Firefox as the most secure Web browser on the planet, but is it really? Follow along with this series and see if the claims hold up to close scrutiny. Today, I started a multi-part article series on cio.com (Security landing page: http://www.cio.com/topic/1419/Security ) probing Mozilla’s claims of security superiority. My plan is to post up a new article every few days probing aspects of claims they’ve made either on the Firefox security page or in some other public forum. As...

I thought I had posted this link in the past, but it turns out I did not, so ... Last summer (2007), one of my papers was published in IEEE Security & Privacy, which describes a method for estimating the number of disclosed but unfixed vulnerabilities in some version of software utilizing publicly available data. The citation reference is: Jeffrey R. Jones, "Estimating Software Vulnerabilities," IEEE Security & Privacy , vol. 5, no. 4, 2007, pp. 28-32. IEEE kindly made the paper...

So, near the end of last week, I fired up my Xbox and downloaded the new “experience” – a massive update to the UI, which includes avatars. Lots of cool new stuff, but when I checked out my friend’s avatars, now that was really cool. This *is* stepto . ;-) If you know him, then no further explanation is necessary. If you don’t, check out the picture on his blog header…

With the recent release of v5 of the Security Intelligence Report, I decided to produce a couple of webcast videos where I present my findings to you directly in a brief presentation. In this second one, I go over the vulnerability disclosure trends for vulnerabilities affecting Microsoft products. 1H08 Vulnerability Trends - Part 2 - Microsoft To see all of my videos on http://edge.technet.com , click here ( http://edge.technet.com/Tags/SecurityGuy/ ). Best regards, Jeff