Microsoft Security Blog

The official Microsoft blog for discussing industry and Microsoft security topics.

  • Cyberspace 2025 Student Essay Contest

    Posted by: Kevin Sullivan, Principal Security Strategist, Trustworthy Computing

    When Sam Coxwell submitted his entry to last year’s Microsoft cybersecurity essay contest, he was focused on one thing, winning.  His entry “Cybercrime: Why does it pay, and what can we do about it?” centered on the future of cybersecurity policy research.  It was one of 48 entries we received from students around the world researching the complexities that impact cybersecurity policy.

    Today, we’re kicking off this year’s contest, the Cyberspace 2025 Essay contest.  This year, we want to hear from university students who are conducting original research on how they see the future of cyberspace.  The inspiration for this topic comes from our recently published paper, Cyberspace 2025: Today’s Decisions, Tomorrow’s Terrain, where we consider the impact that such factors as demographics, education, immigration, regulation, technology, collaboration, and even trade will have on the future landscape of cyberspace and cybersecurity. Additionally, the report showed that even in a borderless internet, countries and regions can be on different paths depending on policy choices. If policy makers could see into the future, could it better inform their decision making today?  Microsoft believes that identifying and implementing the right public policies today can significantly impact a country’s or region’s cyberspace tomorrow.

  • Risk Meets Reward: Windows Phone 8.1 Security Overview

    Flying cars, intergalactic travel, and transporters are not the commonplace items in 2014 that were envisioned for the future throughout the twentieth century. Still, when considering the shoe phone from the television series “Get Smart” through to the fairly limited functionality of the Star Trek communicator, mobile phones might be the single best example of technology that has lived up to our science fiction dreams. Not only can we make calls from nearly anywhere, but we now have access at our fingertips to data that enables both productive remote work experiences and, for many people, the ability to fully experience the web with no secondary device. Remote workers can now complete tasks that would previously have required extensive travel or access to an office while sipping a latte at their favorite espresso bar. But with reward comes risk.

  • Industry Vulnerability Disclosures Trending Up

    A vulnerability disclosure, as the term is used in the Microsoft Security Intelligence Report, is the revelation of a software vulnerability to the public at large. Disclosures can come from a variety of sources, including publishers of the affected software, security software vendors, independent security researchers, and even malware creators.

    The vulnerability disclosure data in the Security Intelligence Report is compiled from vulnerability disclosure data that is published in the National Vulnerability Database (NVD). This database is the US government’s repository of standards-based vulnerability management data. The NVD represents all disclosures that have a published Common Vulnerabilities and Exposures (CVE) identifier.

    Industry-wide vulnerability disclosures trending upwards
    Figure 1 illustrates the vulnerability disclosure trend across the entire industry since 2011. Between 2011 and the end of 2013 vulnerability disclosure counts ranged from a low of 1,926 in the second half of 2011 to a high of 2,588 in the first half of 2012; there were more than 4,000 vulnerability disclosures across the entire industry each year during this period. For additional context, the peak period for industry-wide vulnerability disclosures was 2006-2007, when 6,000 to 7,000 vulnerabilities were disclosed each year. Vulnerability disclosures across the industry in the second half of 2013 (2H13) were up 6.5 percent from the first half of the year, and up 12.6 percent from the second half of 2012.

  • Topics from Cybersecurity Bootcamp #1 – Cyber Hygiene

    This past week I was privileged to attend Stanford’s inaugural cybersecurity boot camp, where two dozen congressional staffers joined academic and industry experts to discuss ways to protect the government, the public and industry from cyber threats. For me, it was encouraging to see congressional staff members deeply engaged in security and threat discussions on a range of cybersecurity topics and it was a good reminder of how broad a topic it really is. With that in mind, I thought it...

  • Major Rights Management Update to Office and Azure

    For many of the CISOs I talk to regularly, data leakage prevention continues to be a topic of high interest. Whether using either a cloud service or an on premise solution, there are a number of reasons that it is important to protect the workplace documents you share with others. To date, data protection technologies have become increasingly more complex in order to support the number of devices and platforms that are intended to consume the content. In some cases we have seen organizations forgo these vital controls simply due to a lack of graceful and/or effective solutions.

  • What will cybersecurity look like in 2025?, Part 3: How Microsoft is shaping the future of cybersecurity

    Today’s post concludes our three-part series on Cyberspace 2025: Today’s Decisions, Tomorrow’s Terrain which presented three views of the world and cyberspace in 2025—Plateau, Peak, and Canyon.

    • PEAK – the Peak scenario represents a world of innovation, where information and communications technology (ICT) fulfills its potential to strengthen governance models, economies and societies
    • PLATEAU – the Plateau scenario is a “status quo” world, in which political, economic and societal forces can both bolster and hinder technological progress
    • CANYON – the Canyon scenario is a metaphor for an isolated world, characterized by unclear, ineffective government policies and standards, rooted in protectionist stances

    Microsoft is optimistic about the future of cybersecurity.  We believe that public and private sector leaders working together can chart a course that enhances the security, privacy, and reliability of cyberspace in 2025 and expands ICT opportunity for economies in all stages of development.  That’s why we support legislation that facilitates the free flow of information, builds trust, and encourages innovation. Because data increasingly flows across geopolitical borders, the company favors greater standardization and better worldwide alignment of privacy regulations, policies, and standards.

  • What will cybersecurity look like in 2025?, Part 2: Microsoft envisions an optimistic future

    The future of cybersecurity will be influenced by more than just technical factors like the spread of malware, or even targeted cyber-attacks.  Global responses to social issues such as population growth, educational investments, or even trade liberalization will also play a significant role. 

    Continuing our series examining what cybersecurity will look like in the year 2025, let’s look at how the technology and social policy decisions addressing important issues will influence three scenarios we believe could emerge in the next 10 years: Peak, Plateau, and Canyon.  Each of these is demonstrated in our report, Cyberspace 2025: Today’s Decisions, Tomorrow’s Terrain.

    According to the report, growth will likely have the biggest impact on cybersecurity.  Growth means more people, more devices, more connectivity, and more data.  India, for example, will experience growth of more than 3,000 percent in its total number of broadband subscriptions, from about 20 million in 2012 to more than 700 million. In contrast, during the same period, the entire European Union (28 countries/regions) will add only 105 million new broadband subscriptions, from nearly 143 million in 2012 to 248 million in 2025.

  • IE increases protections, implements “out-of-date ActiveX control blocking”

    Last week, Internet Explorer announced important changes it will be making to better protect customers from cybercriminal attacks.  Beginning on September 9, Internet Explorer will block out-of-date ActiveX controls, such as older versions of the Oracle Java Runtime Environment (JRE) as part of the August 2014 release of MS14-051 Cumulative Security Update for Internet Explorer (2976627).  ActiveX controls are small programs, sometimes called add-ons, that are used by web sites to serve up content, like videos and games, and let you interact with content like toolbars.  While ActiveX controls have become increasingly popular over time, many of these applications are neglected or left unpatched for long periods of time, potentially leaving people exposed and vulnerable to attack from cybercriminals.  This is because many ActiveX controls that exist today are not automatically updated.

  • What will cybersecurity look like in 2025?, Part 1: The catalysts that will shape the future

    Cybersecurity challenges are emerging not just from the commonly recognized sources – criminals, malware, or even targeted cyber-attacks – they can grow from public policies as well. 

    A research report we released last month, Cyberspace 2025: Today’s Decisions, Tomorrow’s Terrain, seeks to look over the horizon and beyond technical trends to anticipate future catalysts for change as well as equip policy makers for tomorrow’s digital landscape.

  • Now Available: Enhanced Mitigation Experience Toolkit (EMET) 5.0

    Today we are pleased to announce the general availability of our Enhanced Mitigation Experience Toolkit (EMET) 5.0.  It has been almost five years since we released the first version of the tool and so much has changed since then.  Thanks to the overwhelming support, feedback and demand from our community, the tool has evolved quite a bit and now includes a number of new mitigations, expanded compatibility, user-friendly UI, additional reporting capabilities, customer support through Microsoft Premier Support Services and more.