Vulnerabilities, that is. It has been about a year now since SQL Server 2005, so I thought this would be a good time to review how it has done security-wise. The latest SQL Server product from Microsoft has had zero vulnerabilities disclosed or fixed in its first year of availability. First, I want to applaud the SQL team as one that really embraced the Security Development Lifecycle (SDL), and, as a result, SQL 2005 went through two passes of the SDL. SQL 2000 SP3 went through a "mini SDL" process...

I've gotten quite a few questions about what this partnership means, but I think the best response is to point people to Bill Hilf on Port25 . Bill is the GM for platform strategy and the original guy who got the Linux/OSS interoperability lab started at Microsoft and the person who I would expect to be the most informed concerning key aspects of the Novell agreement. At the end of the day, this type of agreement isn't going to make me a fan of Novell SUSE security any more than...

And by "unbreakable", of course, they mean that if you drop the shrinkwrap box on the floor, the CDs won't break because it's really well padded. At least, that's what I think it means, because I don't see how anybody could think it means unbreakable security. I think I kind of feel sorry for Mary Ann Davidson, who had been distancing herself from the previous "unbreakable" campaign in more recent articles with quotes like: And Oracle no longer talks about its products as unbreakable. Earlier...

Jim Allchin posted up a public letter that clears up any possible confusion on what API changes will or will not be in the initial version of Windows Vista. It isn't that long, so read it yourself here: http://www.microsoft.com/security/windowsvista/allchin.mspx For those that simply won't click through , here are the key bits: Here is what we are doing to maintain the integrity and security of 64-bit Windows, while still addressing the needs of our security partners: • Contrary to...

UPDATE: It turns out that the Global Director of SophosLabs is Mark Harris , an old colleague from our days at McAfee. I've asked Mark if I could interview him on the blog here to get some details about their HIPS solution, so stay tuned! Sophos issued a press release today that I want to highlight for you. Here's the bit I have the most admiration for: "Symantec and McAfee may be struggling with HIPS because they haven't coded their solutions with high-spec Vista in mind," said Richard...

Over the past month or so, I have been amazed by the amount of speculation, strong assertions and outright misinformation that has been printed with respect to Kernel Patch Protection and the offical Application Programming Interfaces (APIs) into the kernel. Thankfully, Jim Allchin respond to this directly and clarified . IMO, the lead messaging on this was driven by Symantec (e.g. Windows Vista Kernel Mode Security and the messaging that Symantec released with it.) For example, from this Symantec...

Technorati Profile

This post is dedicated to n00dles , for daring to ask for even more detail ;-) and should be considered as an addendum to Windows vs Linux - Workstation Comparison - Q3 2006 . Same caveats apply: NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I...

NOTE: I am not asserting that my vulnerability analysis demonstrates that Windows is more secure. Rather, I frequently hear and read Linux advocates making unsupported assertions to the opposite that Linux is inherently more secure than Windows. The "unsupported" part of that bothers me, so I check for myself. What I keep finding is that Linux distributions have more vulnerabilities, more serious vulnerabilities and the data does not support the assertions of security superiority for Linux and Open...

This post is part of a multi-part Q3 2006 Vulnerability Report. Here are links to all of the sections, in case you want to read the others: 2006 January through September Vulnerability Trends (you are here) Windows vs Linux Workstation Comparison Windows vs Linux Server Comparison (TBD real soon now) In my studies of vulnerabilities, I have compiled a large database of information covering vulnerabilities identified at http://cve.mitre.org and http://nvd.nist.gov that includes, among...