Windows Vista shipped to business customers on the last day of November 2006, so the end of November 2007 marks the one year anniversary for supported production use of the product. This paper analyzes the vulnerability disclosures and security updates for the first year of Windows Vista and looks at it in the context of its predecessor, Windows XP, along with other modern workstation operating systems Red Hat, Ubuntu and Apple products. The results of the analysis show that Windows Vista has an...

This paper is a compilation of vulnerability data for client operating systems for the first 3 month, January through March, of 2008. Vulnerabilities and fixes for the following products are discussed: Microsoft Windows Vista Microsoft Windows XP SP2 Red Hat Enterprise Linux Desktop (v. 5 client) Red Hat Enterprise Linux WS (V. 4) Ubuntu 6.06 LTS Desktop Apple Mac OS X 10.5 (Leopard) Apple Mac OS X 10.4 (Tiger) For January through March of 2008, Mac OS X users experienced the highest number of vulnerabilities...

Mozilla bills Firefox as the most secure Web browser on the planet, but is it really? Follow along with this series and see if the claims hold up to close scrutiny. Today, I started a multi-part article series on cio.com (Security landing page: http://www.cio.com/topic/1419/Security ) probing Mozilla’s claims of security superiority. My plan is to post up a new article every few days probing aspects of claims they’ve made either on the Firefox security page or in some other public forum. As...

So, this afternoon, I'm in the Microsoft booth at Black Hat when this guy comes up (badge hidden of course) and starts talking to some of my colleagues. Right away, it was pretty obvious that he was antagonistic. I will refer to him as "h8er" from here on out. Though I am paraphrasing a bit, this is based upon a true story. It gave me a chuckle, so I thought I'd share. h8er: So, how does it feel to work for a company that has made so many bad security decisions. MSFT guy: Well, I feel lucky to be...

Summary: For most people, their web browser is central to their interaction with the Internet, connecting to global web sites and helping them consume online services providing everything from booking flights to banking services to online shopping. This reality makes browsers a key tool when evaluating the security experience of users as the browser interprets Web content and programs delivered from around the world. Over the past few years, there has been much discussion of the need for improvements...

Summer and work travel have really had an impact and I've missed a couple of months of scorecards, so last weekend, I decided to dig in and catch up to July. I hit a few road bumps: Sun changed their Security Alerts web site, making it a bit more challenging. I gave up for now, but will try to add them back with subsequent scorecards. Novell, in a similar but different move, created a new psdb page for their version Enterprise Linux v10 SP1 products. At first, I thought they had not released any...

Continuing the Interactive Timeline series outlining some of the seminal events that have occurred over the last decade, this post looks at more of the key events that shaped the early Millennium, helping to create the perfect storm.  Rise of Malicious Software In 1991, about 1,000 computer viruses existed worldwide. Malicious software became known to many computer users through the widespread infections caused by the email-based Melissa (1999) and ILOVEYOU (2000) viruses. By 2001, there were...

This post continue my analysis of industry vulnerability disclosures started in part 4 last week and is part of an ongoing series of posts based upon Tim Rains and my recent special edition Microsoft Security Intelligence Report (SIR) called “ The evolution of malware and the threat landscape – a ten year review, ” which we presented in a breakout session earlier this month at RSA Conference 2012. In the first three parts of this series ( part 1 , part 2 , part 3 ), Tim Rains explored some of the...

Today I was looking at some of the various vendor security and advisory sites and I noticed at the top of the Ubuntu site:  For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker . I had not seen the Ubuntu CVE Tracker before, so I checked out, very interested because of the fact that certain sites continue to assert and report that some Linux distributions do not have any Unpatched issues.  For example, take a look at the page Vulnerability Report: Ubuntu...

UPDATE: The story that originally got my attention has been updated in all of the places I could still find it yesterday, so I'm pulling my references to the story and just focusing on the positive story of SQL Security improvement. Jeff Last week a web-based news story comes to my attention which asserted that last year SQL Server had "... most vulnerabilities last year of any commercial database..." That prompted me to do some fact checking and I thought it worth documenting the real (really good...