End of July we issued the fourth MSRC progress report showing not only the work we did on the Security Updates but with all the different programs with run out of MSRC as well. I guess this could be interesting for you as well: Microsoft Security Response Center (MSRC) Progress Report
I know that I keep going and going on that. When I talk to customers and mainly to providers of the critical infrastructure about security, one of the key things to me is to keep the software updated. It is about patching and it is about staying on the latest version of your software. To . . . → Read More: Keep all your software updated and current
CORRECTION:So far there is “only” Proof of Concept code in the wild, no real exploit.
In our last update cycle we published the security bulletin MS12-020 Vulnerabilities in Remote Desktop Could Allow Remote Code Execution. Relatively soon after the release, there was a public exploit code available – we informed here: Proof-of-Concept Code available for . . . → Read More: Security Updates and Exploit Code
Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewarehoureCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I will leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along . . . → Read More: 10 Years of Trustworthy Computing at Microsoft
A good paper: NSA – Best Practices for Keeping Your Home Network Secure
A while ago we released the Microsoft Security Update Guide to explain how we release security updates and how you should/could work with our updates. It encompasses these themes:
Get to know the security update release process Learn how to evaluate risk See how to mitigate security risks Understand how quickly you need to apply . . . → Read More: Microsoft Security Update Guide, Second Edition
Our Security Research and Defense team published a blog post, which is really interesting to read to understand how to protect Windows Vista and Windows 7: On the effectiveness of DEP and ASLR.
There is a lot of information on how both raise the bar for attackers. These are the key take away:
DEP and . . . → Read More: On the effectiveness of DEP and ASLR
You might know about Bluehat, which is an internal security conference we run several times an year. Some of the presentations we record and make them publically available. There is a really good one on the Microsoft Security Response Center. Dustin (the presenter) blogged on it Behind the Curtain of Second Tuesdays: Challenges in Software . . . → Read More: Behind the Curtain of Second Tuesdays: Challenges in Software Security Response
As soon as zero-days appear on the Internet, two things happen: Somebody publishes an exploit and somebody else an unoffical patch. How trustworthy are such updates? How should you handle them? It is all about risk management! . . . → Read More: The Risks of Unofficial Patches
This month it is pretty important to read the Security Research and Defense blog post: Assessing the risk of the August security updates
It might help you to get an overview on the biggest release ever