Address Space Layout Randomization (ASLR) in Windows Vista Beta2?

UPDATE: Mike Howard has posted to his blog, confirming David and providing details on the Vista ASLR features. So, a couple of weeks ago, Jesper Johansson wrote how the Windows Firewall was one of his favorite security features in Windows Vista. My favorite security enhancements tend to be architectural security improvements. I recall the...

Windows Vista Beta2 Security Paper 

Was reading Dana Epp’s blog and found a reference to a new Microsoft paper called Microsoft® Windows Vista™ Security Advancements. Good overview of most security enhancements in Beta2. The funny part of this story is that Dana noticed the paper while reading Mike’s blog, which I hadn’t read yet today. I hadn’t read this paper yet, so...

Novell Removes /truth and Security from Linux Site 

Provocative, but technically true. You may or may not recall that Novell published in response to Microsoft’s site. I browsed out there yesterday to see the current truth for myself and was redirected to You can still look at the Google cache of the /truth site by using the search terms “ inurl:truth” and...

JeffOS EAL4+ Secure System 

(Read my background article first.) JeffOS gets EAL4+ certification… not really. Primarily because I haven’t created JeffOS. But hey, I’m thinking about it, so stay with me while I think about what configuration of JeffOS I should submit for evaluation. What? Does the evaluated configuration make a difference? IF JeffOS is evaluated EAL4+, doesn’t that...

Coverity Confused Claims Cause Consternation and Confusion 

Okay, maybe it only causes me consternation, but this is exactly the sort of thing that raises my temperature. With the academic background of Coverity’s founders, one should expect a certain amount of rigor and care when it comes to analysis and conclusions, but I find myself disappointed. Jeff, you say, what are you talking...

Workload Vulnerability Index 

In the recent Risk Report: A Year of Red Hat Enterprise Linux 4 in Red Hat Magazine, Mark Cox defined an interesting new security metric, the Workload Vulnerability Index, that provides a weighted measure of the impact that ongoing security vulnerabilities have on those doing patching. Here is how the report defines it: This vulnerability...

Washington Post – A Time to Patch III: Apple 

You’ve probably already read Brian Krebs’ article A Time to Patch III: Apple, but if you haven’t, I encourage you to read it and the various responses he received. The responses run the gamut of Linux advocates (“You do understand that Mac OS X is not a version of Linux, and is not...

On Disingenuous Analysis and Transparency 

So, I am perusing security blogs this weekend and I read this interesting entry by Mark Cox of Red Hat about transparency, where he says “…the Microsoft PR engine has been churning out disingenuous articles and doing demonstrations based on vulnerability count comparisons.” In general, I think Mark’s a good guy with a hard job,...

Book: Security Development Lifecycle 

For those of you who haven’t seen it yet, Mike Howard and Steve Lipner have published a new book, The Security Development Lifecycle. Read about it on Mike’s blog. Should help more folks “Think Security.” ~ Jeff...