New Firefox versions will warn you when your Flash plugin is out of date.
This is a cool idea and will help users who are not aware of the need to update software like Flash and Acrobat Reader. I can also see this as the beginning of a trend to centralize the updating of all the crap we [...]
For those who are addicted to vulnerability information feeds, you are probably already aware of the XML Libraries data parsing vulnerabilities. This is the kind of vulnerability that creeps me out. When you've got vulnerabilities related to easily identifiable software, like "Windows 2008", "Firefox 3.5" or "Java Runtime Environment 6", it is easy to [...]
I was reading this post from Richard Bejtlich today and I found this quote from the Verizon Security Blog:
“With the exception of new customers who have engaged our Incident Response team specifically in response to a Conficker infection, Verizon Business customers have reported only isolated or anecdotal Conficker infections with little or no broad impact [...]
Hoff posted some nice comments on Azure's failure regarding patching the infrastructure used by cloud services. An interesting conclusion about it is that future patching mechanisms will have to be integrated with VMotion-like features, in a way that when you apply an OS patch to the infrastructure it can dynamically deal with that without [...]
I like the spin that Pete Lindstrom gives to some classical security discussions, but I think he is completely missing the point here:
“If finding vulnerabilities makes software more secure, why do we assert that software with the highest vulnerability count is less secure (than, e.g., a competitor)?”
If we agree with him we could also say [...]
I have been away from the blog for a while for a number of reasons, but I couldn't avoid commenting on this recently published advisory from Microsoft, MS08-067. Like some worms we witnessed in the past, this one is related to a core Windows service, meaning that almost all boxes are vulnerable. [...]
This is what Chris Hoff calls the fact that vulnerability researchers don't spend time looking for holes in commercial (and expensive) software products, like virtualization platforms.
I think we have been living with this for a long time. I can mention mainframe software (even without buying hardware, researchers could run it on emulators like Hercules), ERP [...]
A few years ago, it would have been impossible to imagine something like what Dan Kaminsky has done with the recently uncovered DNS cache poisoning vulnerability. Although the technical details of the issue are still not public (and are probably "wicked cool", 3117, etc.), the most impressive fact of the whole story is that there was [...]
This study from Jeff Jones' blog shows why the Server Core feature of Windows Server 2008 was so anticipated by security professionals. We can see a 40% reduction in the vulnerability numbers for a server running Windows if it were using something like Server Core. My main concern now is whether software providers will enable [...]
Jeff Jones has just published some pretty interesting vulnerability numbers from Q1 2008.
Ok, I know that the source is Microsoft, but the numbers and their meanings are very well documented, in my opinion. I'm one of the believers that these numbers show the results of the impressive security initiative from Microsoft. It's also good to [...]