The Microsoft Malware Protection Center recently published their third Security Intelligence Report. The front page of the report says
An in-depth perspective on software vulnerabilities and exploits, malicious code threats, and potentially unwanted software, focusing on the first half of 2007
Inside it continues:
This report provides an in-depth perspective on software vulnerabilities (both in Microsoft software and third-party software), software exploits (for which there is a related MSRC bulletin), malicious software, and potentially unwanted software. The lists below summarize the key points from each section of the report...
The number of disclosures of new software vulnerabilities across the industry continues to be in the thousands...
Contrast that proper use of the word vulnerabilities in those excerpts with the incorrect use of the word threat in the quotes I noted in Someone Please Explain Threats to Microsoft:
As you go about filling in the threat model threat list, it’s important to consider the consequences of entering threats and mitigations. While it can be easy to find threats, it is important to realize that all threats have real-world consequences for the development team...
When we’re threat modeling, we should ensure that we’ve identified as many of the potential threats as possible (even if you think they’re trivial). At a minimum, the threats we list that we chose to ignore will remain in the document to provide guidance for the future.
In that excerpt, all uses of the word threat should be replaced with the word vulnerability, with possible exception of the term "threat modeling." In reality it should be "attack modeling," but in all other cases Microsoft is clearly talking about discovering holes/flaws/problems in their software, i.e., vulnerabilities.
So, it seems that the people who have the big security picture -- those who write the Microsoft Security Intelligence Reports -- know the difference between a threat and a vulnerability. The developers who focus on Microsoft's software -- those exercising the Microsoft Security Development Lifecycle -- are using "threat" when they should be saying "vulnerability."
It would be good for the SIR people to talk to the SDLC people. Without that coordination Microsoft's developers will continue to view the security problem incorrectly, and by extension, so will the customers who look to Microsoft for intellectual guidance.
On a related note, I was happy to see the latest SIR available as a .pdf.