Another Low Blow From Microsoft: MBSA Failure!

dotsecure_at_hushmail.com
Date: 02/10/04

  • Next message: Marc Maiffret: "[Full-Disclosure] EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption" 
    Date: Tue, 10 Feb 2004 10:21:14 -0800
To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com, patchmanagement@listserv.patchmanagement.org

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Another Low Blow from Microsoft.

    Within the last few weeks at our company we have been doing testing to
    find out total number of patched machines we have against the latest
    Messenger Service Vulnerability. After checking few thousand computers
    we have found several hundred were still affected even though patch has
    been applied. We have scanned with Retina, Foundstone and Qualys tools
    which they all showed as “VULNERABLE”, however when we scanned with Microsoft
    Base Security Analyzer it showed as “NOT VULNERABLE”. This was at first
    confusing; one would think an assessment tool released by the original
    vendor would actually be accurate. On the flipside it really didn’t make
    sense to us why would three different commercial scanners show as vulnerable
    if they are truly patched. So we decided to do the ultimate test. We
    ran messenger service exploit against the machines that MS Base Analyzer
    showed as “Not Vulnerable” and 3rd party vulnerability scanners that
    showed as “Vulnerable”. Results were as expected, machines were exploited
    and Microsoft Base Analyzer failed to detect the vulnerable machines
    properly.

    We have concluded that, although the patch was installed on these machines,
     the patch management script failed to reboot those few hundred systems,
     therefore these machines were vulnerable until the next successful reboot.
    After a successful reboot all 3rd party tools showed the machines as
    not vulnerable and the exploit tool did not successfully exploit the
    machines. 3rd Party tool assessments were accurate the machines were
    truly vulnerable prior reboot.

    Had we trusted Microsoft Base Analyzer we would still be vulnerable.

    To prove this, I have captured screen shots and converted them in pdf
    format for your viewing pleasure. The screenshots shows exact same scan
    conducted with Foundstone tool and MBSA.

    Screenshots: http://www.elusiveworld.com/scanshots.pdf

    I would love to see if there are any more like us out there who encountered
    this problem. If you had similar problems our recommendation to you do
    not fully depend on MBSA, since the tool is just as buggy as the company
    itself.

    Questions comments email me at dotsecure@hushamail.com
    or Aim: Evilkind.

    -----BEGIN PGP SIGNATURE-----
    Note: This signature can be verified at https://www.hushtools.com/verify
    Version: Hush 2.3

    wkYEARECAAYFAkApIjwACgkQHxPzbxnt5HTNtQCfd6xpi2VasnZ33/6saPNfqyMgukMA
    nj85QSec1HrAe9aYeSMHiOqcI1Zk
    =ORo8
    -----END PGP SIGNATURE-----

    Concerned about your privacy? Follow this link to get
    FREE encrypted email: https://www.hushmail.com/?l=2

    Free, ultra-private instant messaging with Hush Messenger
    https://www.hushmail.com/services.php?subloc=messenger&l=434

    Promote security and make money with the Hushmail Affiliate Program:
    https://www.hushmail.com/about.php?subloc=affiliate&l=427

  • Next message: Marc Maiffret: "[Full-Disclosure] EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption"

    Relevant Pages

    • Another Low Blow From Microsoft: MBSA Failure!
      ... Another Low Blow from Microsoft. ... Messenger Service Vulnerability. ... ran messenger service exploit against the machines that MS Base Analyzer ... therefore these machines were vulnerable until the next successful reboot. ...
      (Bugtraq)
    • [Full-Disclosure] Another Low Blow From Microsoft: MBSA Failure!
      ... Another Low Blow from Microsoft. ... Messenger Service Vulnerability. ... ran messenger service exploit against the machines that MS Base Analyzer ... therefore these machines were vulnerable until the next successful reboot. ...
      (Full-Disclosure)
    • Re: I love IP Tables....
      ... customers that they isolate their video machines to the maximum extent ... possible with suitable firewall and AV protection on the other machines ... By contrast it is rare for a critical remote vulnerability to be known for more than 3 days in Linux distributions without having the update to fix it released. ... ONE reason Linux is MORE secure than Windows is the multiple eyes. ...
      (Fedora)
    • RE: /sumthin Revisited
      ... Perhaps a new worm or a recon tool. ... machines indicated that they were running potentially vulnerable software. ... so it may be an old vulnerability. ...
      (Incidents)
    • [Full-Disclosure] RE: Another Low Blow From Microsoft: MBSA Failure!
      ... MBSA detects Patches that have been applied. ... MBSA said the patch was there. ... Messenger Service Vulnerability. ... ran messenger service exploit against the machines that MS Base Analyzer ...
      (Full-Disclosure)