RE: Another Low Blow From Microsoft: MBSA Failure!

From: Joe DeMarco (demarcoj_at_comcast.net)
Date: 02/10/04

    To: <bugtraq@securityfocus.com>
    Date: Tue, 10 Feb 2004 14:26:51 -0500
    
    

    Maybe it's just me, but I wouldn't consider a patch successfully applied
    until the machine is rebooted. Registry changes usually require this
    process.

    -----Original Message-----
    From: dotsecure@hushmail.com [mailto:dotsecure@hushmail.com]
    Sent: Tuesday, February 10, 2004 1:21 PM
    To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
    patchmanagement@listserv.patchmanagement.org
    Subject: Another Low Blow From Microsoft: MBSA Failure!

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Another Low Blow from Microsoft.

    Within the last few weeks at our company we have been doing testing to
    find out the total number of patched machines we have against the latest
    Messenger Service Vulnerability. After checking a few thousand computers
    we found several hundred were still affected even though the patch had
    been applied. We scanned with Retina, Foundstone and Qualys tools,
    which all showed "VULNERABLE"; however, when we scanned with
    Microsoft Base Security Analyzer it showed "NOT VULNERABLE". This was
    at first confusing; one would think an assessment tool released by the
    original vendor would actually be accurate. On the flipside, it really
    didn't make sense to us why three different commercial scanners would
    show them as vulnerable if they were truly patched. So we decided to do the
    ultimate test. We ran a messenger service exploit against the machines
    that MS Base Analyzer showed as "Not Vulnerable" and that the 3rd party
    vulnerability scanners showed as "Vulnerable". Results were as
    expected: the machines were exploited, and Microsoft Base Analyzer failed to
    detect the vulnerable machines properly.

    We have concluded that, although the patch was installed on these
    machines, the patch management script failed to reboot those few
    hundred systems; therefore these machines were vulnerable until the
    next successful reboot. After a successful reboot, all 3rd party tools
    showed the machines as not vulnerable and the exploit tool did not
    successfully exploit the machines. The 3rd party tool assessments were
    accurate: the machines were truly vulnerable prior to the reboot.

    Had we trusted Microsoft Base Analyzer we would still be vulnerable.

    To prove this, I have captured screenshots and converted them to PDF
    format for your viewing pleasure. The screenshots show the exact same scan
    conducted with the Foundstone tool and MBSA.

    Screenshots: http://www.elusiveworld.com/scanshots.pdf

    I would love to see if there are any more like us out there who
    encountered this problem. If you had similar problems, our recommendation
    to you is not to fully depend on MBSA, since the tool is just as buggy as
    the company itself.

    Questions or comments: email me at dotsecure@hushamail.com
    or AIM: Evilkind.

    -----BEGIN PGP SIGNATURE-----
    Note: This signature can be verified at https://www.hushtools.com/verify
    Version: Hush 2.3

    wkYEARECAAYFAkApIjwACgkQHxPzbxnt5HTNtQCfd6xpi2VasnZ33/6saPNfqyMgukMA
    nj85QSec1HrAe9aYeSMHiOqcI1Zk
    =ORo8
    -----END PGP SIGNATURE-----

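The thread's conclusion is that the machines were "patched" on paper but not in practice: the hotfix had been installed, the reboot that would swap the replaced service binaries into use had not happened, and a tool that checks installation state rather than the live service reported them as not vulnerable. A practical defender's check is to ask each host whether a reboot is still pending before trusting an installation-based result. The PowerShell below is an added example, not code from either poster or from MBSA; it assumes the standard Windows registry indicators of a pending reboot (the Session Manager `PendingFileRenameOperations` value, the Windows Update `RebootRequired` key and the later Component Based Servicing `RebootPending` key), none of which are named on the page, and a constructed `hosts.txt` input of one hostname per line.

```powershell
# Added example (not from the thread): report whether a host still has a
# reboot pending, so that "patch installed" results from an installation-based
# scanner can be reconciled with scanners that exercise the live service.
# The registry locations below are assumptions of this example, not values
# taken from the post.
function Test-PendingReboot {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $reasons = @()

    # Files that were in use when a hotfix installed are renamed into place at
    # the next boot via this multi-string value (Windows NT/2000/XP onwards).
    $smPath  = 'SYSTEM\CurrentControlSet\Control\Session Manager'
    # Present only while Windows Update is waiting for a restart.
    $wuPath  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    # Present only while component-based servicing (Vista and later) is waiting.
    $cbsPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $sm = $hklm.OpenSubKey($smPath)
        if ($sm -and $sm.GetValue('PendingFileRenameOperations')) {
            $reasons += 'PendingFileRenameOperations'
        }
        if ($hklm.OpenSubKey($wuPath))  { $reasons += 'WindowsUpdate RebootRequired' }
        if ($hklm.OpenSubKey($cbsPath)) { $reasons += 'CBS RebootPending' }
    }
    finally {
        $hklm.Close()
    }

    [pscustomobject]@{
        ComputerName  = $ComputerName
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = ($reasons -join '; ')
    }
}

# Usage: feed in the hosts an installation-based scanner reported as patched
# and list the ones whose "patched" status should not yet be trusted.
# hosts.txt is a constructed input file: one hostname per line.
Get-Content .\hosts.txt |
    ForEach-Object { Test-PendingReboot -ComputerName $_ } |
    Where-Object RebootPending |
    Format-Table -AutoSize
```

Remote registry access requires the Remote Registry service on the target and administrative rights on it. A host that appears in this output with the patch installed is in exactly the state the original poster describes: the fix is on disk but the vulnerable code is still what is running, so a scanner that probes the service will correctly keep reporting it until the reboot completes.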

