RE: Another Low Blow From Microsoft: MBSA Failure!

From: Drew Copley (
Date: 02/11/04

  • Next message: James Riden: "Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption"
    Date: Tue, 10 Feb 2004 16:00:34 -0800
    To: "Joe DeMarco" <>, <>


    > -----Original Message-----
    > From: Joe DeMarco []
    > Sent: Tuesday, February 10, 2004 11:27 AM
    > To:
    > Subject: RE: Another Low Blow From Microsoft: MBSA Failure!
    > Maybe it's just me but, I wouldn't consider a patch
    > successfully applied until the machine is rebooted. Registry
    > changes usually require this process.

    Not all patches require a reboot. This has never been the case with this
    system's upgrades.

    If the process is in usage, if the dlls and/or executable are in usage --
    a reboot is required.

    If the process is in some other way locked -- a reboot is required.

    Some low level operations may only be performed outside of the OS.

    I upgrade software all the time without rebooting. So does anyone else
    that uses a lot of software and likes to keep everything up to date. No
    way would I reboot because my trillian or ultraedit was just patched --
    or my outlook or media player. Not usually, anyway.

    > -----Original Message-----
    > From: []
    > Sent: Tuesday, February 10, 2004 1:21 PM
    > To:;
    > Subject: Another Low Blow From Microsoft: MBSA Failure!
    > Another Low Blow from Microsoft.
    > Within the last few weeks at our company we have been doing testing to
    > find out the total number of patched machines we have against the latest
    > Messenger Service Vulnerability. After checking a few thousand computers
    > we have found several hundred were still affected even though the patch
    > has been applied. We have scanned with Retina, Foundstone and Qualys
    > tools, which all showed them as "VULNERABLE"; however, when we scanned
    > with Microsoft Base Security Analyzer it showed them as "NOT VULNERABLE".
    > This was at first confusing; one would think an assessment tool released
    > by the original vendor would actually be accurate. On the flipside it
    > really didn't make sense to us why three different commercial scanners
    > would show them as vulnerable if they were truly patched. So we decided
    > to do the ultimate test. We ran a messenger service exploit against the
    > machines that MS Base Analyzer showed as "Not Vulnerable" and 3rd party
    > vulnerability scanners showed as "Vulnerable". Results were as
    > expected: machines were exploited and Microsoft Base Analyzer failed to
    > detect the vulnerable machines properly.
    > We have concluded that, although the patch was installed on these
    > machines, the patch management script failed to reboot those few
    > hundred systems, therefore these machines were vulnerable until the
    > next successful reboot. After a successful reboot all 3rd party tools
    > showed the machines as not vulnerable and the exploit tool did not
    > successfully exploit the machines. 3rd party tool assessments were
    > accurate; the machines were truly vulnerable prior to reboot.
    > Had we trusted Microsoft Base Analyzer we would still be vulnerable.
    > To prove this, I have captured screen shots and converted them to pdf
    > format for your viewing pleasure. The screenshots show the exact same
    > scan conducted with the Foundstone tool and MBSA.
    > Screenshots:
    > I would love to see if there are any more like us out there who
    > encountered this problem. If you had similar problems, our
    > recommendation to you is: do not fully depend on MBSA, since the tool
    > is just as buggy as the company itself.
    > Questions comments email me at
    > or Aim: Evilkind.
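
Added example, not part of the original thread: a PowerShell check for the state the thread describes, where a hotfix is recorded as installed but the machine has not rebooted, so the old binaries may still be loaded. The function name `Get-PatchState` and the hotfix ID `KB0000000` are placeholders chosen here; the registry locations are the standard Windows pending-reboot markers.

```powershell
function Get-PatchState {
    param(
        # Hotfix to audit. 'KB0000000' is a placeholder, not a real ID.
        [Parameter(Mandatory = $true)][string]$HotFixId
    )

    $markers = @()

    # Files queued for replacement at next boot. This is how in-use DLLs and
    # executables get swapped, so a non-empty value means old code may still run.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
              -Name 'PendingFileRenameOperations' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) {
        $markers += 'PendingFileRenameOperations'
    }

    # Keys left by the servicing stack and Windows Update on newer Windows
    # versions while a restart is outstanding.
    $keys = @{
        'CBS RebootPending' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        'WU RebootRequired' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    }
    foreach ($name in $keys.Keys) {
        if (Test-Path -Path $keys[$name]) { $markers += $name }
    }

    # "Installed" here only means the hotfix is recorded on the system.
    $installed = [bool](Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue)

    # Conservative classification: installed plus any pending-reboot marker is
    # reported separately and should be treated as still exposed.
    if (-not $installed)           { $state = 'Unpatched' }
    elseif ($markers.Count -gt 0)  { $state = 'PatchedRebootPending' }
    else                           { $state = 'Patched' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        HotFixId      = $HotFixId
        Installed     = $installed
        RebootMarkers = $markers -join ', '
        State         = $state
    }
}

Get-PatchState -HotFixId 'KB0000000'
```

A pending-reboot marker can come from any installer, so `PatchedRebootPending` is a conservative signal rather than proof that this particular hotfix's files are the ones waiting to be replaced.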
