RE: Another Low Blow From Microsoft: MBSA Failure!

From: Drew Copley (dcopley_at_eeye.com)
Date: 02/11/04

    Date: Tue, 10 Feb 2004 16:00:34 -0800
    To: "Joe DeMarco" <demarcoj@comcast.net>, <bugtraq@securityfocus.com>
    
    

     

    > -----Original Message-----
    > From: Joe DeMarco [mailto:demarcoj@comcast.net]
    > Sent: Tuesday, February 10, 2004 11:27 AM
    > To: bugtraq@securityfocus.com
    > Subject: RE: Another Low Blow From Microsoft: MBSA Failure!
    >
    > Maybe it's just me but, I wouldn't consider a patch
    > successfully applied until the machine is rebooted. Registry
    > changes usually require this process.

    Not all patches require a reboot. This has never been the case with this
    system's upgrades.

    If the process is in usage, if the dlls and/or executable are in usage --
    a reboot is required.

    If the process is in some other way locked -- a reboot is required.

    Some low level operations may only be performed outside of the OS.

    I upgrade software all the time without rebooting. So does anyone else
    that uses a lot of software and likes to keep everything up to date. No
    way would I reboot because my trillian or ultraedit was just patched --
    or my outlook or media player. Not usually, anyway.

    >
    > -----Original Message-----
    > From: dotsecure@hushmail.com [mailto:dotsecure@hushmail.com]
    > Sent: Tuesday, February 10, 2004 1:21 PM
    > To: full-disclosure@lists.netsys.com;
    > bugtraq@securityfocus.com;
    > patchmanagement@listserv.patchmanagement.org
    > Subject: Another Low Blow From Microsoft: MBSA Failure!
    >
    >
    >
    > Another Low Blow from Microsoft.
    >
    > Within the last few weeks at our company we have been doing testing to
    > find out the total number of patched machines we have against the latest
    > Messenger Service Vulnerability. After checking a few thousand computers
    > we found several hundred were still affected even though the patch had
    > been applied. We scanned with Retina, Foundstone and Qualys tools, which
    > all showed the machines as "VULNERABLE"; however, when we scanned with
    > Microsoft Baseline Security Analyzer it showed them as "NOT VULNERABLE".
    > This was at first confusing; one would think an assessment tool released
    > by the original vendor would actually be accurate. On the flip side it
    > really didn't make sense to us why three different commercial scanners
    > would show them as vulnerable if they were truly patched. So we decided
    > to do the ultimate test. We ran the messenger service exploit against
    > the machines that MS Baseline Analyzer showed as "Not Vulnerable" and
    > that 3rd party vulnerability scanners showed as "Vulnerable". Results
    > were as expected: the machines were exploited, and Microsoft Baseline
    > Analyzer had failed to detect the vulnerable machines properly.
    >
    > We have concluded that, although the patch was installed on these
    > machines, the patch management script failed to reboot those few
    > hundred systems, therefore these machines were vulnerable until the
    > next successful reboot. After a successful reboot all 3rd party tools
    > showed the machines as not vulnerable and the exploit tool did not
    > successfully exploit the machines. The 3rd party tool assessments were
    > accurate: the machines were truly vulnerable prior to the reboot.
    >
    > Had we trusted Microsoft Base Analyzer we would still be vulnerable.
    >
    >
    > To prove this, I have captured screenshots and converted them to PDF
    > format for your viewing pleasure. The screenshots show the exact same
    > scan conducted with the Foundstone tool and with MBSA.
    >
    > Screenshots: http://www.elusiveworld.com/scanshots.pdf
    >
    >
    > I would love to hear whether there are any more like us out there who
    > encountered this problem. If you had similar problems, our recommendation
    > to you is: do not fully depend on MBSA, since the tool is just as buggy
    > as the company itself.
    >
    > Questions or comments: email me at dotsecure@hushamail.com
    > or AIM: Evilkind.
    >
    >
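An added check for the state this thread describes (not code from the original message, and not how MBSA or the commercial scanners work): a patch whose replacement file is queued in PendingFileRenameOperations while the old copy is still mapped into a running process. It assumes an elevated PowerShell session on the host being checked.

```powershell
# Added example for this thread, not code from the original message or from MBSA.
# Windows records files that could not be replaced while in use under
# PendingFileRenameOperations and swaps them in at the next reboot; until then any
# process that has the old copy mapped still runs the pre-patch code.
# Assumption: run in an elevated PowerShell session on the host being checked.

function Get-PendingReplacedFiles {
    # REG_MULTI_SZ of (source, destination) pairs. A destination starting with '!'
    # overwrites an existing file; an empty destination means delete on reboot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $targets = @()
    for ($i = 0; $i + 1 -lt @($ops).Count; $i += 2) {
        $dest = $ops[$i + 1] -replace '^!', '' -replace '^\\\?\?\\', ''   # strip '!' and '\??\'
        if ($dest) { $targets += $dest }
    }
    return $targets
}

function Get-StaleLoadedModules {
    # One record per (process, module) whose on-disk file is queued for replacement,
    # i.e. the process is still executing pre-patch code until the host reboots.
    param([string[]]$PendingTargets = (Get-PendingReplacedFiles))
    $pending = @{}
    foreach ($t in $PendingTargets) { $pending[$t.ToLowerInvariant()] = $true }
    if ($pending.Count -eq 0) { return @() }
    $stale = @()
    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }   # protected or cross-bitness process
        foreach ($m in $mods) {
            if ($m.FileName -and $pending.ContainsKey($m.FileName.ToLowerInvariant())) {
                $stale += [pscustomobject]@{ Process = $proc.ProcessName; Id = $proc.Id; Module = $m.FileName }
            }
        }
    }
    return $stale
}

$stale = Get-StaleLoadedModules
if ($stale) {
    "Reboot required: patched files are still loaded by running processes"
    $stale | Format-Table -AutoSize
} else {
    "No queued file replacements are loaded by running processes"
}
```

A host that shows up here is exactly the case the message reports: the file and registry evidence says "patched", but the code actually serving the network is still the old one until the reboot completes.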

