RE: Another Low Blow From Microsoft: MBSA Failure!
From: Drew Copley (dcopley_at_eeye.com)
Date: Tue, 10 Feb 2004 16:00:34 -0800 To: "Joe DeMarco" <firstname.lastname@example.org>, <email@example.com>
> -----Original Message-----
> From: Joe DeMarco [mailto:firstname.lastname@example.org]
> Sent: Tuesday, February 10, 2004 11:27 AM
> To: email@example.com
> Subject: RE: Another Low Blow From Microsoft: MBSA Failure!
> Maybe it's just me but, I wouldn't consider a patch
> successfully applied until the machine is rebooted. Registry
> changes usually require this process.
Not all patches require a reboot. This has never been the case with this
If the process is inusage, if the dlls and/or executable are in usage --
a reboot is required.
If the process is in some other way locked -- a reboot is required.
Some low level operations may only be performed outside of the OS.
I upgrade software all the time without rebooting. So does anyone else
that uses a lot of software and likes to keep everything up to date. No
way would I reboot because my trillian or ultraedit was just patched --
or my outlook or media player. Not usually, anyway.
> -----Original Message-----
> From: firstname.lastname@example.org [mailto:email@example.com]
> Sent: Tuesday, February 10, 2004 1:21 PM
> To: firstname.lastname@example.org;
> Subject: Another Low Blow From Microsoft: MBSA Failure!
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Another Low Blow from Microsoft.
> Within the last few weeks at our company we have been doing testing to
> find out total number of patched machines we have against the latest
> Messenger Service Vulnerability. After checking few thousand computers
> we have found several hundred were still affected even though
> patch has
> been applied. We have scanned with Retina, Foundstone and Qualys tools
> which they all showed as "VULNERABLE", however when we scanned with
> Microsoft Base Security Analyzer it showed as "NOT
> VULNERABLE". This was
> at first confusing; one would think an assessment tool released by the
> original vendor would actually be accurate. On the flipside it really
> didn't make sense to us why would three different commercial scanners
> show as vulnerable if they are truly patched. So we decided to do the
> ultimate test. We ran messenger service exploit against the machines
> that MS Base Analyzer showed as "Not Vulnerable" and 3rd party
> vulnerability scanners that showed as "Vulnerable". Results were as
> expected, machines were exploited and Microsoft Base Analyzer
> failed to
> detect the vulnerable machines properly.
> We have concluded that, although the patch was installed on these
> machines, the patch management script failed to reboot those few
> hundred systems, therefore these machines were vulnerable until the
> next successful reboot. After a successful reboot all 3rd party tools
> showed the machines as not vulnerable and the exploit tool did not
> successfully exploit the machines. 3rd Party tool assessments were
> accurate the machines were truly vulnerable prior reboot.
> Had we trusted Microsoft Base Analyzer we would still be vulnerable.
> To prove this, I have captured screen shots and converted them in pdf
> format for your viewing pleasure. The screenshots shows exact
> same scan
> conducted with Foundstone tool and MBSA.
> Screenshots: http://www.elusiveworld.com/scanshots.pdf
> I would love to see if there are any more like us out there who
> encountered this problem. If you had similar problems our
> to you do not fully depend on MBSA, since the tool is just as buggy as
> the company itself.
> Questions comments email me at email@example.com
> or Aim: Evilkind.
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at
> Version: Hush 2.3
> -----END PGP SIGNATURE-----
> Concerned about your privacy? Follow this link to get
> FREE encrypted email: https://www.hushmail.com/?l=2
> Free, ultra-private instant messaging with Hush Messenger
> Promote security and make money with the Hushmail Affiliate Program: