RE: MS defends MBSA

From: Arnott James M Contr AEDC/TEK (James.Arnott@arnold.af.mil)
Date: 04/24/02


From: Arnott James M Contr AEDC/TEK <James.Arnott@arnold.af.mil>
To: "'Speight, Howard F'" <SPEIGHTH@MAIL.ECU.EDU>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Wed, 24 Apr 2002 12:17:03 -0000


        I have been playing with the MBSA as well for the past week or
so.... And I have not seen any issue with the scanner picking up applied
updates (at least the ones that it says it will be able to detect). I am
using Winstall to push the patches to the machines and it has worked like a
charm on detecting that the patches were applied. I will say that I wish
that you could select a range of computers to scan, not by IP address but by
computer name. Such as if a certain department's computer names start with
APL****** then you could ask the software to scan all computers with APL* as
a name and report.

        It is nice to see that Microsoft has done something, and for my two
cents... Not a bad first go at it either.

-----Original Message-----
From: Speight, Howard F [mailto:SPEIGHTH@MAIL.ECU.EDU]
Sent: Tuesday, April 23, 2002 4:09 PM
To: 'focus-ms@securityfocus.com'
Subject: RE: MS defends MBSA

Just started playing with MBSA and it ranges from working perfectly to
causing all kinds of problems depending on the configuration of the machine
I'm trying to scan.

Seems to work fine as long as all updates were done by Windows update.

Discrepancies in reporting when updates are mixed (manual and Windows
Update).
Note: I install all major updates manually from CD before plugging into
network. Flat out reported the rollup for IIS (Q319733, MS02-018) was not
installed when done manually. Manually removed the patch using Add/Remove
programs, put it back using Windows Update, it was picked up on the next
scan.

Uninstall Client for Microsoft Networking and it will not run at all,
displays *error*\*error*(this computer). Yes, even if you select scan by IP,
returns computer not found. CMN doesn't have to be enabled (e.g. checked, just
installed) for the NIC.

Course uninstalling CMN or File and Print Sharing for MS Network also breaks
things depending on what you're trying to run (SMTP and NNTP), but I
digress...

Prerequisites are definitely more than just having the correct OS. Computer
Settings must be a certain way too!

Tool definitely has promise, but it's not there yet! I commend MS for the
effort... :-)

Howard
-----Original Message-----
From: H C [mailto:keydet89@yahoo.com]
Sent: Tuesday, April 23, 2002 10:09 AM
To: focus-ms@securityfocus.com
Subject: MS defends MBSA

Link to IDG article:

http://idg.net/ic_849313_4394_1-3921.html

The article author, Brian Fonseca, describes the MBSA
as "a more user friendly version of HFNetChk built
around a new GUI". However, the article says that
"users should be aware that differences occur in the
manner notes -- an advisory indicating no patch is
present -- and warnings are posted by each." That
came from Steve Lipner, director of security assurance
at Microsoft.

The article continues:
"Lipner said hotfixes could also lead to MBSA
misinterpretation." Aaaahhhh. Okay. The thing that
got me was the following statement from Lipner: "If a
hotfix was applied to plug a code exploit that did not
come directly from a Microsoft security bulletin, MBSA
will "guess" a system update has occurred".

That being the case...why would a patch be on an MS
system that did not come directly from an MS Security
Bulletin? Would this then provide a means by which a
malicious admin could fool the MBSA reports?

It sounds as if the author is also leaning toward the
usual journalistic FUD with this statement:
"Available for free download, MBSA is designed to
unearth Microsoft product holes". The tool doesn't
unearth holes...it reports patches/hotfixes, and a few
other things.

I, for one, would be interested in hearing anything
anyone has to offer about using this tool...the more
specific ("it rocks" or "it sux" is *not* specific)
the better.



