RE: MS defends MBSA
From: Arnott James M Contr AEDC/TEK (James.Arnott@arnold.af.mil)
- Previous message: Speight, Howard F: "RE: MS defends MBSA"
- Maybe in reply to: H C: "MS defends MBSA"
- Next in thread: Muhammad Faisal Rauf Danka: "Re: MS defends MBSA"
From: Arnott James M Contr AEDC/TEK <James.Arnott@arnold.af.mil>
To: "'Speight, Howard F'" <SPEIGHTH@MAIL.ECU.EDU>, "'email@example.com'" <firstname.lastname@example.org>
Date: Wed, 24 Apr 2002 12:17:03 -0000
I have been playing with the MBSA as well for the past week or
so... and I have not seen any issue with the scanner picking up applied
updates (at least the ones that it says it will be able to detect). I am
using Winstall to push the patches to the machines and it has worked like a
charm on detecting that the patches were applied. I will say that I wish
that you could select a range of computers to scan, not by IP address but by
computer name. Such as if a certain department's computer names start with
APL****** then you could ask the software to scan all computers with APL* as
a name and report.
It is nice to see that Microsoft has done something, and for my two
cents... not a bad first go at it either.
Just started playing with MBSA and it ranges from working perfectly to
causing all kinds of problems depending on the configuration of the machine
I'm trying to scan.
Seems to work fine as long as all updates were done by Windows Update.
Discrepancies in reporting when updates are mixed (manual and windows
Note: I install all major updates manually from CD before plugging into
network. Flat out reported the rollup for IIS (Q319733, MS02-018) was not
installed when done manually. Manually removed the patch using Add/Remove
programs, put it back using Windows Update, it was picked up on the next
Uninstall Client for Microsoft Networking and it will not run at all,
displays *error*\*error*(this computer). Yes, even if you select scan by IP,
returns computer not found. CMN doesn't have to be enabled (e.g. checked, just
installed) for the NIC.
Of course, uninstalling CMN or File and Print Sharing for MS Networks also breaks
things depending on what you're trying to run (SMTP and NNTP), but I
Prerequisites are definitely more than just having the correct OS. Computer
settings must be a certain way too!
The tool definitely has promise, but it's not there yet! I commend MS for the
Link to IDG article:
The article's author, Brian Fonseca, describes the MBSA
as "a more user friendly version of HFNetChk built
around a new GUI". However, the article says that
"users should be aware that differences occur in the
manner notes -- an advisory indicating no patch is
present -- and warnings are posted by each." That
came from Steve Lipner, director of security assurance
The article continues:
"Lipner said hotfixes could also lead to MBSA
misinterpretation." Aaaahhhh. Okay. The thing that
got me was the following statement from Lipner: "If a
hotfix was applied to plug a code exploit that did not
come directly from a Microsoft security bulletin, MBSA
will "guess" a system update has occurred".
That being the case...why would a patch be on an MS
system that did not come directly from an MS Security
Bulletin? Would this then provide a means by which a
malicious admin could fool the MBSA reports?
It sounds as if the author is also leaning toward the
usual journalistic FUD with this statement:
"Available for free download, MBSA is designed to
unearth Microsoft product holes". The tool doesn't
unearth holes... it reports patches/hotfixes, and a few
I, for one, would be interested in hearing anything
anyone has to offer about using this tool...the more
specific ("it rocks" or "it sux" is *not* specific)
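Two things come up in the thread above: the wish to target a scan by computer-name prefix (APL*), and the discrepancy between patches installed by hand and patches installed through Windows Update, which Lipner describes as MBSA having to "guess". The following is an added example, not MBSA's or Microsoft's code, that models the general approach HFNetChk-style scanners document (a per-patch registry key plus file versions) and shows how a by-name filter would sit on top of it. It assumes each patch is judged by a registry key named after its Q number and by the version of the files the patch replaces; the host data, the file name and the version numbers are constructed for illustration, and treating "files updated but no registry key" as the cause of the manual-install discrepancy is an assumption, not something the thread establishes.

```python
"""Added example (not MBSA's or Microsoft's code): a simplified model of how a
hotfix scanner in the HFNetChk/MBSA family decides whether a patch is present,
plus the by-computer-name targeting wished for in the thread.

Assumptions: each patch is checked by (1) a registry key named after its Q
number under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\HotFix and
(2) the version of each file the patch replaces. All host data is constructed."""
from dataclasses import dataclass
from fnmatch import fnmatch

INSTALLED = "installed"                # key present and files at/above patch level
FILES_ONLY = "files-updated-no-key"    # files patched but no registry key: the "guess" case
MISSING = "missing"                    # at least one file still at a pre-patch version


@dataclass(frozen=True)
class Patch:
    q_number: str        # e.g. "Q319733"
    bulletin: str        # e.g. "MS02-018"
    files: dict          # file path -> minimum version tuple the patch installs


@dataclass(frozen=True)
class Host:
    name: str
    hotfix_keys: frozenset   # Q numbers present under the HotFix registry key
    file_versions: dict      # file path -> version tuple actually on disk


def parse_version(text):
    """'5.0.2195.5000' -> (5, 0, 2195, 5000); tuples compare lexicographically."""
    return tuple(int(part) for part in text.split("."))


def check_patch(host, patch):
    """Combine the registry-key check and the file-version check for one patch."""
    files_ok = all(host.file_versions.get(path, (0,)) >= minimum
                   for path, minimum in patch.files.items())
    key_ok = patch.q_number in host.hotfix_keys
    if key_ok and files_ok:
        return INSTALLED
    if files_ok:
        return FILES_ONLY   # a key-only scanner would report this host as unpatched
    return MISSING


def scan_hosts(hosts, patch, name_pattern="*"):
    """Return {host name: result} for hosts whose name matches a glob such as 'APL*'."""
    return {h.name: check_patch(h, patch)
            for h in hosts if fnmatch(h.name, name_pattern)}


# Constructed sample data. Q319733 / MS02-018 is the IIS cumulative patch named in
# the thread; the file name and version numbers below are illustrative only.
W3SVC = r"C:\WINNT\system32\inetsrv\w3svc.dll"
IIS_ROLLUP = Patch("Q319733", "MS02-018", {W3SVC: parse_version("5.0.2195.5000")})

HOSTS = [
    # patched through Windows Update: registry key written and file updated
    Host("APL001", frozenset({"Q319733"}), {W3SVC: parse_version("5.0.2195.5000")}),
    # patched by hand from CD: file updated, registry key absent (assumed cause of the discrepancy)
    Host("APL002", frozenset(), {W3SVC: parse_version("5.0.2195.5000")}),
    # not patched at all
    Host("APL003", frozenset(), {W3SVC: parse_version("5.0.2195.4500")}),
    # another department's machine; excluded by the APL* pattern
    Host("SRV001", frozenset({"Q319733"}), {W3SVC: parse_version("5.0.2195.5000")}),
]

if __name__ == "__main__":
    for name, result in sorted(scan_hosts(HOSTS, IIS_ROLLUP, "APL*").items()):
        print(f"{name}: {IIS_ROLLUP.bulletin} ({IIS_ROLLUP.q_number}) {result}")
```

The point of splitting the result three ways is that a scanner which trusts only the registry key reports APL002 as unpatched even though its binaries are current, while one that trusts only file versions cannot tell APL001 and APL002 apart; reporting the two checks separately is what lets an administrator decide which of the two "installed" states to believe.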