RE: MS defends MBSA

From: Arnott James M Contr AEDC/TEK (James.Arnott@arnold.af.mil)
Date: 04/24/02


From: Arnott James M Contr AEDC/TEK <James.Arnott@arnold.af.mil>
To: "'luke.smith@member.sage-au.org.au'" <luke.smith@member.sage-au.org.au>, focus-ms@securityfocus.com
Date: Wed, 24 Apr 2002 15:46:33 -0000

In reply to Luke Smith:

Now I am curious... Are you installing MS02-001 on a domain controller? And
MS01-022 is marked as yellow, which means it cannot be validated... I see
those come up on my 2000 Prof. boxes as well. But MS02-001 does not apply
to Windows 2000 Prof boxes, so I am not sure how the patch would apply.

I have seen some people state that the only way to get the patches to report
is through Windows Update... I have to say, I have not experienced that.
When I find that a patch is missing, I go to the page that is linked,
download the patch, and read the systems that are affected. Then I apply
it through Winstall to the systems that need it. I have never patched these
machines through Windows Update. They all report that the patch is applied
after the reboot.

I will say this... You must follow the secret MS guideline: "Even
if it says no reboot required... REBOOT the machine anyway." I have patched
machines, run the scan, and had no change in the results. I then rebooted the
machine and scanned again, and it found that the patch was applied.

I hope that this might help some...

-----Original Message-----
From: Luke Smith [mailto:luke.smith@member.sage-au.org.au]
Sent: Tuesday, April 23, 2002 5:51 PM
To: focus-ms@securityfocus.com
Subject: RE: MS defends MBSA

I have been playing with MBSA recently and have found it very useful,
if a little inaccurate. I too have found that it reports some manually
installed patches as missing on some machines, specifically:

MS02-001 Trusting Domains Do Not Verify Domain Membership of SIDs in Authorization Data
MS01-022 WebDAV Service Provider Can Allow Scripts to Levy Requests as User
MS02-008 XMLHTTP Control Can Allow Access to Local Files

MBSA insists these hotfixes are missing even though I have
installed/removed/installed them again and again.

I get the same results from HFNETCHK.

MBSA goes far beyond the functionality of HFNETCHK. Having the ability
to scan my users' machines and check them for dubious MS Office security
settings is excellent. For example, it found 4 users that had set Excel's
macro security to Low. I'm not too keen on enforcing a macro policy,
making this a great passive security tool.

It also checks SQL Servers, IIS configurations (IISLockDown etc)..

I like it; it just needs some bugs cleaned up (or bugs in the hotfixes,
as the case may be), and needs to have its features kept up to date with
new products.

Luke.

-----Original Message-----
From: H C [mailto:keydet89@yahoo.com]
Sent: Wednesday, 24 April 2002 12:09 AM
To: focus-ms@securityfocus.com
Subject: MS defends MBSA

Link to IDG article:

http://idg.net/ic_849313_4394_1-3921.html

The article author, Brian Fonseca, describes the MBSA
as "a more user friendly version of HFNetChk built
around a new GUI". However, the article says that
"users should be aware that differences occur in the
manner notes -- an advisory indicating no patch is
present -- and warnings are posted by each." That
came from Steve Lipner, director of security assurance
at Microsoft.

The article continues:
"Lipner said hotfixes could also lead to MBSA
misinterpretation." Aaaahhhh. Okay. The thing that
got me was the following statement from Lipner: "If a
hotfix was applied to plug a code exploit that did not
come directly from a Microsoft security bulletin, MBSA
will "guess" a system update has occurred".

That being the case...why would a patch be on an MS
system that did not come directly from an MS Security
Bulletin? Would this then provide a means by which a
malicious admin could fool the MBSA reports?

It sounds as if the author is also leaning toward the
usual journalistic FUD with this statement:
"Available for free download, MBSA is designed to
unearth Microsoft product holes". The tool doesn't
unearth holes...it reports patches/hotfixes, and a few
other things.

I, for one, would be interested in hearing anything
anyone has to offer about using this tool...the more
specific ("it rocks" or "it sux" is *not* specific)
the better.
