RE: MS defends MBSA

From: Beadles, Mark A (MBeadles@SmartPipes.com)
Date: 04/24/02


From: "Beadles, Mark A" <MBeadles@SmartPipes.com>
To: focus-ms@securityfocus.com
Date: Wed, 24 Apr 2002 20:24:27 -0000

Tony Bradley writes:

>Playing devil's advocate though- how far are we going to get if we
>first have to check for patches and hotfixes for the tool that is
>supposed to check for patches and hotfixes??

Well, of course. The MBSA is a piece of software. Like every single other
piece of software ever written, there is the possibility that it will
require patches and hotfixes. There is nothing anyone can do about that,
since humans write software. This is a "bootstrap" problem that in the end
can only be solved by human judgment.

But I would hope, since the MBSA is less complex (by a few orders of
magnitude) than the OS which it is scanning, that patches/hotfixes to the
MBSA will occur at a much lower frequency than OS patches/hotfixes. That
should help improve our ability to keep a handle on an increasingly complex
software environment.

+ Mark Anthony Beadles + mbeadles@smartpipes.com +
+ Chief Architect + SmartPipes, Inc. +
+ Vox 614.923.5657 + Fax 614.923.6299 +

-----Original Message-----
From: Bradley, Tony [mailto:tony.bradley@eds.com]
Sent: Wednesday, 24 April 2002 12:27
To: 'luke.smith@member.sage-au.org.au'; focus-ms@securityfocus.com
Subject: RE: MS defends MBSA

** the opinions expressed are entirely my own and do not necessarily reflect
the opinions of my employer in any way **

I agree really. I think the tool performs reasonably well. I have not had a
chance to play with the full-blown retail version of Shavlik's HFNetCheck
Pro to see if it performs better. For our purposes it has been nicer to have
a GUI interface which is easier to walk non-techie users at remote sites
through and the scans are fairly comprehensive, if slightly erroneous at
times.

Playing devil's advocate though- how far are we going to get if we first
have to check for patches and hotfixes for the tool that is supposed to
check for patches and hotfixes??

Tony Bradley, MCSE_2K, MCSA, MCP, A+
Security Consultant
EDS GM Global Information Protection Programme
Electronic Data Systems
Phone: 248-265-0407 (8-365)
Email: tony.bradley@eds.com

"Our real problem, then, is not our strength today; it is rather the vital
necessity of action today to ensure our strength tomorrow." ~ Dwight D.
Eisenhower ~


-----Original Message-----
From: Luke Smith [mailto:luke.smith@member.sage-au.org.au]
Sent: Tuesday, April 23, 2002 6:51 PM
To: focus-ms@securityfocus.com
Subject: RE: MS defends MBSA

I've been playing with MBSA recently and have found it very useful, if
a little inaccurate. I too have found that it reports some manually
installed patches as missing on some machines, specifically:

MS02-001 Trusting Domains Do Not Verify Domain Membership of SIDs in
Authorization Data
MS01-022 WebDAV Service Provider Can Allow Scripts to Levy Requests as User
MS02-008 XMLHTTP Control Can Allow Access to Local Files

MBSA insists these hotfixes are missing even though I have
installed/removed/installed them again and again.

I get the same results from HFNETCHK.

MBSA goes far beyond the functionality of HFNETCHK. Having the ability to
scan my users' machines and check them for dubious MS Office security
settings is excellent. For example, it found 4 users that had set Excel's
macro security to Low. I'm not too keen on enforcing a macro policy, making
this a great passive security tool.

It also checks SQL Servers, IIS configurations (IISLockDown etc.).

I like it; it just needs some bugs cleaned up (or bugs in the hotfixes, as
the case may be), and needs to have its features kept up to date with new
products.

Luke.

-----Original Message-----
From: H C [mailto:keydet89@yahoo.com]
Sent: Wednesday, 24 April 2002 12:09 AM
To: focus-ms@securityfocus.com
Subject: MS defends MBSA

Link to IDG article:

http://idg.net/ic_849313_4394_1-3921.html

The article author, Brian Fonseca, describes the MBSA
as "a more user friendly version of HFNetChk built
around a new GUI". However, the article says that
"users should be aware that differences occur in the
manner notes -- an advisory indicating no patch is
present -- and warnings are posted by each." That
came from Steve Lipner, director of security assurance
at Microsoft.

The article continues:
"Lipner said hotfixes could also lead to MBSA misinterpretation." Aaaahhhh.
Okay. The thing that got me was the following statement from Lipner: "If a
hotfix was applied to plug a code exploit that did not come directly from a
Microsoft security bulletin, MBSA will "guess" a system update has
occurred".

That being the case...why would a patch be on an MS
system that did not come directly from an MS Security
Bulletin? Would this then provide a means by which a
malicious admin could fool the MBSA reports?

It sounds as if the author is also leaning toward the
usual journalistic FUD with this statement:
"Available for free download, MBSA is designed to
unearth Microsoft product holes". The tool doesn't
unearth holes...it reports patches/hotfixes, and a few
other things.

I, for one, would be interested in hearing anything
anyone has to offer about using this tool...the more
specific ("it rocks" or "it sux" is *not* specific)
the better.
