 
From: Luke Smith (luke.smithmember.sage-au.org.au)
Date: Tue Apr 23 2002 - 17:51:00 CDT


    I have been playing with MBSA recently and have found it very useful,
    if a little inaccurate. I too have found that it reports some manually
    installed patches as missing on some machines, specifically:

    MS02-001 Trusting Domains Do Not Verify Domain Membership of SIDs in
    Authorization Data
    MS01-022 WebDAV Service Provider Can Allow Scripts to Levy Requests as
    User
    MS02-008 XMLHTTP Control Can Allow Access to Local Files

    MBSA insists these hotfixes are missing even though I have
    installed/removed/installed them again and again.

    I get the same results from HFNETCHK.

    MBSA goes far beyond the functionality of HFNETCHK. Having the ability
    to scan my users' machines and check them for dubious MS Office security
    settings is excellent. For example, it found 4 users that had set Excel's
    macro security to Low. I'm not too keen on enforcing a macro policy,
    making this a great passive security tool.

    It also checks SQL Servers, IIS configurations (IISLockDown etc.).

    I like it; it just needs some bugs cleaned up (or bugs in the hotfixes,
    as the case may be), and needs to have its features kept up to date with
    new products.

    Luke.

    -----Original Message-----
    From: H C [mailto:keydet89yahoo.com]
    Sent: Wednesday, 24 April 2002 12:09 AM
    To: focus-mssecurityfocus.com
    Subject: MS defends MBSA

    Link to IDG article:

    http://idg.net/ic_849313_4394_1-3921.html

    The article author, Brian Fonseca, describes the MBSA
    as "a more user friendly version of HFNetChk built
    around a new GUI". However, the article says that
    "users should be aware that differences occur in the
    manner notes -- an advisory indicating no patch is
    present -- and warnings are posted by each." That
    came from Steve Lipner, director of security assurance
    at Microsoft.

    The article continues:
    "Lipner said hotfixes could also lead to MBSA
    misinterpretation." Aaaahhhh. Okay. The thing that
    got me was the following statement from Lipner: "If a
    hotfix was applied to plug a code exploit that did not
    come directly from a Microsoft security bulletin, MBSA
    will "guess" a system update has occurred".

    That being the case...why would a patch be on an MS
    system that did not come directly from an MS Security
    Bulletin? Would this then provide a means by which a
    malicious admin could fool the MBSA reports?

    It sounds as if the author is also leaning toward the
    usual journalistic FUD with this statement:
    "Available for free download, MBSA is designed to
    unearth Microsoft product holes". The tool doesn't
    unearth holes...it reports patches/hotfixes, and a few
    other things.

    I, for one, would be interested in hearing anything
    anyone has to offer about using this tool...the more
    specific ("it rocks" or "it sux" is *not* specific)
    the better.
