Bugtraq mailing list archives

RE: Another Low Blow From Microsoft: MBSA Failure!


From: "Drew Copley" <dcopley () eeye com>
Date: Tue, 10 Feb 2004 16:00:34 -0800

 

-----Original Message-----
From: Joe DeMarco [mailto:demarcoj () comcast net] 
Sent: Tuesday, February 10, 2004 11:27 AM
To: bugtraq () securityfocus com
Subject: RE: Another Low Blow From Microsoft: MBSA Failure!

Maybe it's just me but, I wouldn't consider a patch 
successfully applied until the machine is rebooted. Registry 
changes usually require this process.

Not all patches require a reboot. This has never been the case with this
system's upgrades. 

If the process is inusage, if the dlls and/or executable are in usage --
a reboot is required.

If the process is in some other way locked -- a reboot is required.

Some low level operations may only be performed outside of the OS.

I upgrade software all the time without rebooting. So does anyone else
that uses a lot of software and likes to keep everything up to date. No
way would I reboot because my trillian or ultraedit was just patched --
or my outlook or media player. Not usually, anyway.





-----Original Message-----
From: dotsecure () hushmail com [mailto:dotsecure () hushmail com]
Sent: Tuesday, February 10, 2004 1:21 PM
To: full-disclosure () lists netsys com; 
bugtraq () securityfocus com; 
patchmanagement () listserv patchmanagement org
Subject: Another Low Blow From Microsoft: MBSA Failure!


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Another Low Blow from Microsoft.

Within the last few weeks at our company we have been doing testing to
find out total number of patched machines we have against the latest
Messenger Service Vulnerability. After checking few thousand computers
we have found several hundred were still affected even though 
patch has
been applied. We have scanned with Retina, Foundstone and Qualys tools
which they all showed as "VULNERABLE", however when we scanned with
Microsoft Base Security Analyzer it showed as "NOT 
VULNERABLE". This was
at first confusing; one would think an assessment tool released by the
original vendor would actually be accurate. On the flipside it really
didn't make sense to us why would three different commercial scanners
show as vulnerable if they are truly patched. So we decided to do the
ultimate test. We ran messenger service exploit against the machines
that MS Base Analyzer showed as "Not Vulnerable" and 3rd party
vulnerability scanners that showed as "Vulnerable". Results were as
expected, machines were exploited and Microsoft Base Analyzer 
failed to
detect the vulnerable machines properly.

We have concluded that, although the patch was installed on these
machines,  the patch management script failed to reboot those few
hundred systems,  therefore these machines were vulnerable until the
next successful reboot. After a successful reboot all 3rd party tools
showed the machines as not vulnerable and the exploit tool did not
successfully exploit the machines.  3rd Party tool assessments were
accurate the machines were truly vulnerable prior reboot.

Had we trusted Microsoft Base Analyzer we would still be vulnerable.


To prove this, I have captured screen shots and converted them in pdf
format for your viewing pleasure. The screenshots shows exact 
same scan
conducted with  Foundstone tool and MBSA.

Screenshots: http://www.elusiveworld.com/scanshots.pdf


I would love to see if there are any more like us out there who
encountered this problem. If you had similar problems our 
recommendation
to you do not fully depend on MBSA, since the tool is just as buggy as
the company itself.

Questions comments email me at dotsecure () hushamail com
or Aim: Evilkind.


-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at 
https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAkApIjwACgkQHxPzbxnt5HTNtQCfd6xpi2VasnZ33/6saPNfqyMgukMA
nj85QSec1HrAe9aYeSMHiOqcI1Zk
=ORo8
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427





Current thread: