RE: RE: Microsoft Baseline Security Analyzer not seeing KB887742 and KB886185

["Threlkeld, Richard" <richardt () qualcomm com>]

I don't dispute that there are security concerns there however the tool
in question, the MBSA, was designed for a specific purpose which the
original poster doesn't seem to understand.  The breadth of Windows is
quite large and as such the amount of bugs possible are large being
security related or not.  If you were to classify every DoS as a
security implication that needed to be scanned by the MBSA it would take
hours to scan a single system and compare its patch level against every
hotfix released for an OS.

On top of that though the MBSA does do a good job at scanning for common
security misconfigurations on a Windows system such as weak
Administrator passwords, auditing, and some other general Windows
vulnerabilities.  MS also has some great scripts for the utility located
off of the MBSA homepage which concatenate the data and roll it up into
nice reports.  But to say that any BSOD is a DoS and expecting a tool
such as the MBSA to scan against a database containing every hotfix for
a BSOD is a bit unreasonable IMO.  The MSSECURE.XML is large enough as
it is, I couldn't imagine the size of an update catalog for every hotfix
for BSOD's that MS releases (although I suppose you could do it and have
/HF just scan for MSxx-xxx updates and another switch for scanning
against a different XML file containing every hotfix with the caveat
that the scan would take longer).  If I were to really criticize
anything it would be the performance of the MBSA which is sub par at
best.

This really is just a case of understanding what a specific tool is
designed to do and what it is not designed to do.  And being that it's a
free tool which when it has had detection issues over the past 6 month's
MS has created additional scanning tools to fill in the gaps and not
leave their customers high and dry, I'd find it hard to criticize them
that much.

Best,

Richard Threlkeld
Microsoft MVP - SMS
http://myitforum.techtarget.com/blog/rthrelkeld/



-----Original Message-----
From: Randal, Phil [mailto:prandal () herefordshire gov uk] 
Sent: Tuesday, February 15, 2005 2:09 AM
To: BuqtraqNT (E-mail); BugtraqSecurity (E-mail); Full-Disclosure
(E-mail)
Subject: RE: [Full-disclosure] RE: Microsoft Baseline Security Analyzer
not seeing KB887742 and KB886185

KB887742: "A computer that is running Microsoft Windows XP Service Pack
2 (SP2), Microsoft Windows XP Tablet PC Edition 2005, or Microsoft
Windows Server 2003 unexpectedly stops. Additionally, the following Stop
error message appears on a blue screen: Stop 0x05
(INVALID_PROCESS_ATTACH_ATTEMPT)".

That's a denial of service.  There are security implications there.

KB886185: "After you set up Windows Firewall in Microsoft Windows XP
Service Pack 2 (SP2), you may discover that anyone on the Internet can
access resources on your computer when you use a dial-up connection to
connect to the Internet."

That looks like a major security hole to me.

Cheers,

Phil

----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -----Original Message-----
> From: full-disclosure-bounces () lists netsys com
> [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of 
> Threlkeld, Richard
> Sent: 15 February 2005 00:19
> To: James Lay; BuqtraqNT (E-mail); BugtraqSecurity (E-mail); 
> Full-Disclosure (E-mail)
> Subject: [Full-disclosure] RE: Microsoft Baseline Security Analyzer 
> not seeing KB887742 and KB886185
>
> These are not security updates.  KB887742 is for a stop error
> (http://support.microsoft.com/kb/887742) and  KB886185 is an update 
> for network scope on the Windows Firewall
> (http://support.microsoft.com/default.aspx?scid=kb;en-us;886185) .
>
> The MBSA scans for Security Updates only, not every hotfix ever 
> released.  Note that a "Critical" patch is not necessarily a 
> "Security"
> patch.  You may be thinking of the "Maximum severity" levels of the 
> MS*-xxx security bulletins which are not the same thing.
>
> Best,
>
> Richard Threlkeld
> Microsoft MVP - SMS
> http://myitforum.techtarget.com/blog/rthrelkeld/
>
>
>
> -----Original Message-----
> From: James Lay [mailto:jlay () ameriben com]
> Sent: Monday, February 14, 2005 10:24 AM
> To: BuqtraqNT (E-mail); BugtraqSecurity (E-mail); Full-Disclosure
> (E-mail)
> Subject: Microsoft Baseline Security Analyzer not seeing KB887742 and
> KB886185
>
> Subject line says it all....just did a fresh install of WinXP 
> SP2....was using MBSAFU to make sure it would patch...which it did.  
> However Windows Update shows still needing KB887742 and KB886185.  
> MBSA shows no critical patches need updated.
> Systeminfo shows that both KB887742 and
> KB886185 are NOT installed.  I'm using latest MBSA.  Anyone else see 
> this?  Kinda sucks :(
>
> James Lay
> Network Manager/Security Officer
> AmeriBen Solutions/IEC Group
> Deo Gloria!!!
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html