> -----Original Message-----
> From: Joe DeMarco [mailto:demarcoj@comcast.net]
> Sent: Tuesday, February 10, 2004 11:27 AM
> To: bugtraq@securityfocus.com
> Subject: RE: Another Low Blow From Microsoft: MBSA Failure!
>
> Maybe it's just me but, I wouldn't consider a patch
> successfully applied until the machine is rebooted. Registry
> changes usually require this process.

Not all patches require a reboot. This has never been the case with
this system's upgrades.

If the process is in usage, if the dlls and/or executable are in
usage -- a reboot is required. If the process is in some other way
locked -- a reboot is required. Some low level operations may only be
performed outside of the OS.

I upgrade software all the time without rebooting. So does anyone else
that uses a lot of software and likes to keep everything up to date. No
way would I reboot because my trillian or ultraedit was just patched --
or my outlook or media player. Not usually, anyway.

>
> -----Original Message-----
> From: dotsecure@hushmail.com [mailto:dotsecure@hushmail.com]
> Sent: Tuesday, February 10, 2004 1:21 PM
> To: full-disclosure@lists.netsys.com;
> bugtraq@securityfocus.com;
> patchmanagement@listserv.patchmanagement.org
> Subject: Another Low Blow From Microsoft: MBSA Failure!
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Another Low Blow from Microsoft.
>
> Within the last few weeks at our company we have been doing testing to
> find out total number of patched machines we have against the latest
> Messenger Service Vulnerability. After checking few thousand computers
> we have found several hundred were still affected even though patch has
> been applied. We have scanned with Retina, Foundstone and Qualys tools
> which they all showed as "VULNERABLE", however when we scanned with
> Microsoft Base Security Analyzer it showed as "NOT VULNERABLE". This was
> at first confusing; one would think an assessment tool released by the
> original vendor would actually be accurate. On the flipside it really
> didn't make sense to us why would three different commercial scanners
> show as vulnerable if they are truly patched. So we decided to do the
> ultimate test. We ran messenger service exploit against the machines
> that MS Base Analyzer showed as "Not Vulnerable" and 3rd party
> vulnerability scanners that showed as "Vulnerable". Results were as
> expected, machines were exploited and Microsoft Base Analyzer failed to
> detect the vulnerable machines properly.
>
> We have concluded that, although the patch was installed on these
> machines, the patch management script failed to reboot those few
> hundred systems, therefore these machines were vulnerable until the
> next successful reboot. After a successful reboot all 3rd party tools
> showed the machines as not vulnerable and the exploit tool did not
> successfully exploit the machines. 3rd Party tool assessments were
> accurate the machines were truly vulnerable prior reboot.
>
> Had we trusted Microsoft Base Analyzer we would still be vulnerable.
>
>
> To prove this, I have captured screen shots and converted them in pdf
> format for your viewing pleasure. The screenshots show exact same scan
> conducted with Foundstone tool and MBSA.
>
> Screenshots: http://www.elusiveworld.com/scanshots.pdf
>
>
> I would love to see if there are any more like us out there who
> encountered this problem. If you had similar problems our recommendation
> to you do not fully depend on MBSA, since the tool is just as buggy as
> the company itself.
>
> Questions comments email me at dotsecure@hushamail.com
> or Aim: Evilkind.
>
>
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at
> https://www.hushtools.com/verify
> Version: Hush 2.3
>
> wkYEARECAAYFAkApIjwACgkQHxPzbxnt5HTNtQCfd6xpi2VasnZ33/6saPNfqyMgukMA
> nj85QSec1HrAe9aYeSMHiOqcI1Zk
> =ORo8
> -----END PGP SIGNATURE-----
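
The condition both messages describe (patch recorded as installed, old binaries still loaded until the next restart) can be checked on the host itself. The following is an added example, not part of the thread and not taken from MBSA or any scanner named above; it assumes a current Windows system with PowerShell, and the function name `Get-PendingRebootEvidence` is hypothetical.

```powershell
# Added example: local evidence that an update is on disk but not yet active.
function Get-PendingRebootEvidence {
    $evidence = @()

    # Files the installer could not replace because they were in use are
    # queued in this value and swapped in by the Session Manager at next boot.
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $queued = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations `
               -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($queued) {
        $evidence += "PendingFileRenameOperations: $(@($queued).Count) queued entries"
    }

    # Marker keys created by Windows Update and Component Based Servicing
    # when a restart is still outstanding.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($key in $markers) {
        if (Test-Path -Path $key) { $evidence += "Key present: $key" }
    }

    # Heuristic only: hotfixes dated on or after the day of the last boot.
    # InstalledOn carries a date without a time, so these are candidates to
    # review, not proof, and they do not set RebootPending.
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $recent = @()
    foreach ($fix in Get-HotFix) {
        if ($fix.InstalledOn -and $fix.InstalledOn.Date -ge $boot.Date) {
            $recent += $fix.HotFixID
        }
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        LastBoot             = $boot
        RebootPending        = ($evidence.Count -gt 0)
        Evidence             = $evidence
        HotfixesSinceBootDay = $recent
    }
}

Get-PendingRebootEvidence | Format-List
```

A host that reports `RebootPending = True` should be treated as unpatched in compliance reporting until it has restarted and been rescanned.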