MBSA detects Patches that have been applied. You installed the patch, MBSA said the patch was there. Sounds relatively logical to me. I don't see the failure there. "The patch management script failed to reboot those few hundred systems" This is your problem, not MBSA. Eric C. McCarty Systems Administrator Internet Security Officer -----Original Message----- From: dotsecure@hushmail.com [mailto:dotsecure@hushmail.com] Sent: Tuesday, February 10, 2004 10:21 AM To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com; patchmanagement@listserv.patchmanagement.org Subject: Another Low Blow From Microsoft: MBSA Failure! -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Another Low Blow from Microsoft. Within the last few weeks at our company we have been doing testing to find out total number of patched machines we have against the latest Messenger Service Vulnerability. After checking few thousand computers we have found several hundred were still affected even though patch has been applied. We have scanned with Retina, Foundstone and Qualys tools which they all showed as "VULNERABLE", however when we scanned with Microsoft Base Security Analyzer it showed as "NOT VULNERABLE". This was at first confusing; one would think an assessment tool released by the original vendor would actually be accurate. On the flipside it really didn't make sense to us why would three different commercial scanners show as vulnerable if they are truly patched. So we decided to do the ultimate test. We ran messenger service exploit against the machines that MS Base Analyzer showed as "Not Vulnerable" and 3rd party vulnerability scanners that showed as "Vulnerable". Results were as expected, machines were exploited and Microsoft Base Analyzer failed to detect the vulnerable machines properly. We have concluded that, although the patch was installed on these machines, the patch management script failed to reboot those few hundred systems, therefore these machines were vulnerable until the next successful reboot. After a successful reboot all 3rd party tools showed the machines as not vulnerable and the exploit tool did not successfully exploit the machines. 3rd Party tool assessments were accurate the machines were truly vulnerable prior reboot. Had we trusted Microsoft Base Analyzer we would still be vulnerable. To prove this, I have captured screen shots and converted them in pdf format for your viewing pleasure. The screenshots shows exact same scan conducted with Foundstone tool and MBSA. Screenshots: http://www.elusiveworld.com/scanshots.pdf I would love to see if there are any more like us out there who encountered this problem. If you had similar problems our recommendation to you do not fully depend on MBSA, since the tool is just as buggy as the company itself. Questions comments email me at dotsecure@hushamail.com or Aim: Evilkind. -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.3 wkYEARECAAYFAkApIjwACgkQHxPzbxnt5HTNtQCfd6xpi2VasnZ33/6saPNfqyMgukMA nj85QSec1HrAe9aYeSMHiOqcI1Zk =ORo8 -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427
