RE: Another Low Blow From Microsoft: MBSA Failure!

To: "Joe DeMarco" <demarcoj@xxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: Another Low Blow From Microsoft: MBSA Failure!
From: "Drew Copley" <dcopley@xxxxxxxx>
Date: Tue, 10 Feb 2004 16:00:34 -0800
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcPwMSpdFZz8fZjGQR+V7QBXfXSW0gACEYcQ
Thread-topic: Another Low Blow From Microsoft: MBSA Failure!

 

> -----Original Message-----
> From: Joe DeMarco [mailto:demarcoj@xxxxxxxxxxx] 
> Sent: Tuesday, February 10, 2004 11:27 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Another Low Blow From Microsoft: MBSA Failure!
> 
> Maybe it's just me but, I wouldn't consider a patch 
> successfully applied until the machine is rebooted. Registry 
> changes usually require this process.

Not all patches require a reboot. This has never been the case with this
system's upgrades. 

If the process is inusage, if the dlls and/or executable are in usage --
a reboot is required.

If the process is in some other way locked -- a reboot is required.

Some low level operations may only be performed outside of the OS.

I upgrade software all the time without rebooting. So does anyone else
that uses a lot of software and likes to keep everything up to date. No
way would I reboot because my trillian or ultraedit was just patched --
or my outlook or media player. Not usually, anyway.




> 
> -----Original Message-----
> From: dotsecure@xxxxxxxxxxxx [mailto:dotsecure@xxxxxxxxxxxx]
> Sent: Tuesday, February 10, 2004 1:21 PM
> To: full-disclosure@xxxxxxxxxxxxxxxx; 
> bugtraq@xxxxxxxxxxxxxxxxx; 
> patchmanagement@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Subject: Another Low Blow From Microsoft: MBSA Failure!
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Another Low Blow from Microsoft.
> 
> Within the last few weeks at our company we have been doing testing to
> find out total number of patched machines we have against the latest
> Messenger Service Vulnerability. After checking few thousand computers
> we have found several hundred were still affected even though 
> patch has
> been applied. We have scanned with Retina, Foundstone and Qualys tools
> which they all showed as "VULNERABLE", however when we scanned with
> Microsoft Base Security Analyzer it showed as "NOT 
> VULNERABLE". This was
> at first confusing; one would think an assessment tool released by the
> original vendor would actually be accurate. On the flipside it really
> didn't make sense to us why would three different commercial scanners
> show as vulnerable if they are truly patched. So we decided to do the
> ultimate test. We ran messenger service exploit against the machines
> that MS Base Analyzer showed as "Not Vulnerable" and 3rd party
> vulnerability scanners that showed as "Vulnerable". Results were as
> expected, machines were exploited and Microsoft Base Analyzer 
> failed to
> detect the vulnerable machines properly.
> 
> We have concluded that, although the patch was installed on these
> machines,  the patch management script failed to reboot those few
> hundred systems,  therefore these machines were vulnerable until the
> next successful reboot. After a successful reboot all 3rd party tools
> showed the machines as not vulnerable and the exploit tool did not
> successfully exploit the machines.  3rd Party tool assessments were
> accurate the machines were truly vulnerable prior reboot.
> 
> Had we trusted Microsoft Base Analyzer we would still be vulnerable.
> 
> 
> To prove this, I have captured screen shots and converted them in pdf
> format for your viewing pleasure. The screenshots shows exact 
> same scan
> conducted with  Foundstone tool and MBSA.
> 
> Screenshots: http://www.elusiveworld.com/scanshots.pdf
> 
> 
> I would love to see if there are any more like us out there who
> encountered this problem. If you had similar problems our 
> recommendation
> to you do not fully depend on MBSA, since the tool is just as buggy as
> the company itself.
> 
> Questions comments email me at dotsecure@xxxxxxxxxxxxx
> or Aim: Evilkind.
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at 
> https://www.hushtools.com/verify
> Version: Hush 2.3
> 
> wkYEARECAAYFAkApIjwACgkQHxPzbxnt5HTNtQCfd6xpi2VasnZ33/6saPNfqyMgukMA
> nj85QSec1HrAe9aYeSMHiOqcI1Zk
> =ORo8
> -----END PGP SIGNATURE-----
> 
> 
> 
> 
> Concerned about your privacy? Follow this link to get
> FREE encrypted email: https://www.hushmail.com/?l=2
> 
> Free, ultra-private instant messaging with Hush Messenger
> https://www.hushmail.com/services.php?subloc=messenger&l=434
> 
> Promote security and make money with the Hushmail Affiliate Program: 
> https://www.hushmail.com/about.php?subloc=affiliate&l=427
> 
> 
>

Prev by Date: Re: Round One: "DLL Proxy" Attack Easily Hijacks SSL from Internet Explorer
Next by Date: RE: Hysterical first technical alert from US-CERT
Previous by thread: RE: Another Low Blow From Microsoft: MBSA Failure!
Next by thread: RE: Another Low Blow From Microsoft: MBSA Failure!
Index(es):
- Date
- Thread