[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1076467670.4535.27.camel@Stargate>
Date: 10 Feb 2004 21:47:50 -0500
From: Byron Copeland <nodialtone@...cast.net>
To: dotsecure@...hmail.com
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com,
patchmanagement@...tserv.patchmanagement.org
Subject: Re: Another Low Blow From Microsoft: MBSA
Failure!
Thank you! .secure
I have proved in the past myself that some patches were ineffective with
other vulnerabilities to some I USED to work for. Thanks,
-b
On Tue, 2004-02-10 at 13:21, dotsecure@...hmail.com wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Another Low Blow from Microsoft.
>
> Within the last few weeks at our company we have been doing testing to
> find out total number of patched machines we have against the latest
> Messenger Service Vulnerability. After checking few thousand computers
> we have found several hundred were still affected even though patch has
> been applied. We have scanned with Retina, Foundstone and Qualys tools
> which they all showed as VULNERABLE, however when we scanned with Microsoft
> Base Security Analyzer it showed as NOT VULNERABLE. This was at first
> confusing; one would think an assessment tool released by the original
> vendor would actually be accurate. On the flipside it really didnt make
> sense to us why would three different commercial scanners show as vulnerable
> if they are truly patched. So we decided to do the ultimate test. We
> ran messenger service exploit against the machines that MS Base Analyzer
> showed as Not Vulnerable and 3rd party vulnerability scanners that
> showed as Vulnerable. Results were as expected, machines were exploited
> and Microsoft Base Analyzer failed to detect the vulnerable machines
> properly.
>
> We have concluded that, although the patch was installed on these machines,
> the patch management script failed to reboot those few hundred systems,
> therefore these machines were vulnerable until the next successful reboot.
> After a successful reboot all 3rd party tools showed the machines as
> not vulnerable and the exploit tool did not successfully exploit the
> machines. 3rd Party tool assessments were accurate the machines were
> truly vulnerable prior reboot.
>
> Had we trusted Microsoft Base Analyzer we would still be vulnerable.
>
>
> To prove this, I have captured screen shots and converted them in pdf
> format for your viewing pleasure. The screenshots shows exact same scan
> conducted with Foundstone tool and MBSA.
>
> Screenshots: http://www.elusiveworld.com/scanshots.pdf
>
>
> I would love to see if there are any more like us out there who encountered
> this problem. If you had similar problems our recommendation to you do
> not fully depend on MBSA, since the tool is just as buggy as the company
> itself.
>
> Questions comments email me at dotsecure@...hamail.com
> or Aim: Evilkind.
>
>
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.3
>
> wkYEARECAAYFAkApIjwACgkQHxPzbxnt5HTNtQCfd6xpi2VasnZ33/6saPNfqyMgukMA
> nj85QSec1HrAe9aYeSMHiOqcI1Zk
> =ORo8
> -----END PGP SIGNATURE-----
>
>
>
>
> Concerned about your privacy? Follow this link to get
> FREE encrypted email: https://www.hushmail.com/?l=2
>
> Free, ultra-private instant messaging with Hush Messenger
> https://www.hushmail.com/services.php?subloc=messenger&l=434
>
> Promote security and make money with the Hushmail Affiliate Program:
> https://www.hushmail.com/about.php?subloc=affiliate&l=427
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists