[<prev] [next>] [day] [month] [year] [list]
Message-ID: <81637804AB36A644BBDE3ED9DD4E73FD96CEE1@hermes.eCompany.gov>
Date: Tue, 10 Feb 2004 16:00:34 -0800
From: "Drew Copley" <dcopley@...e.com>
To: "Joe DeMarco" <demarcoj@...cast.net>, <bugtraq@...urityfocus.com>
Subject: RE: Another Low Blow From Microsoft: MBSA Failure!
> -----Original Message-----
> From: Joe DeMarco [mailto:demarcoj@...cast.net]
> Sent: Tuesday, February 10, 2004 11:27 AM
> To: bugtraq@...urityfocus.com
> Subject: RE: Another Low Blow From Microsoft: MBSA Failure!
>
> Maybe it's just me but, I wouldn't consider a patch
> successfully applied until the machine is rebooted. Registry
> changes usually require this process.
Not all patches require a reboot. This has never been the case with this
system's upgrades.
If the process is inusage, if the dlls and/or executable are in usage --
a reboot is required.
If the process is in some other way locked -- a reboot is required.
Some low level operations may only be performed outside of the OS.
I upgrade software all the time without rebooting. So does anyone else
that uses a lot of software and likes to keep everything up to date. No
way would I reboot because my trillian or ultraedit was just patched --
or my outlook or media player. Not usually, anyway.
>
> -----Original Message-----
> From: dotsecure@...hmail.com [mailto:dotsecure@...hmail.com]
> Sent: Tuesday, February 10, 2004 1:21 PM
> To: full-disclosure@...ts.netsys.com;
> bugtraq@...urityfocus.com;
> patchmanagement@...tserv.patchmanagement.org
> Subject: Another Low Blow From Microsoft: MBSA Failure!
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Another Low Blow from Microsoft.
>
> Within the last few weeks at our company we have been doing testing to
> find out total number of patched machines we have against the latest
> Messenger Service Vulnerability. After checking few thousand computers
> we have found several hundred were still affected even though
> patch has
> been applied. We have scanned with Retina, Foundstone and Qualys tools
> which they all showed as "VULNERABLE", however when we scanned with
> Microsoft Base Security Analyzer it showed as "NOT
> VULNERABLE". This was
> at first confusing; one would think an assessment tool released by the
> original vendor would actually be accurate. On the flipside it really
> didn't make sense to us why would three different commercial scanners
> show as vulnerable if they are truly patched. So we decided to do the
> ultimate test. We ran messenger service exploit against the machines
> that MS Base Analyzer showed as "Not Vulnerable" and 3rd party
> vulnerability scanners that showed as "Vulnerable". Results were as
> expected, machines were exploited and Microsoft Base Analyzer
> failed to
> detect the vulnerable machines properly.
>
> We have concluded that, although the patch was installed on these
> machines, the patch management script failed to reboot those few
> hundred systems, therefore these machines were vulnerable until the
> next successful reboot. After a successful reboot all 3rd party tools
> showed the machines as not vulnerable and the exploit tool did not
> successfully exploit the machines. 3rd Party tool assessments were
> accurate the machines were truly vulnerable prior reboot.
>
> Had we trusted Microsoft Base Analyzer we would still be vulnerable.
>
>
> To prove this, I have captured screen shots and converted them in pdf
> format for your viewing pleasure. The screenshots shows exact
> same scan
> conducted with Foundstone tool and MBSA.
>
> Screenshots: http://www.elusiveworld.com/scanshots.pdf
>
>
> I would love to see if there are any more like us out there who
> encountered this problem. If you had similar problems our
> recommendation
> to you do not fully depend on MBSA, since the tool is just as buggy as
> the company itself.
>
> Questions comments email me at dotsecure@...hamail.com
> or Aim: Evilkind.
>
>
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at
> https://www.hushtools.com/verify
> Version: Hush 2.3
>
> wkYEARECAAYFAkApIjwACgkQHxPzbxnt5HTNtQCfd6xpi2VasnZ33/6saPNfqyMgukMA
> nj85QSec1HrAe9aYeSMHiOqcI1Zk
> =ORo8
> -----END PGP SIGNATURE-----
>
>
>
>
> Concerned about your privacy? Follow this link to get
> FREE encrypted email: https://www.hushmail.com/?l=2
>
> Free, ultra-private instant messaging with Hush Messenger
> https://www.hushmail.com/services.php?subloc=messenger&l=434
>
> Promote security and make money with the Hushmail Affiliate Program:
> https://www.hushmail.com/about.php?subloc=affiliate&l=427
>
>
>
Powered by blists - more mailing lists