Patch me up, Scotty

For the past two weeks I've described MBSA (Microsoft Baseline Security Analyzer), a free utility, available here, and several competing products.

This week I report on your experiences with the freebie. Next week, we'll see what you can reveal about the alternatives.

One of the most serious concerns about MBSA is that it might open a security hole. Reader Kevin Hobbs points out that Beyond Security, a consulting service, has posted such a criticism.

MBSA writes a list of all the security patches you need into a plain text file at a known location that the user can't change. "This means that active content (executables, scripts, ActiveX, Java, etc) has the ability to generate a list of vulnerabilities or read a previously created list and can then utilise these vulnerabilities to its advantage," the consultants write. (See here for details.)

Microsoft has an official response to this. "It's only when a user chooses to run code from an untrusted source and proceed despite the security warnings provided that this attack could succeed," says Microsoft's Security Response Centre. "While it is true that MBSA stores its information in a known location ... even if the MBSA information were not present on the system, code running as the user would be able to determine the presence or absence of patches simply by consulting the time/date information contained in the publicly available MSSecure XML database."

To be on the safe side, when you run MBSA, print out a copy of the text file and then delete it.

Many other readers ran into problems, not with the security theory of MBSA, but with its behaviour.

"When I ran MBSA it reported that 'Some potentially unnecessary services are installed'," says reader Chuck Davis. "The two services that MBSA had recommended disabling were Remote Access Connection Manager (which sounded like a server process) and Telnet." He carried out the instructions. But when he later tried to dial an ISP, not only would dialling not work, but all his dialling entries were missing and new dial-up connections could not be created. Fortunately, he was able to find an old MBSA report which reminded him what he'd done. Re-enabling the service and rebooting made all his entries reappear and work.
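The episode above is the usual failure mode of following a scanner's "disable this service" advice blindly: the report tells you what to switch off but not what depends on it. The PowerShell below is an added example, not code from the column or from Microsoft; it lists a service's dependency relationships and start mode before any change, and snapshots that state so the change can be reverted the way Chuck Davis eventually did by hand. The service names RasMan (Remote Access Connection Manager) and TlntSvr (Telnet) and the snapshot path under $env:TEMP are assumptions for the illustration.

```powershell
# Added example (not from the column): inspect what a service depends on and
# what depends on it before acting on a hardening recommendation, and record
# the current start mode so the change can be rolled back.
# Assumed service names: 'RasMan' (Remote Access Connection Manager),
# 'TlntSvr' (Telnet). Assumed snapshot path: $env:TEMP\service-state.json.

function Get-ServiceImpact {
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Warning "Service '$n' is not installed on this host"
            continue
        }
        # Win32_Service carries the start mode (Auto/Manual/Disabled) that
        # the ServiceController object does not expose on older hosts.
        $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'"
        [pscustomobject]@{
            Name       = $svc.Name
            Display    = $svc.DisplayName
            Status     = [string]$svc.Status
            StartMode  = $cim.StartMode
            # Services this one needs in order to run.
            DependsOn  = ($svc.ServicesDependedOn | ForEach-Object Name) -join ', '
            # Services that will stop working if this one is disabled
            # (the dial-up breakage in the anecdote lives here).
            DependedBy = ($svc.DependentServices  | ForEach-Object Name) -join ', '
        }
    }
}

function Save-ServiceState {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [string]$Path = "$env:TEMP\service-state.json"
    )
    # Snapshot before changing anything; ConvertTo-Json keeps single objects
    # and arrays alike readable by ConvertFrom-Json below.
    @(Get-ServiceImpact -Name $Name) | ConvertTo-Json | Set-Content -Path $Path
    $Path
}

function Restore-ServiceState {
    param([string]$Path = "$env:TEMP\service-state.json")
    # Win32_Service reports 'Auto'; Set-Service wants 'Automatic'.
    $modeMap = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }
    foreach ($s in @(Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        if ($modeMap.ContainsKey($s.StartMode)) {
            Set-Service -Name $s.Name -StartupType $modeMap[$s.StartMode]
        }
        if ($s.Status -eq 'Running') { Start-Service -Name $s.Name }
    }
}

# Usage, from an elevated prompt:
#   Get-ServiceImpact -Name RasMan, TlntSvr | Format-Table -AutoSize
#   $snapshot = Save-ServiceState -Name RasMan, TlntSvr
#   ... apply the scanner's recommendation, test dial-up / remote access ...
#   Restore-ServiceState -Path $snapshot     # only if something broke
```

Run Get-ServiceImpact first and read the DependedBy column: a non-empty value on a service the scanner wants disabled is the signal to test the dependent feature before, not after, you act on the recommendation. Restore-ServiceState only resets start mode and running state; a service that was deliberately disabled by another tool in the meantime is left for you to reconcile.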

Mark Trotter notes that MBSA wrongly flags as "missing" a few updates that are properly installed, as I reported previously. "What I found more annoying was a warning about the guest log-in within XP Pro," he says. "I had it disabled already, but the Security Advisor seemed to indicate it should be eliminated, which XP Pro wouldn't let me do -- disabled or enabled. I was prevented from even assigning a password to guest."

We'll continue with your comments next week.

Send tips to brian@brianlivingston.com. He regrets that he cannot answer individual questions.
