Microsoft patch management – missing key items

I noticed this article in eWeek, summarized as “Opinion: Old and insecure third-party applications are the vector in more and more compromised systems. Here are some radical ideas for addressing the problem.”, and I thought: great, people are realizing the security risk of using WSUS as your only patching solution.

Then I read the “radical” (radical in the fingers of the writer only) question it poses, “What if third-party application vendors could design their applications to update through Windows Update?”, and I immediately thought how out of touch the writer is with the industry. A security system that depends on every vendor voluntarily adding its own patches to a third-party system such as WSUS is never going to happen.

There are far too many patches coming from too many vendors to depend on such a system. If even a few vendors do not add their patches, we gain nothing in the way of security, because the bad guys will simply keep looking for the patches that are missing. Instead, the industry needs an active third-party ISV community, like ours and other companies like us. We search out and support patches from vendors, some of which are buried deep in product support sites where they are hard to find; our customers then just push a button and get the patches installed on a regular schedule, much as AV and anti-spyware vendors update signatures frequently. We do not need “radical” ideas; we just need writers to look a little beyond Microsoft and let their readers know they have options that are widely available today.

At least the article makes the point that “That’s why it’s increasingly likely these days that successful attacks happen through old third-party applications with old vulnerabilities in them,” and it's great to see more writers creating awareness of this issue. Now if we can just get them to talk about the solutions available today.

MBSA 1.2.1 is now dead

As of this patch day (November 2007) the agent-less security patch scanner, basically hfnetchk under the name MBSA 1.2.1, is dead, and there is no direct replacement from Microsoft. They do recommend one of our products to help out, but it is not a full solution by itself. MBSA 1.2.1 was the most widely used agent-less patch scanner ever released, and for good reason: it quickly helped people secure networks.

(As a disclosure, or marketing notification, depending on your perspective: Shavlik Technologies continues to provide a state-of-the-art agent-less security patch command-line scanner based on hfnetchk and MBSA 1.2.1; we wrote both of them with and for Microsoft. Be aware that this is the only one available in the security market with current patch support and true agent-less operation. Many vendors use the word agent-less when they actually require agents, or their tools only run locally, meaning they cannot scan networks; possibly a slight failure of truth in advertising, but that is for you to decide. More info is at http://www.shavlik.com/netchk_analyzer.aspx.)

What does this mean? First, you need to stop using MBSA 1.2.1 at once. It is dead: pull it from your scripts and remove it from your tool kits. Use our products or other products, but do not use MBSA 1.2.1. If you go with just the free WSUS, be aware that it does not even support all of Microsoft’s products, much less other products like iTunes, RealPlayer, etc. that have security patches, and WSUS only covers computers that are running the WSUS client (a Windows Update agent pointed at your WSUS server). There is no more agent-less scanning from Microsoft unless you use the product Microsoft recommends to close the gap, which is of course our product. You may be happy knowing WSUS says you are secure, but the bad guys are even happier, because they will use agent-less scanners to find the missing patches on your network. Finding a machine without a WSUS agent is easy to do, and finding one with a WSUS agent that is not doing full patching is also easy to do.

As a short history, we wrote MBSA for Microsoft many years ago now, with a core value of agent-less and deep, full-product scanning, something now missing from Microsoft's free products. Thousands of companies use (or used) MBSA 1.2.1 to secure millions of computers. They did this because agent-less scanners find all the computers on your network and then do deep scans looking for all products, not just a few.

Why do I care so much about an old, somewhat outdated free product? Of course my preference is that people buy our products, and the death of MBSA 1.2.1 helps us there, but for those who do not buy from us, or from someone else, it was nice knowing MBSA 1.2.1 was out there working away. Another concern I have is that no one seems to realize what the death of MBSA 1.2.1 means. Yes, you can buy our products and others, but it also means there is no more free agent-less patch scanner from Microsoft, which was a big reason companies were able to patch and to double-check that they were doing a good job of it. It also may mean people will become less patched and less secure and not know it, because they have no reliable way to double-check things. Worse, they will run MBSA 2.0 and get less information than the old way (MBSA 1.2.1 + MBSA 2.0 + Enterprise Update Scan Tool) gave them.
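For readers who want a way to double-check hosts without installing anything on them, here is an added example, written for this post and not taken from the original page or from any Shavlik tool. It is a small agent-less spot check run from an admin workstation over RPC: for each host it reads the Windows Update policy key through the remote registry (so a box that WSUS will never report on stands out), queries the Windows Update agent service state, and compares a list of KB numbers against Win32_QuickFixEngineering. The host names are placeholders, and the default KB list is the bulletin-level KB numbers quoted further down this post; both are assumptions of the example. Be aware that bulletins frequently ship under product-specific KB numbers, and that Win32_QuickFixEngineering does not list MSI-installed updates (Office, SharePoint, .NET and the like), so a "missing" result is a lead to verify with a real scanner, not proof the host is exposed.

```powershell
# Added example for this post, not code from the original page or any Shavlik tool.
# Agent-less spot check over RPC for each host:
#   1. Is the machine pointed at a WSUS server at all?   (remote registry)
#   2. Is the Windows Update agent service present/running? (WMI Win32_Service)
#   3. Which of a given list of hotfixes are not installed? (WMI Win32_QuickFixEngineering)
# Requires Windows PowerShell (Get-WmiObject; on PowerShell 7 use Get-CimInstance),
# admin rights on the targets, and the Remote Registry service reachable.
#
# Assumptions not taken from the page: host names are placeholders, and the
# default KB list is the bulletin-level KB numbers quoted later in this post.
# Caveat: Win32_QuickFixEngineering omits MSI-installed updates (Office,
# SharePoint, .NET ...), and bulletins ship under product-specific KB numbers,
# so "missing" is a lead to verify, not proof of exposure.

function Get-WsusClientConfig {
    param([string]$ComputerName)
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
    $wuServer = $null; $useWuServer = $null
    $pol = $base.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate')
    if ($pol) {
        $wuServer = $pol.GetValue('WUServer')                     # WSUS URL, if policy is set
        $au = $pol.OpenSubKey('AU')
        if ($au) { $useWuServer = $au.GetValue('UseWUServer') }   # 1 = client actually uses it
    }
    $base.Close()
    New-Object PSObject -Property @{ WUServer = $wuServer; UseWUServer = $useWuServer }
}

function Get-MissingHotfix {
    param([string]$ComputerName, [string[]]$KB)
    $installed = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName -ErrorAction Stop |
                 ForEach-Object { $_.HotFixID }
    # QFE reports IDs as 'KB942017'; accept bare numbers in the input too
    $wanted = $KB | ForEach-Object { if ($_ -like 'KB*') { $_ } else { "KB$_" } }
    $wanted | Where-Object { $installed -notcontains $_ }
}

function Test-PatchState {
    param(
        [string[]]$ComputerName,
        # Bulletin-level KB numbers from the list quoted in this post (assumption: illustrative only)
        [string[]]$KB = @('942017','941202','942099','939778','941522','937986',
                          '938123','936782','936227','931212','935807')
    )
    foreach ($c in $ComputerName) {
        try {
            $wsus    = Get-WsusClientConfig -ComputerName $c
            $missing = @(Get-MissingHotfix -ComputerName $c -KB $KB)
            $svc     = Get-WmiObject -Class Win32_Service -ComputerName $c -Filter "Name='wuauserv'" -ErrorAction Stop
            $agent   = 'absent'
            if ($svc) { $agent = $svc.State }
            $target  = 'NOT SET (WSUS will never report on this box)'
            if ($wsus.WUServer -and $wsus.UseWUServer -eq 1) { $target = $wsus.WUServer }
            New-Object PSObject -Property @{
                Computer = $c; WsusTarget = $target; WUAgent = $agent
                MissingCount = $missing.Count; Missing = ($missing -join ' ')
            }
        } catch {
            # Unreachable hosts are exactly the ones an attacker's scanner will also probe; report them
            New-Object PSObject -Property @{
                Computer = $c; WsusTarget = 'unreachable'; WUAgent = $_.Exception.Message
                MissingCount = -1; Missing = ''
            }
        }
    }
}

# Usage (host names are placeholders):
Test-PatchState -ComputerName 'host1', 'host2' |
    Format-Table Computer, WsusTarget, WUAgent, MissingCount, Missing -AutoSize
```

The useful signal is the combination: a host whose WsusTarget is not set, or whose agent is stopped, is invisible to WSUS reporting regardless of what the console says, and that is the first thing a network-side scanner will turn up.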

MBSA 1.2.1 obituary examples: there are more, these are just two I quickly copied into this post.

(http://www.microsoft.com/technet/security/bulletin/ms07-049.mspx)

MBSA 1.2.1 does not support detection for this security update. The Enterprise Update Scan Tool does (MARK: I do not think this scans beyond the machine it's running on, so beware), and is what customers can use instead of MBSA 1.2.1. For download links and more information about the version of EST that is being released this month, see Microsoft Knowledge Base Article 894193. SMS customers should also see the heading, Systems Management Server, for more information about SMS and EST.

The following table provides the MBSA and EST detection summary for this security update.

Software                                MBSA 1.2.1   EST   MBSA 2.0.1
Microsoft Virtual PC 2004               No           Yes   Yes
Microsoft Virtual Server 2005           No           Yes   Yes
Microsoft Virtual Server 2005 R2        No           Yes   Yes
Microsoft Virtual PC for Mac Version 6.1   No        No    No
Microsoft Virtual PC for Mac Version 7     No        No    No

Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer.

The following table provides the MBSA detection summary (MARK: no MBSA 1.2.1 support) for this security update.

Software                                                                                          MBSA 2.0.1
Windows XP Service Pack 2                                                                         Yes
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2        Yes
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2                         Yes
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2                Yes
Windows Server 2003 with SP1 for Itanium-based systems and Windows Server 2003 with SP2 for Itanium-based systems   Yes

Thanks for the props to Doug Barney

http://redmondmag.com/reports/article.asp?EditorialsID=605

An Almost Patch-Free Patch Tuesday
Last week, a computer luminary (let’s call him Mark Shavlik) asked me over a lunch of chowder and butterfish (we live well here at Redmondmagazine) what was going on with security. I dabbed the cream and clam juice from my beard, which gave me time to think (I was stalling).

I know security is the biggest issue but, like with the 9/11 attackers, we just aren’t afraid anymore. On the Microsoft side, the older products are becoming legacy and have been patched so many times they look like a Three Stooges car tire. The newer products, so far as I can see, are more secure out of the box.

A short sample of what MBSA 1.2.1's death leaves behind

From Eric Schultze (aka Mr. Patch), below is a short list of recent security patches that people still using the now-dead MBSA 1.2.1 cannot detect; we only went back a few patch days. The complete list is much larger, so, as I noted in a blog post an hour or so ago, do not use MBSA 1.2.1 any more.

MS07-061 is the critical patch released today by Microsoft for the URI issue. It is not supported by MBSA 1.2.1 (not supported because the mssecure.xml file is no longer being updated).

Other recent bulletins not supported by MBSA 1.2:

Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site (942017): MS07-059

Security Update for Outlook Express and Windows Mail (941202): MS07-056

Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution (942099): MS07-054

Vulnerability in Windows Services for UNIX Could Allow Elevation of Privilege (939778): MS07-053

Vulnerability in Crystal Reports for Visual Studio Could Allow Remote Code Execution (941522): MS07-052

Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986): MS07-049

Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution (938123): MS07-048

Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782): MS07-047 (for WMP 10 and 11)

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227): MS07-042

Vulnerabilities in .NET Framework Could Allow Remote Code Execution (931212): MS07-040

Vulnerability in Windows Vista Firewall Could Allow Information Disclosure (935807): MS07-038

For Internet Explorer patches, MBSA 1.2 only covers Win2K and XP (not the WS03, Vista, or IE7 flavors of IE).