1
17th March 20:07
External User
Posts: 1
MBSA does not support either of these patches for patch detection, so SMS will not be able to detect any case except for cases where the Office Detection Engine will identify some of these issues.

Cross-posting to SMS Tools newsgroup for a more exact answer regarding the SMS case and SMS support...

From the MSSECURE.XML Announcement mail sent out yesterday:

a. MS04-027 (WordPerfect Converter) - 884933. This bulletin is not supported for detection in MBSA. See KB306460 for more details on supported products.

b. MS04-028 (GDI+) - 833987. This bulletin will generate a Note message on the applicable platforms indicated in the MS04-028 bulletin. This is critical to understand since even though some operating systems may be affected by having a vulnerable Microsoft product installed on an otherwise unaffected operating system, the only platforms that will show a Note message are the Affected Operating Systems (Windows Server 2003 and Windows XP RTM and SP1) and Affected Components (Internet Explorer 6 SP1) as called out in the MSRC bulletin. See KB306460 for more details on supported products.

--
Doug Neal [MSFT]
dugn@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.

If newsgroup discussion with experts and MVPs is unable to solve a problem to your satisfaction, feel free to contact PSS for the Microsoft Baseline Security Analyzer (MBSA) at the following link:
http://support.microsoft.com/default.aspx?scid=fh;en-us;Prodoffer20a

This e-mail address does not receive e-mail, but is used for newsgroup postings only.
3
17th March 20:07
External User
Posts: 1
Gerry - Your point is well taken. We're doing our best to provide the best detection through MBSA as we work on our next major version which is still quite a way off (no public ETA).

As much as we'd like to avoid it, when MBSA cannot authoritatively and exhaustively indicate the patch status for a particular patch, we're forced to create a Note message. For MS04-028, there are 26 various patches depending on which of 45+ operating systems, IE versions and Microsoft products are present on a machine. As significant as this GDI+ vulnerability is, there was simply no way MBSA could authoritatively cover all possible cases and provide the correct patch status for every case.

As a company, we created the GDI+ Detection tool (available for download and through Windows Update) to help centralize the detection effort across products MBSA doesn't support (see the full list at KB306460).

It's true that MBSA will not be able to detect the patch status except for local scans of Microsoft Office products (6 of the 26 potential affected platforms/products), but we're directing users to the GDI+ Detection tool as a method to identify all cases and apply the appropriate patch separate from the limited guidance MBSA can provide in this case.

The additional technical information in the MSRC bulletin (MS04-028) provides enough detail for the technically minded to create other solutions/use other methods that may be more appropriate for their environment to identify and patch all cases of the vulnerable GDI+ instances.

With a good understanding of the security requirements of our customers, we're working to ensure even better vulnerability assessment in the future.

I hope that helps...

--
Doug Neal [MSFT]
dugn@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.
6
17th March 20:07
External User
Posts: 1
Will the Office scanning tools help? Do they support Visio & Project?

Kim Oppalfens

In article <#awcu$zmEHA.2340@TK2MSFTNGP11.phx.gbl>, dugn@online.microsoft.com says...

--
Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
9
26th March 22:43
External User
Posts: 1
In reply...

Windows XP (RTM and SP1 - not SP2) and Windows Server 2003 are vulnerable by default, but since the vulnerable files can be in various locations, MBSA cannot authoritatively determine the patch status. Instead of reporting a potentially incorrect status, we provide a Note message instead. Although this requires you to manually check the state of the patch, this was deemed better than providing a potentially incorrect patch status result.

MBSA follows the exact guidance as detailed in the MSRC (Microsoft Security Response Center) bulletin for MS04-028. MBSA will generate a Note message for the platforms that MBSA supports (in this case, both the OS versions and the IE versions affected by this issue are supported by MBSA - but the bulk of the remaining applications listed in the bulletin are not). The entries in the XML are to match the MBSA-supported platforms called out in the bulletin.

You may want to post this on the microsoft.public.security newsgroup since I can provide the best answers for MBSA - the detection tool - not necessarily the GDI+ detection tool.

The MBSA tool is static and has already shipped publicly. It isn't possible to add functionality to the tool once it has shipped. Although the XML file is updated with each security release, MBSA cannot add additional scanning methods to the tool without re-releasing it.

--
Doug Neal [MSFT]
dugn@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.