Microsoft defends Baseline Security Analyzer tool

Responding to escalating criticism that its new Microsoft Baseline Security Analyzer (MBSA) vulnerability scanning tool is not up to snuff, Microsoft Corp. says users having difficulty with the new software may be misinterpreting the freeware product's findings.

Released last week by the Redmond, Wash.-based software giant, MBSA, a more user-friendly version of HFNetChk built around a new user interface, has come under attack from some users who claim that the tool reports holes that HFNetChk may already have flagged and that have since been corrected.

Although both tools draw their list of fixes from the same XML database of patches and patch attributes, users should be aware that the two differ in how they report notes (an advisory indicating that no patch is present) and warnings, said Steve Lipner, director of security assurance at Microsoft.

“MBSA displays everything it sees, but it attempts to color code to give [a user] an indication of what’s happening, where HFNetChk allows you to suppress some of the warnings,” Lipner said. “[MBSA] warns you there was this [security] bulletin, you ought to have applied it, [Microsoft] ought to remind you. People may be missing that, saying it’s a warning they already got.”

Lipner said hotfixes could also lead users to misread MBSA's output. If a hotfix that did not come directly from a Microsoft security bulletin was applied to close a hole, MBSA will “guess” that the system has been updated since the new patch was released and will still present the end user with its standard warning, he added.

Available as a free download, MBSA is designed to find holes in Microsoft products and to simplify their correction. It works from an XML file hosted on the Web that lists the current security bulletins with their corresponding registry keys and version numbers. Lipner said that once a patch is installed and the system is rescanned immediately afterward, MBSA's vulnerability results should change.

He said the XML file on the Web, used by both MBSA and HFNetChk, is usually updated within hours of Microsoft releasing a new security bulletin.
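As an added illustration (not Microsoft's code, and not the real schema of the XML file the article describes), the following Python models the comparison both tools make: each bulletin maps to a registry key and a file version, and a scanned host is checked against both. The element names, bulletin IDs, registry keys, file names and version numbers are all constructed, and the OK/NOTE/WARNING rules are a simplification of the behaviour Lipner describes (an out-of-band hotfix leaves a newer file but no bulletin key), not the product's exact logic.

```python
"""Simplified model of the patch check MBSA and HFNetChk perform.

Added illustration, not Microsoft's code. Element names, bulletin IDs,
registry keys, file names and versions below are all constructed.
"""
import xml.etree.ElementTree as ET

# Constructed bulletin database: one <Fix> per bulletin naming the registry
# key the patch installer writes and the file version it ships.
BULLETIN_XML = """<?xml version="1.0"?>
<Bulletins>
  <Bulletin id="MSxx-001">
    <Fix regkey="HKLM\\SOFTWARE\\Microsoft\\Updates\\Win2000\\SP3\\Q100001"
         file="example1.dll" version="5.0.2195.4100"/>
  </Bulletin>
  <Bulletin id="MSxx-002">
    <Fix regkey="HKLM\\SOFTWARE\\Microsoft\\Updates\\Win2000\\SP3\\Q100002"
         file="example2.dll" version="5.0.2195.4200"/>
  </Bulletin>
  <Bulletin id="MSxx-003">
    <Fix regkey="HKLM\\SOFTWARE\\Microsoft\\Updates\\Win2000\\SP3\\Q100003"
         file="example3.dll" version="5.0.2195.4300"/>
  </Bulletin>
  <Bulletin id="MSxx-004">
    <Fix regkey="HKLM\\SOFTWARE\\Microsoft\\Updates\\Win2000\\SP3\\Q100004"
         file="example4.dll" version="5.0.2195.4400"/>
  </Bulletin>
</Bulletins>
"""

# Constructed inventory of the scanned host. A real scanner reads these from
# the (remote) registry and from file version resources; here they are literals.
HOST = {
    "regkeys": {
        "HKLM\\SOFTWARE\\Microsoft\\Updates\\Win2000\\SP3\\Q100001",
        "HKLM\\SOFTWARE\\Microsoft\\Updates\\Win2000\\SP3\\Q100004",
    },
    "files": {
        "example1.dll": "5.0.2195.4100",  # bulletin applied normally
        "example2.dll": "5.0.2195.4250",  # newer file, no bulletin key: hotfix
        "example3.dll": "5.0.2195.4000",  # older than the fix: not patched
        "example4.dll": "5.0.2195.4300",  # key written but file still old
    },
}


def parse_version(text):
    """'5.0.2195.4100' -> (5, 0, 2195, 4100) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def parse_bulletins(xml_text):
    """Read the constructed bulletin database into a list of dicts."""
    bulletins = []
    for node in ET.fromstring(xml_text).findall("Bulletin"):
        fix = node.find("Fix")
        bulletins.append({
            "id": node.get("id"),
            "regkey": fix.get("regkey"),
            "file": fix.get("file"),
            "version": parse_version(fix.get("version")),
        })
    return bulletins


def check_host(bulletins, host, suppress=()):
    """Map bulletin ID -> (status, message).

    OK:      key present and file at or beyond the fixed version.
    NOTE:    file at or beyond the fixed version but key absent, which is
             what a hotfix installed outside a bulletin looks like.
    WARNING: patch missing, or key present but the file is still older.
    `suppress` models HFNetChk-style suppression of reviewed bulletins;
    MBSA, per the article, shows everything and colour-codes it.
    """
    findings = {}
    for b in bulletins:
        if b["id"] in suppress:
            continue
        key_present = b["regkey"] in host["regkeys"]
        installed = host["files"].get(b["file"])
        current = installed is not None and parse_version(installed) >= b["version"]
        if key_present and current:
            findings[b["id"]] = ("OK", "patch confirmed")
        elif current:
            findings[b["id"]] = ("NOTE", f"{b['file']} is {installed} but bulletin key absent")
        elif key_present:
            findings[b["id"]] = ("WARNING", f"key present but {b['file']} is {installed}; reinstall")
        else:
            findings[b["id"]] = ("WARNING", f"patch not installed ({b['file']} is {installed})")
    return findings


def summarize(findings):
    """Count findings per status."""
    counts = {"OK": 0, "NOTE": 0, "WARNING": 0}
    for status, _ in findings.values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    results = check_host(parse_bulletins(BULLETIN_XML), HOST)
    for bulletin_id, (status, message) in sorted(results.items()):
        print(f"{status:7} {bulletin_id}: {message}")
    print(summarize(results))
```

The NOTE on MSxx-002 is the situation Lipner describes: the file is newer than the bulletin's fix, so the hole is almost certainly closed, but the scanner cannot tie it to a bulletin and still reports it. Rescanning after the bulletin's own patch is applied turns it into OK, and passing an ID in `suppress` is the HFNetChk-style way of silencing a finding already reviewed.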

The tedious task of keeping watch over the steady stream of Microsoft security bulletins issued to patch holes in Microsoft products has become frustrating for many users, such as Jason Painter, Webmaster of laser developer and optics manufacturer Coherent Inc. in Santa Clara, Calif.

“It’s getting to the point where we need one person to watch Microsoft’s Web site to wait for the latest patch to come out,” said Painter, a customer of security vendor Sanctum whose company runs Windows 95, 2000, and NT systems. “It’s getting ridiculous. I would argue if [Microsoft] spent more time fixing things before worrying about getting it on the shelf, it would make everybody’s job easier.”

In many cases, Microsoft's tarnished security image has hindered its efforts to reassure users about the functionality or merit of new tools, even those designed to pinpoint holes within its own product set, said Pete Lindstrom, a security analyst at Framingham, Mass.-based Hurwitz Group Inc.

“Microsoft has dug themselves a hole. It’s related to their core products, not their utilities, but they’re trying to dig themselves out with their utilities. People are just not going to be satisfied with that,” Lindstrom said. “What people really want is secure development process over their core products. Anything over and above that is just window dressing.”

Unlike HFNetChk, MBSA also checks for common misconfigurations of passwords and account permissions in Windows components, as well as in Microsoft SQL Server and Office products. The tool scans Windows NT, 2000, and XP systems, but can be installed only on 2000 or XP.

Lipner encourages users who find any inconsistencies or faults in MBSA to send feedback to Microsoft at