Flaws in Microsoft Tool Mount

Reports of problems with Microsoft Corp.s vulnerability-scanning tool continued to mount Monday as more and more users say the free program finds phantom vulnerabilities and misses patches that have been applied. The problems do not seem to be isolated to any one version of Windows or any particular brand of computer.

Known as the Microsoft Baseline Security Analyzer, the tool scans various Microsoft products for known vulnerabilities and can also alert the user to missing or misapplied patches and hotfixes. However, some users say the tool is a bit overzealous in its efforts and often reports missing patches minutes after they have been applied.

The MBSA is based on Microsofts HFNetChk command-line tool and is meant to be more user-friendly than its predecessor. However, the usability advances might be pushed aside by the technical problems.

“I installed the security tool on a couple of different Windows 2000 systems and had the exact problem [described above],” said Jerry Jones, of ExcelTech Inc. in McMinnville, Ore. “It was very frustrating to have a tool that worked somewhat. Who knows for sure what is really applied and what isnt on these machines?”

Other users have reported similar problems on machines running Windows XP Professional.

“The reports repeatedly indicate serious security flaws after patches are applied,” said Shannon Brown, an independent Internet technologies architect based in Manheim, Pa. “I was shocked the first time I ran a report to see several missing patches even though HFNetChk did not show these vulnerabilities. Even after reapplying the patches just to be sure, the new tool still reports unnecessary errors.”

MBSA can identify vulnerabilities and missing hotfixes in Windows NT 4.0, Windows 2000, Windows XP, IIS 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer 5.01 and later, and Office 2000 and XP.

A Microsoft spokeswoman said the company is researching the issue but is not aware of any widespread problems with the tool.