Microsoft Tool Scans for Flaws, Missing Patches

Microsoft Corp. on Monday released a free tool designed to scan for vulnerabilities and missing patches in many of its most popular enterprise products, including Windows 2000 and Windows NT and Internet Information Services.

Known as the Microsoft Baseline Security Analyzer, the tool, which can be downloaded at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp, runs on Windows 2000 and XP systems and uses a version of the companys HFNetChk program to look for missing patches and service packs in Windows, IIS and SQL Server. It can also identify vulnerabilities and missing hotfixes in NT 4.0, Windows 2000, XP, IIS 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer 5.01 and later, and Office 2000 and XP.

The release of MBSA is the latest in a series of security-related moves from Microsoft. The Redmond, Wash., company recently has been on a security kick and has set up a separate business unit to handle the development and marketing of security tools and products.

MBSA, which is a free download, is Microsofts attempt to get into a market that has made some other companies quite a bit of money: finding vulnerabilities in Microsoft products. Companies such as Internet Security Systems Inc. and eEye Digital Security Inc. have been very successful at finding and/or fixing vulnerabilities in products such as IIS and Windows.

After it performs a scan, MBSA will generate an XML-based security report for each machine that it scans. The report is then displayed in the tools HTML user interface.

Related stories:

• Microsoft Takes Security Defense
• Microsoft: Fix Privacy at All Costs
• At Microsoft, Security Trumps App Compatibility
• Trusting in Microsoft
• Gates: Security Over Features