Microsofts Flaw-Finding Tool Has Its Own Flaw

Users claim the new Microsoft Baseline Security Analyzer often reports missing patches even after they've been applied.

Just days after its release, users are reporting a raft of problems with Microsoft Corp.s new vulnerability scanning tool.

Known as the Microsoft Baseline Security Analyzer, the tool scans various Microsoft products for known vulnerabilities and can also alert the user to missing or misapplied patches and hotfixes. However, some users say the tool is a bit overzealous in its efforts and often reports missing patches minutes after they have been applied.

The MBSA is based on Microsofts HFNetChk command-line tool and is meant to be more user-friendly than its predecessor. However, the usability advances might be pushed aside by the technical problems.

"The reports repeatedly indicate serious security flaws after patches are applied," said Shannon Brown, an independent Internet technologies architect based in Manheim, Pa. "I was shocked the first time I ran a report to see several missing patches even though HFNetChk did not show these vulnerabilities. Even after reapplying the patches just to be sure, the new tool still reports unnecessary errors."

MBSA can identify vulnerabilities and missing hotfixes in Windows NT 4.0, Windows 2000, Windows XP, IIS 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer 5.01 and later, and Office 2000 and XP.

Microsoft did not return a call seeking comment.

Related stories:

  • Microsoft Warns of 10 IIS Flaws
  • Microsoft Takes Security Defense
  • Microsoft: Fix Privacy at All Costs
  • Trusting in Microsoft
  • Gates: Security Over Features