
Botnets: Keep computers up to date or else

Getting rooted by a drive-by dropper is fast becoming the predominant method of involuntarily joining a botnet. The simplest way to avoid this is to keep your computers up to date. Easier said than done? Well, it doesn't have to be.

I made mention in my article "Botnets: How to Get Rooted in One Easy Lesson" that most computers become rooted and part of a botnet due to an operating system or application vulnerability that could have been patched, but wasn't. What I didn't expect was to have several current real-world examples to back up my statement.

Case in point: on Thursday, October 23, Microsoft released a critical and atypical out-of-band patch, MS08-067, which repairs a vulnerability in the Server service that could allow remote code execution. Only five days later, exploit code for this vulnerability was publicly released.

67.exe and KernelBot

Several trojan worms exploiting the MS08-067 vulnerability are currently in the wild; one is, ironically, called 67.exe (the dropper), and its bot code is 6767.exe (the rootkit). Experts are already familiar with the botnet, as the new malware is similar to KernelBot, which is mainly used for denial-of-service attacks.

The dropper also installs the eMule peer-to-peer program. If the eMule client is successfully installed, the worm tries to spread across P2P networks by advertising an X-rated movie file, which in reality is the worm code. There aren't any infection statistics yet, but experts are saying it could get significant. You can keep track at this Arbor Networks activity Web page.

My second example is a hot-off-the-press article by Robert Vamosi of CNET, "Security Expert Talks Russian Gangs, Botnets." It is another example of a drive-by dropper exploit, but with some very insidious implications. This article is a must-read for everyone, because it discusses a real-life example of how a person's financial information was stolen and used to transfer a great deal of money to a foreign bank. Please take the time to watch the videos; it's that important. It certainly reaffirms my commitment to provide as much information about rootkits and botnets as I can.

Who's vulnerable?

These exploits are just two of the most current examples of how easily botnets can form by leveraging unpatched vulnerabilities. Why is it so hard to keep everything up to date? It usually isn't for SMB and enterprise networks. They are mothered by system administrators and typically have automated systems in place that roll out the patches when everyone is sure the patches won't break anything.

Most individuals with home or SOHO computer networks don't have dedicated IT personnel, the time, or inclination to keep computers current on every operating system or application update. This is a real problem as evidenced by the number of home or SOHO computers that belong to botnets.

Why focus on Microsoft?

I, like many other individuals and business entities, use Microsoft operating systems/applications for a variety of reasons. It's this popularity that makes Microsoft products a target-rich environment for bot-creating drive-by dropper attacks. To recap, there are a lot of Microsoft-based operating systems associated with home and SOHO networks that aren't getting the required updates.

Vulnerability analyzers

To help in this regard, I'd like to discuss two vulnerability analyzers that are specifically formulated to keep Microsoft operating systems and applications up to date. The programs I want to talk about aren't new, but still very much underused. In that regard, I'm hopeful the information in this article may help change that trend.

Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) is a very simple and thorough way to make sure any MS-based computer is up to date and configured according to Microsoft best practices. This distinction is important, because many people get confused as to why MBSA is needed. Doesn't Microsoft or Windows Update do the same thing? According to Microsoft:

"Microsoft Baseline Security Analyzer (MBSA) is an easy to use tool that helps small and medium businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common administrative vulnerabilities and missing security updates on your computer systems."

So it does more than just make sure the computer being scanned has all the latest updates, and that's important, especially to those who aren't totally up to speed with current best practices. The following diagram is a screenshot from MBSA showing the options MBSA is capable of checking:

[Screenshot mbsa1.JPG: the checks MBSA can perform]

My suggestion is to run MBSA after Microsoft's second-Tuesday-of-the-month update or after any MS-mandated configuration change. The following diagram depicts typical scan results:

[Screenshot mbsa2.JPG: typical MBSA scan results]

Notice the severe risk flag? If I had included the entire report, you would have seen that the severe risk flag was set because the Windows Firewall was disabled. I also wanted to mention that MBSA is capable of scanning more than one computer. All that's required is to key in the domain name or subnet range.
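The schedule suggested above (scan after the second-Tuesday update) is easy to turn into an automated check. The Python below is an added example, not code from the article or from Microsoft, and it assumes one thing: that you keep a record of when the last MBSA scan ran and can pass that in as a `date`. It computes the second Tuesday of a month, finds the most recent one on or before today (rolling back into the previous month, or into December of the previous year), and reports whether a scan is overdue. One caveat the article itself illustrates: MS08-067 shipped out-of-band on a Thursday, so a calendar-based check is a floor, not a ceiling; it does not see out-of-band releases.

```python
from datetime import date, timedelta
from typing import Optional

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month, Microsoft's regular update day."""
    first = date(year, month, 1)
    # Days forward from the 1st to the first Tuesday (0 when the 1st is a Tuesday).
    offset = (TUESDAY - first.weekday()) % 7
    first_tuesday = first + timedelta(days=offset)
    return first_tuesday + timedelta(days=7)


def latest_patch_tuesday(today: date) -> date:
    """Most recent Patch Tuesday on or before `today`.

    Early in the month, before this month's second Tuesday, the relevant
    release is the previous month's; January rolls back to December of
    the previous year.
    """
    this_month = patch_tuesday(today.year, today.month)
    if this_month <= today:
        return this_month
    if today.month == 1:
        return patch_tuesday(today.year - 1, 12)
    return patch_tuesday(today.year, today.month - 1)


def scan_is_due(last_scan: Optional[date], today: date) -> bool:
    """True when no scan has run since the most recent Patch Tuesday.

    `last_scan` is assumed to come from your own record of the last MBSA
    run (None if there has never been one).
    """
    if last_scan is None:
        return True
    return last_scan < latest_patch_tuesday(today)


if __name__ == "__main__":
    # Constructed example: dates around the October 2008 release cycle discussed above.
    today = date(2008, 10, 28)
    for last in (None, date(2008, 10, 10), date(2008, 10, 15)):
        print(f"last scan {last}: scan due = {scan_is_due(last, today)}")
```

Run it as a scheduled job each morning and let it launch MBSA only when `scan_is_due` returns True; the out-of-band case still needs a separate trigger, such as a subscription to Microsoft's security bulletin notifications.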

Secunia Vulnerability Scanners

Scanner applications developed by Secunia are the ideal complement to MBSA. MBSA deals almost exclusively with operating systems, whereas Secunia inspects Microsoft applications as well as over 7,000 third-party programs. Depending on your needs, Secunia offers several scanner options as well as what Secunia calls Vulnerability Intelligence on their Web site. As an example, I've included the following diagram depicting the scan tab from the PSI scanner application:

[Screenshot secunia1.JPG: the Scan tab of the Secunia PSI application]

The next diagram depicts the results of a scan that flagged some problems with third-party applications. It just so happens that there is an older version of WinZip on the scanned computer; Secunia PSI detected it and also pointed out two other end-of-life applications:

[Screenshot secunia2.JPG: Secunia PSI scan results flagging third-party applications]
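What the scan above does, checking each installed program against a feed of secure versions and end-of-life flags, is straightforward to sketch. The Python below is an added example, not Secunia's code or data: the inventory and the advisory feed are constructed sample values (the version numbers are invented, not real advisories), and the product names are placeholders apart from WinZip, which the article mentions. The point it shows that the text does not: versions have to be compared numerically, field by field; compared as strings, 8.1.2 ranks above 8.1.10 and a needed update is missed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    """One entry of a (constructed) vulnerability-intelligence feed."""
    product: str
    fixed_in: Optional[str]      # lowest version without known issues; None if no fix exists
    end_of_life: bool = False    # vendor no longer ships fixes at all


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.1.10' (or '11.2 SR-1') into a tuple of ints for numeric comparison.

    Tuples compare element by element, so (8, 1, 2) < (8, 1, 10), unlike the
    strings '8.1.2' and '8.1.10'. Non-numeric fragments are ignored.
    """
    return tuple(int(n) for n in re.findall(r"\d+", text))


def assess(installed: Dict[str, str], feed: List[Advisory]) -> Dict[str, str]:
    """Classify each installed program as Patched, Insecure, End-of-Life or Unknown."""
    by_product = {a.product.lower(): a for a in feed}
    verdicts: Dict[str, str] = {}
    for name, version in installed.items():
        advisory = by_product.get(name.lower())
        if advisory is None:
            verdicts[name] = "Unknown"        # feed has no data; not the same as safe
        elif advisory.end_of_life:
            verdicts[name] = "End-of-Life"    # no fix will come; remove or replace it
        elif advisory.fixed_in is None:
            verdicts[name] = "Insecure"       # known issue, no fixed build yet
        elif parse_version(version) < parse_version(advisory.fixed_in):
            verdicts[name] = "Insecure"
        else:
            verdicts[name] = "Patched"
    return verdicts


# Constructed sample data: placeholder product names (WinZip aside) and invented version numbers.
INSTALLED = {
    "WinZip": "9.0",
    "PDF Viewer": "8.1.2",
    "Web Browser": "3.0.3",
    "Legacy Tool": "2.1",
    "Mystery App": "1.0",
}
FEED = [
    Advisory("WinZip", "11.2"),
    Advisory("PDF Viewer", "8.1.10"),
    Advisory("Web Browser", "3.0.3"),
    Advisory("Legacy Tool", None, end_of_life=True),
]


if __name__ == "__main__":
    for product, verdict in sorted(assess(INSTALLED, FEED).items()):
        print(f"{product:<12} {INSTALLED[product]:<8} {verdict}")
```

"Unknown" is reported separately from "Patched" on purpose: a program the feed does not cover has not been checked, and treating it as safe is exactly the blind spot a scanner is meant to remove.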

I normally try to remain neutral about vendor applications, but I must admit that I'd be in a very difficult place without the NSI and PSI scanners by Secunia. I also wanted to mention that TechRepublic writer Tom Olzak has written an in-depth article, "Free Security Tools: Secunia Personal Software Inspector," about the Secunia PSI scanner.

Is this really necessary?

I say yes, emphatically. While doing research for this rootkit/botnet series, I've had the good fortune to converse with several world-renowned experts. Guess what they say? Exactly: the primary reason a computer becomes rooted or part of a botnet is an unpatched existing vulnerability on that computer.

Final thoughts

I initially asked the members what concerned them the most about rootkits and botnets. Not surprisingly, the responses focused on methods of prevention. The only problem is that there isn't a sure-fire answer, but keeping your computers up to date will really help.



141 comments
Jacky Howe

It is here when I use a Linux box. Looks like IE problems again. Weird! < edit can't spell >

Michael Jay

keeping me busy last night and this morning, had quite a bunch of holes in my system that I had not even been thinking about. One gets rather complacent working in a corporate environment where everything is patched automatically and then forgets at home to be more diligent about security issues. Thanks for reminding me.

Dumphrey

but I think I may have to set up a monthly reminder in Outlook. I love Secunia as well, and wish management could see the need to spend the $$ on NIS. My biggest complaint about MBSA is the lack of an auto update. It's nice you get a "clean" install each month, but it should automate the download of the new version, not just give you a link to the page. Just my 2 cents.

d_g_l_s

Tried to go to the Arbor Networks link and noticed it was http://http//atlas.arbor.net/vuln/CVE-2008-4250 which led to erroneous page location. Thanks again for keeping on top of these security issues. I'm to do a presentation at a small business luncheon (network group) on Tuesday and plan to give some practical guidance on security.

Michael Kassner

The number one reason for becoming part of a botnet is having a vulnerability exploited. MBSA and Secunia scanners go a long way to prevent that and are easy to use. What are your experiences with them? Are there any other similar programs available?

Michael Jay

Just tried IE7, don't usually use it and it does what you say. IE7 issue for sure.

Michael Kassner

Would you have a chance to run MBSA and PSI at work? I'd like to see what it found. Also, what patching application do you use? I use WSUS at most clients and it's coordinated with MBSA.

boxfiddler

One reason I hate auto updating. It reinforces a tendency to procrastinate. I use a little program called 'Stickies' to pop an electronic post-it up once a week to remind me. When I'm bad, I close it without doing what it reminds me to do. tsk, tsk. etu

The Scummy One

that's my excuse too :D As noted earlier, I sometimes get amazed at how lazy I can get with things like this.

Michael Kassner

Thank you for pointing that out. I simply goofed on the link. Dahh. I forgot to mention good luck on the talk. If I can be of any help, please let me know.

seanferd

Very good article, I think. I've tried Secunia's product before, but not MBSA. I generally don't use things like this as I only update manually, but I do so regularly. I am less inclined to try MBSA, as I don't know if there is anything it might change automatically. I don't want to have to replace any files which I've hacked to change resources any more than I have to, for a dumb example.

Jacky Howe

there seems to be a problem for me with your original link. There is nowhere to post to it in my view that is displayed. I thought that MBSA was only for a file server. I have just downloaded both and will be having a play with them. Thank you for the information and the links. Rob

-Q-240248

Close all unused ports and services. Allow nothing to enter unless you specifically requested it. I have never been owned by anything and I have no AV or Anti-spyware.

The Scummy One

as I don't want to run cr@p at home if I don't have to. For starters, MS didn't make it as easy as it could have been to even get it. 8 download options that would be cryptic for the masses. If this was truly for people to help harden their system(s), it could have been done better. After download though, it seems to work pretty well. So far the util itself was easy to figure out. My first scan is well on its way right now. Wow -- our patch management system isn't as good as I thought at work. I know I am always being hounded to install or update stuff here. After running this, it states I am missing lots of critical patches for Office 07. None are marked as not to install from administrators standpoint. hmmm, most other items show well, but I wish there was a rating system in it. honestly, I think MS could have done a better job with it, and it should be in auto-updates and sent to the masses. But that is my opinion.

d_g_l_s

and love it. Have noticed, though, that it keeps catching my cached programs that I store for test and sharing purposes on another drive (non-installed programs). But then again this is also a good thing as it helps me keep those programs up-to-date so I'm not caught flat-footed with clients. Good to share such experiences as it makes one think carefully and the consequences of where one is going and where actions or inaction can take one.

The Scummy One

and since I have a few issues already with the system. I used PC Doctor, CCleaner, Ad-Aware/Spybot, and checked my AV scan logs. pretty clean system already. CCleaner found the most cr@p, however it appeared mostly insignificant (I run it weekly anyway). Ad-Aware found a whopping 22 tracking cookies, Spybot found nothing. AV logs looked good. AVG runs all the time, and performs a full scan 2x a week. AVG runs a full scan every week. PC Doctor is a HW and driver utility, but everything on the system board and HDD's pass well. I hadn't run it in a few months, so I also decided it was time for a new recovery cd -- cleanup time -- don't y'all love it? ran rootkit revealer last week, so not worried there. removed half a dozen programs that I haven't used in a while -- if I need them again, I can get newer versions. And ran the Secunia 2 times, to make sure it was all clear after updates. More to do, but well into a good start.

Jacky Howe

as I have tried it on a couple of PC's. I might update to IE8 and see if it will make a difference. Thanks for that bit of info. < add a bit >

Photogenic Memory

Thanks again Michael! I'm thinking of maybe writing some articles myself for TR. You're an inspiration. Thank you.

Michael Jay

in the actual patching infrastructure, but they use Tivoli, WSUS and one other that escapes me right now, when I get back in the office I will check out MBSA and PSI.

Michael Kassner

I've quizzed both developers about the possibility of a scheduler and haven't heard back yet. Secunia seems to feel that it's important to leave the application running constantly, but I'm not a fan of that.

The Scummy One

it pissed me off after a few weeks and I uninstalled it. Nothing like telling me to do something when I am a hunting targets to shoot or dodging being shot.....

Michael Jay

the plumber and see his sink dripping..

Michael Kassner

I use it more for configuration information than anything as Secunia gets the rest. It just helps to know what MS would like to see for certain setups.

Jacky Howe

The actual article is readable but there are no comments whatsoever and no facility to post a comment. I ran Linux from a CD and it was all there. I also tried updating from IE7 to IE8 but it didn't make a difference. Michael Jay and Scummy have also noticed the problem. I do seem to remember the site previously having problems with IE but I thought that it had been fixed. I had better keep my copy of DamnSmallLinux handy.

Michael Kassner

Hello, Jacky. Can you explain what's wrong, please? Is it the MBSA link? Just let me know and I'll try to fix it.

Michael Kassner

How would you help someone with less knowledge than yourself to keep from losing personal information? Also, some HTML rootkit droppers could conceivably get past your defenses.

jon

What are people using to keep their patch levels up to date? We have WSUS here at work, but are not allowed to use it on the servers (stupid change management system) and when people see the "install updates and shutdown" option, they just power the machines off.

rbees

"For starters, MS didn't make it as easy as it could have been to even get it. 8 download options that would be cryptic for the masses."

I tried to download it on my Linux box as I am making a cd with all the security apps I use. The MS website doesn't play nice with Opera on Linux. Can't hardly scroll and lots of page-not-found errors. The website even managed to corrupt the browser somehow and force me to restart it. I guess MS really doesn't like any non-MS programs, and it sure seems they really hate Linux. I have noticed this before when I tried to run auto-update from a non-MS browser.

d_g_l_s

by everyone on this forum? Is MBSA or Secunia better? Or are they each stronger in one/two specific areas according to what you see? I'm currently using only Secunia and am finding it at least prompts me to keep on top of my security and updates. I still make all the decisions as I think it best to outthink the machine. It does provide me with some unique scenarios of where one could be weak and not watching it! Michael, is there a way to set up a simple rating system for us to select options and weaknesses of the two programs? Maybe this would not be a good approach but I'm asking as a way to provoke thought and possible ideas and some actions which would help us all.

The Scummy One

MBSA tells me I have some accounts with weak passwords. There are 3 of them. 2 are disabled system accounts, one has a 12 character alphanumeric password that stands up to the company policy (and I wouldn't say it would be near the top of the list for guessing).

Michael Kassner

Do you leave the Secunia scanner enabled at all times? I was just curious, it seems a bit too noisy for my taste. Also do you use MBSA?

santeewelding

Revert to semaphore. Or, give them nothing to start with.

Michael Kassner

Do you use either of the scanners? How do you like them if you do? Have you ever seen any discrepancy between the two when they were dealing with specific Microsoft applications? Sorry for all the questions. I'm deep into research and would love to hear your thoughts.

Michael Kassner

Learning what you thought about it as I value your opinion. I wish it had a scheduler as I don't like to leave it on all the time.

Michael Kassner

My editor Selena Frye is an HTML wizard and got it fixed.

Michael Jay

It seems that the problem is resolved, this blog now works correctly in IE7.

Jacky Howe

I don't use the indexing service as it wouldn't work properly anyway. I used to have enough problems without it. The search seems OK now but I doubt if I will use the indexing service as I have no problems finding my material when I remember the keyword.

The Scummy One

I can see the usefulness of the search, except I needed to find something quickly and everything was changed and screwed up. Not only that, I need to index everything. Woulda been nice to KNOW that it was going to change AND that I have to manually index everything for it to work. The system has spent much idle time for more than 2 days since the updates, and it didn't index a damned thing. But the real problem here is it was a CRITICAL UPDATE that caused this, however it is just a search makeover, and the old search is still there, just buried deeper (again). I personally don't view this as something that would/should be considered a CRITICAL UPDATE.

Jacky Howe

The XP search feature seems to have improved with SP3 for me. The buttons actually seem to respond now. XP will be around for a long time yet I feel.

Michael Kassner

I always check my articles in both FF and IE, but I guess I never thought about looking at the comment section. I will from now on. Thank you again, and I've emailed my editor about the issue.

The Scummy One

What is up with the new search for XP? I didn't even install SP3, and my search box is all screwed up!!! Now to get to the search I want I have to do an extra click to get to 'search companion'. What critical update caused a new search, and still kept the old, but made it harder to use??? Must be MS trying to piss everyone off about XP, so that they will move to Vista. heck, I think I'd rather trash the system first!

Michael Kassner

I was wondering why the comments count has slowed way down. I appreciate the heads up as well as your other comments on the forum. I was curious, is the thumbs up working? I can't tell from my browsers.

Jacky Howe

That has to prove that it is a site problem. Douggie will be busy Monday. :D

Jacky Howe

on a few but for me this is the only article.

Jacky Howe

for me. Somehow I got the idea that you went over all the way. Sorry I can't contribute to your question because what I know about Linux wouldn't fill a postage stamp. I have been meaning to get my head into it but I just haven't got around to it yet. I don't even know anyone that uses it and I have never been asked to look at a Linux PC. I do have a lot of documentation for it though. :D

Michael Kassner

Is it just this article or are other articles the same way?

Michael Kassner

Do you get any comments at all? I just lost the comments in IE 6 now. Come on, I need the comments, it's my fix.

Jacky Howe

as you may be missing out on comments. It's funny that IE6 is still OK though.

The Scummy One

at home, my main is XP Media Center. At work, I do about 1/2 XP Pro, 1/4 Linux, 1/4 Vista. At work 2 Linux boxes died recently, and at home my Linux box died and I haven't replaced the HDD in it yet. I have an open question on a PCLOS system at work, before I rebuild it. However with the link provided recently, I am thinking of just switching to PCLOS08.

Michael Kassner

It works on my IE 6 machine, but none of the comments show up on IE7 on my normal computer. I'll pass the information along. I surely don't want to miss anyone's comments, good, bad or indifferent.

Jacky Howe

I think that something is broken. I thought that you were only using Linux these days. My old PC's are falling over that fast that I can't keep up. To use Linux to test with I downloaded DamnSmallLinux. It takes a little while to boot up but I can see it being a handy utility at only 50MB. I could have used PCLinux but I wanted to have a look at DamnSmallLinux anyway.

The Scummy One

I didn't realize it was an IE7 thing. I thought it was more random or something. I have had this problem on some (not all) new articles/blogs.

The Scummy One

even though my name ain't Michael. You are just one of 'the rest of dem' :^0

boxfiddler

We're all freaking nuts. Some just expend incredible amounts of time and energy building masks. Scummy, I guess you can start your head count with me! Cracked, and happy to be so. B-)

Michael Jay

If you are named Michael, you are nuts.

Michael Jay

it was me, but I am not there yet.. Just kinda warped..

Michael Kassner

Oh by the way did you figure out which Michael Santee was referring to? Don't tell him but I'm half way there already.

Michael Jay

they do a real good job, no infections for quite some time. And we always get lists for any units that failed to update or have unapproved software on board. I will let you know.

Michael Kassner

I'm trying to get a feel as to how well corporate networks are doing in keeping up to date.

Michael Kassner

I'm an old fart, yet I try really hard to stay young and fresh. Which means not set in my ways. I've been in IT for over 30 years and I doubt that I could have done that without having the attitude that I do. That was a long way around to explain why I like Vista or anything new. Yet I have to fight that predisposition as it normally doesn't jive with business sense.

Jacky Howe

with it. It is easy to install. Navigation is a bit different to XP but basically I like it and I am sure that it will be improved in time. It has the best Help available for an M$ OS as yet. We have to learn it to be able to support it and I must admit that I am enjoying the learning curve.

Michael Kassner

How do you like Vista? I'm getting used to it and if MS is going to use it as a basis for the next OS, I'm all for that as long as they have choices that make sense. Kind of like Windows Server, I really like that format, simple and intuitive. I'd better be careful here, I might get into trouble with comments like that.

Jacky Howe

One of the features of Vista will allow me to have additional clocks that I have setup. I get into strife if I am not using that PC. Yep there is not much sense presenting a good article and no-one can comment on it. You have probably already missed a few hits. Have a good weekend Michael. Rob

Michael Kassner

I am seeing the same thing. I'm glad that you mentioned it, thank you. I'll try and notify someone on Monday. Funny, I was just trying to figure out the time zones. I didn't realize that there were 16-17 hours difference.

Michael Kassner

You are sure the actual article is readable and you can't see the comment box at the very bottom of the comments. Because that's the only time I see the comment box.

Michael Kassner

I see the box for doing so after the comment section when the original article is open on my browsers. That's the only time the box is available as far as I know.

Jacky Howe

5 posts to the original. Something isn't linked properly by the looks of it. ?:|

Jacky Howe

I can't post to the original as there is no provision at the bottom to reply to it. You and a few others seem to be able to but not for me. I click on read the Original Item and when I get to the bottom where you normally post a reply it ends with this. Michael Kassner has been involved with communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer for Orange Business Services and consultant with MKassner Net. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP. Need help keeping systems connected and running at high efficiency? Delivered Monday and Wednesday, TechRepublic's Network Administrator newsletter has the tips and tricks you need to better configure, support, and optimize your network. Automatically sign up today!

Michael Kassner

WSUS is a good approach and seems to work quite well. I also understand why they do that with the servers. Typically you want rebooting the servers under tight control and not randomly when the update is completed. This is especially important for domain controllers; sometimes if they both go down at the same time all the other servers have issues.

seanferd

Some pages on MS servers work just fine on other browsers and OS, some will not display. I've even seen pages finish loading, display content for half a second, then get a message that IE must be used or that Windows is required. Some of these pages don't even have anything to do with downloads or scans.

rbees

I didn't figure it was a big deal as I use Lenny almost exclusively. I was just annoyed that I couldn't download the app to my laptop where all the others were. And it confirms why I don't use MS. I will try to remember the next time I happen across one of their sites that does that to contact them, didn't realize I could. Should contact Opera too so that they know, maybe they have a fix. Thanks

Michael Kassner

I'd be curious to learn what MS would say in this regard. The MS update site has the option to ask questions.

rbees

It is true that I am running a testing distro but most of the time everything works correctly. And I do have browser issues from time to time requiring a restart of the browser. But every time, no exceptions, I go to the site that hosts the MS files the browser works correctly when I first get there then after scrolling down a little ways somehow it stops responding. The browser acts like a system does when the cpu is running at 98% but the system is running under normal load; it is only the browser that acts that way. I can scroll down 6 or 8 lines then there is what seems to be a wait-state that has been introduced then it will scroll again. One time when I had to restart the browser (Opera) I got an error message that there was a failure to load the plugins, or something to that effect, I clicked ok and it reloaded ok. So it may be that the site is calling some plugins that only exist in MS browsers or something. I only know that visiting an MS site with my Linux based system always seems to bring on problems. Like you said MS doesn't play nice with anything they don't own or control.

Michael Kassner

I guess I consider MBSA and Secunia scanners as just a piece of the puzzle. Due diligence is still far better than relying on any application. Also, I still feel that even though not perfect, both scanners are better than the alternative.

santeewelding

That's why I've held off incorporating it -- browser choices, network factors, etc; the things you guys are mentioning. Now, though, I have my teeny-tiny collection of two systems networked, talking to one another, even -- ahem -- sharing things. I believe I'll risk and try it. Risk includes face. Doesn't take much in all this to lose what little face I have.

The Scummy One

I mentioned the download options for the masses hassle previously. If you aren't techie, it can be confusing. As for playing nice with Linux, yeah, right! Since when does MS play nice with competition :^0 I believe you need IE to use Windows Update, but I may be wrong. It used to give an error if in another browser. But if going to the downloads it would work. As for causing the browser to crash -- I would be suspect that it was purposeful. Likely it was not, and just an error on your browser. If you did the same thing and it didn't crash, I doubt it was meant. It appears the utility is for sysadmins. As it doesn't play well without a domain either. Personally, I think that it should be cleaned up a bit and put out for everyone, however MS wants 'everyone' to use auto-updates -- which is likely why this was not put out for everyone.

Michael Kassner

It appears that MS checks the OS of the computer making the request and as you concluded they don't like non-MS products downloading their applications.

Michael Jay

they were office patches, Windows update does not do office. Silly me, boy is my face red.

Michael Jay

I even rebooted the PC and Windows update still did not find these patches, loaded them thru MBSA. Perhaps the update site does not have the scan ability of MBSA.

The Scummy One

That is why when updating, after I finish, I restart the updater.

Michael Kassner

It's happened to me with just update. I ran update right after finishing an update and it found more. I wonder if it's because the second patches require the first ones to be in place.

Michael Jay

rebuild of Windows XP, after hitting the Microsoft update site and downloading what seemed like a billion updates I thought I was done. Loaded MBSA and it pointed me to 10 missed patches, helpful yes. But what's up with the update site if it misses patches?

The Scummy One

I think you underestimate your opinion. There are many peers here that I value their opinion, including Neon and yourself.

The Scummy One

What I did not realize, is that it found some Office updates that I missed, and that Secunia did not mention. So, yes, it is an addition to keep around. Also, at home, since it was not part of a domain, several things were disabled, however there was at least 1 that I thought should not have been. And, it stated that I had more than 1 administrator account, and I passed the PW check, however there is NO PASSWORD on one account :^0 For the patches I think it is fine, for some of the other checked areas, I had issues with it. In one area it told me I had a problem, and how to fix it, however when I tried I was told the feature was only available if joined to a domain??? the program seems a bit inconsistent, but what was I expecting. As a patch finder, I will keep it. The rest of it seems to be -- well -- junk actually.

Michael Kassner

Thank you, it's important to hear from you. I have my opinion, but that means very little in the grand scheme of things, it's members like you that count.

Neon Samurai

I installed it after the discussion (here or another forum?) the other day. A run-from-USB version would be great to take around the office or run off a network share.

Michael Kassner

I was curious if you have been able to install MBSA and what you thought about it?

The Scummy One

Installing it @ home now, on my cleanup and fix week.

Michael Kassner

I guess my thoughts are that they are complementary. I personally don't use one exclusively. The MBSA is MS talking, and in my world they know MS products. Secunia is vendor-neutral, which makes them unique as well. I just would strongly suggest using both, kind of like doubling up on AV programs. Does that make sense?

The Scummy One

is Secunia does more than just Windows, but only informs of patches. MBSA tells only about MS patches and covers other system vulnerabilities. I would suggest downloading it and trying it. I don't see that I would need to run it nearly as often as Secunia; however, it can't be bad to run. Oh, I didn't mention, I like Secunia's layout better, along with the rating system.

d_g_l_s

Wow, I thought better of that system but one can never be too sure! Since I teach how to create and maintain security to my clients I am appalled that they let this one slip - a two-letter password! I'll be sharing this with my network lunch on the upcoming Tuesday where I present on security :)

The Scummy One

but I still have to make fun of it a little :D I didn't see anything really wrong with Secunia; however, I only used it 2x now. And yes, you brought the apps some light, and they are in my toolbox now for further use (well, soon to be for the MS one).

Michael Jay

I hope you are talking about the other Michael.

santeewelding

I think you would make a very formidable bad guy. Add insane, and there would be no keeping track of you!

Michael Jay

do a better job of finding vulnerabilities than myself is well worth the price of admission, and free is not bad.

Michael Kassner

I guess I consider it a success when I get people complaining about an application, as that means they are looking at it. MBSA and Secunia are not perfect, far from it. I guess the way I look at it is: are they better at it than I am? I also noticed that about the password tester; I really don't even use that. I'm more concerned about best practices, as that's where the bad guys like to play.

Michael Jay

Sorry, actually it did find some leaky spots, or reported same, and updating the software has shown those weaknesses now closed. But you never know, there is someone out there figuring another way into your system.

The Scummy One

yeah, I trust this utility already. Making me feel all warm and fuzzy knowing that I am protected :^0

Michael Jay

My wife uses a 2-letter password and MBSA tells me it is a strong password. Go figure.

Michael Kassner

I run MBSA and Secunia PSI after installing the second Tuesday of the month patches. That way I don't have to really remember much, after awhile it becomes intuitive.
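The routine described above (scan with MBSA after the second-Tuesday patches) can be automated so nothing has to be remembered. The following PowerShell is an added example, not code from the thread or from Microsoft: it computes Patch Tuesday (the second Tuesday of the month), registers a weekly Wednesday task, and the task's wrapper script runs the scan only when yesterday was Patch Tuesday. It assumes Windows 8/Server 2012 or later (the ScheduledTasks cmdlets), MBSA 2.x with its `mbsacli.exe /xmlout` switch, and an assumed default install path and report directory; both paths are parameters you should adjust.

```powershell
# Added example (not from the thread): run a post-Patch-Tuesday MBSA scan automatically.
# Patch Tuesday is the second Tuesday of the month. The day after it is not always the
# second Wednesday (e.g. a month starting on Wednesday puts it on the third), so the task
# fires every Wednesday and the wrapper decides whether yesterday was Patch Tuesday.
# Assumes Windows 8/Server 2012+ and MBSA 2.x at the path below (assumed default).

function Get-PatchTuesday {
    param([int]$Year = (Get-Date).Year, [int]$Month = (Get-Date).Month)
    $first = [datetime]::new($Year, $Month, 1)
    # Days from the 1st to the first Tuesday, then one more week for the second.
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    $first.AddDays($offset + 7)
}

function Test-DayAfterPatchTuesday {
    param([datetime]$Date = (Get-Date))
    (Get-PatchTuesday -Year $Date.Year -Month $Date.Month).AddDays(1) -eq $Date.Date
}

function Register-PostPatchScan {
    param(
        # Assumed default MBSA 2.x location; adjust for your install.
        [string]$MbsaCli   = 'C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe',
        [string]$ReportDir = 'C:\SecurityReports'
    )
    if (-not (Test-Path $ReportDir)) { New-Item -ItemType Directory -Path $ReportDir | Out-Null }

    # Wrapper the task runs: exits quietly unless today is the day after Patch Tuesday.
    $wrapper = Join-Path $ReportDir 'Run-PostPatchScan.ps1'
    @"
`$today  = (Get-Date).Date
`$first  = [datetime]::new(`$today.Year, `$today.Month, 1)
`$offset = ([int][DayOfWeek]::Tuesday - [int]`$first.DayOfWeek + 7) % 7
if (`$first.AddDays(`$offset + 8) -ne `$today) { exit 0 }
# mbsacli /xmlout writes the scan result as XML to stdout; keep one report per month.
& '$MbsaCli' /xmlout | Out-File -FilePath (Join-Path '$ReportDir' ("mbsa-{0:yyyy-MM}.xml" -f `$today)) -Encoding UTF8
"@ | Set-Content -Path $wrapper -Encoding UTF8

    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy RemoteSigned -File `"$wrapper`""
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Wednesday -At 8pm
    Register-ScheduledTask -TaskName 'PostPatchTuesdayScan' -Action $action -Trigger $trigger `
                           -RunLevel Highest -Force | Out-Null
}

# Sanity check of the date logic on a constructed date: October 2008 began on a
# Wednesday, so Patch Tuesday was the 14th and the scan day the 15th.
Get-PatchTuesday -Year 2008 -Month 10                                   # 2008-10-14
Test-DayAfterPatchTuesday -Date ([datetime]::new(2008, 10, 15))         # True
```

Run `Register-PostPatchScan` once from an elevated prompt; the report directory then accumulates one XML file per month, which is easier to compare over time than the GUI's per-scan view. MBSA's own scan output and switches are Microsoft's; only the scheduling and date logic here are the added example's.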

d_g_l_s

only because I set a few settings so it does not keep reminding me too often! I was at first only testing it but have come to appreciate it as it has caused me to tweak myself into being more thorough in checking on updates both on my system and on stored programs.

boxfiddler

I will have to purchase an upgrade. Thanks, Michael.

Michael Kassner

I guess I trust them to know what's best for their programs. At least they know more than I do. For example, IIS is an especially thorny issue to know what's best practice for, due to its complexity. It's important, though, as IIS is ripe for exploiting. Then, with it unknowingly enabled on a huge number of computers, it creates a target-rich environment. Can you tell I like Top Gun? (sorry for that)

The Scummy One

Got tired of cleanup last night. Maybe tonight. In the meantime -- how much do I actually trust MS? That question needs answering first.

Michael Kassner

I was curious to learn if you are running MBSA as well? It would make sure that you are using what MS considered the best and most secure configuration for your particular OS.

boxfiddler

You reminded me. I'm not going to be able to use Diskeeper 9.0 on Vista, am I?

The Scummy One

I got too many cans filling up already! However, a little minor maintenance got IE functioning properly again :) Now I am done for the night. I'll be defragging overnight, I think; it's been a couple of months (actually about 1.5 months, but until tonight there was little change).

The Scummy One

that they are still showing up (even on newer systems), I would bring it to the attention of the image creation team. Likely they used a basic XP image to start with and just keep adding patches, but never really disabling functions. I don't think SP2 disables it if enabled; I think its default is set to have it disabled on a new install. However, an image does not follow the 'new install' settings. If you are running scans on the Internet itself for this, likely the same thing applies: many systems were set up/configured before SP2, and would have had IIS running.

Michael Kassner

I'm not that IIS knowledgeable. Still I'm surprised at how many workstations are showing IIS issues when scanned by MBSA.

The Scummy One

while it was a huge problem, I thought MS did not auto-enable IIS on systems since SP2 for XP. It was part of their 'security' configuration changes. Not too worried about IIS at this point in time, but I think I will still scan with this util tonight.

The Scummy One

but sometimes my laziness amazes me :0 I started scouring the system for other leftover programs that I don't use anymore -- just to get rid of them. However, the rating it gave me (in the high 90's) was not bad, considering Netscape hadn't been patched in like 2+ years, and Acrobat Reader (version 7 no less) hasn't been patched in about that time either. It is giving me a Win error as well, but all of the updates except SP3 are installed (critical at least).

Michael Kassner

Now realize that you are a very knowledgeable IT person; what chance do people that just want to use computers have? That's my viewpoint. I'll say it again: Secunia is a very amazing application to provide this service.

Michael Kassner

But if you remember, I mentioned that MBSA also checks to see if you have the OS and MS applications set up as per their best practices. Take IIS, for instance: it has a huge number of exploits, and you may be surprised to find that it's installed on a normal workstation. Therefore it's wide open for exploitation.
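Two of the MBSA configuration checks the thread keeps coming back to are IIS being present on a workstation (the image-creation point above, and this post) and extra administrator accounts, one of them without a password (the earlier Scummy One post). The following PowerShell is an added example, not code from the thread or from MBSA, that reproduces those two checks locally on a modern client: it assumes Windows 10/11 with PowerShell 5.1 or later (for `Get-LocalUser`, `Get-LocalGroupMember` and `Get-WindowsOptionalFeature`) and an elevated prompt; the function names are the example's own.

```powershell
# Added example (not from the thread): a defender-side workstation audit mirroring two
# MBSA checks discussed above -- is IIS present on this machine, and which local accounts
# sit in Administrators (and whether they require a password).
# Assumes Windows 10/11, PowerShell 5.1+, run elevated.

function Get-IisStatus {
    # The W3SVC service exists only when the IIS web server feature is installed,
    # so the feature state and the service together give a reliable answer.
    $svc     = Get-Service -Name 'W3SVC' -ErrorAction SilentlyContinue
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'IIS-WebServer' -ErrorAction SilentlyContinue
    $status  = 'Absent'
    if ($svc) { $status = $svc.Status.ToString() }
    [pscustomobject]@{
        FeatureInstalled = ($null -ne $feature -and $feature.State -eq 'Enabled')
        ServicePresent   = ($null -ne $svc)
        ServiceStatus    = $status
    }
}

function Get-LocalAdminAudit {
    # Every member of the local Administrators group; for local user accounts also
    # report the enabled flag, whether a password is required, and when it was last set.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $member = $_
        $user   = $null
        if ($member.PrincipalSource -eq 'Local' -and $member.ObjectClass -eq 'User') {
            $user = Get-LocalUser -SID $member.SID -ErrorAction SilentlyContinue
        }
        $enabled = $null; $pwReq = $null; $pwSet = $null
        if ($user) { $enabled = $user.Enabled; $pwReq = $user.PasswordRequired; $pwSet = $user.PasswordLastSet }
        [pscustomobject]@{
            Name             = $member.Name
            Source           = $member.PrincipalSource.ToString()
            Enabled          = $enabled
            PasswordRequired = $pwReq
            PasswordLastSet  = $pwSet
        }
    }
}

function Invoke-WorkstationAudit {
    $iis      = Get-IisStatus
    $admins   = @(Get-LocalAdminAudit)
    $findings = @()

    if ($iis.FeatureInstalled -or $iis.ServicePresent) {
        $findings += "IIS is installed on this machine (service state: $($iis.ServiceStatus)); remove it if this is a workstation."
    }
    $enabledLocalAdmins = @($admins | Where-Object { $_.Source -eq 'Local' -and $_.Enabled })
    if ($enabledLocalAdmins.Count -gt 1) {
        $findings += "$($enabledLocalAdmins.Count) enabled local accounts are members of Administrators."
    }
    foreach ($a in ($enabledLocalAdmins | Where-Object { $_.PasswordRequired -eq $false })) {
        $findings += "Local administrator '$($a.Name)' is flagged as not requiring a password."
    }
    [pscustomobject]@{ Iis = $iis; Administrators = $admins; Findings = $findings }
}

$report = Invoke-WorkstationAudit
$report.Administrators | Format-Table -AutoSize
if ($report.Findings.Count -eq 0) { 'No findings.' } else { $report.Findings }
```

One caveat that matters for the blank-password story in the thread: `PasswordRequired` reports the account's "password not required" flag, not the password itself. An account can carry the flag and still have an empty password if the local minimum password length policy was 0 when it was set, so pair this check with `net accounts` (minimum password length) rather than treating a clean result as proof that every administrator has a password.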

The Scummy One

when I first set up the system, HP had 2 choices: IE 6 or Netscape Navigator. I chose Netscape; I used it long enough to download Firefox and use it for a few hours until I realized I didn't like it as much as FF. I deleted the shortcut, but never removed the program apparently :0 Secunia picked it and Acrobat Reader as needing an update (I don't use Acrobat much either...

The Scummy One

didn't even know there was any for home use, except for things like HP utils (like auto-updates). I also get vulnerability alerts often and look for updates when needed. Of course the alerts only do OSes and browsers. Edit: I should add that at work we have a patch management system. But at home it has been just me. I am now planning on testing each of these a bit and seeing if I would want one. Then I can schedule it to run automatically.

Michael Kassner

There are two MS applications that I feel are underused. I like SFC and the System Information applications. They check an awful lot of things and can give you a good idea as to what's running.

seanferd

and by visiting the various places where such programs are installed. How many people ever look at, for instance, the Downloaded Program Files directory, where all that ActiveX junk goes to hide?

boxfiddler

Now make room on that couch. Oh, I use a lot of paper. It's how I learned to sink a basketball.

santeewelding

You grow more interesting as you crack the door. I have this couch, and a pen, should you like to explain. And move over. Make room for me. Jen. Here. Take the pen.

Michael Kassner

If you consider me remotely in the same league, I consider that a major accomplishment. It's sort of like when I embarrass my son. I'm old, so I should be sane. Not quite.

santeewelding

Then you and I both may be hauled before the insanity thread, I to explain also why I press-check.

Michael Kassner

I'm glad I mentioned it, as the Flash Player exploit based on snooping via web cam and microphone is fast moving "out in the wild." Worrying about it may seem simplistic, but one never knows.

santeewelding

I've got three instances of Adobe Flash (9.0.124.0). I need to update and then to vanquish their predecessors. Foxit Reader, too, for which purposes Open Office does just fine. Hadn't caught that post. Did this time. Thank you, again, Michael.

Michael Kassner

Please keep me informed if it's not too much trouble. The Secunia alert that really impressed me the most dealt with Flash Player's recent upgrade. Adobe feels that you don't have to remove older versions, but that's not viable. The Clickjacking exploit will effectively use the older versions, even if you have updated to the latest version of Flash Player. Secunia caught that on mine, and several other members also mentioned that in my article about Clickjacking. I linked it below, just in case; if you have seen it, I apologize. http://techrepublic.com.com/5208-12849-0.html?forumID=102&threadID=276712&messageID=2625549

santeewelding

I opted for the home computer version. Rooting around, I found at that time what you mention. I didn't want it starting at boot, nor overseeing every application called to the fore. So I unchecked the pertinent boxes. First scan picked up a couple of things I thought I had attended to before, and an old version of Thunderbird I only keep at the ready and rarely use. I'll get further into it. I may even drop a suggestion in their box about a facility to liquidate what offends me.