The hoopla about the MSBlaster (LovSan) worm really flowed last week. I received daily reports from security companies around the world about the effects of the latest entrant to leverage the remote procedure call (RPC) security flaw in Microsoft OSs Corporations. Companies with an IT staff have no acceptable excuse for not installing the July 15 security hotfix that eliminates the MSBlaster vulnerability. It’s more difficult, however, to find fault with the millions of small businesses and end users for whom the daily update scenario is at best confusing and at worst, far beyond the technical acumen of less tech-savvy customers. Although I in no way endorse a massive Internet attack as a delivery vehicle, I strongly agree with the MSBlaster worm’s message—that Microsoft, with its unassailable position as the world’s premiere technology provider, must do a better job of producing secure code. For years, I've been stunned by endless security flaws in Microsoft products, outraged by the frequency of bugs in OS components, and frustrated by hotfixes and service packs that introduce yet another round of operational inconsistencies. This endless flow of flawed code, combined with the never-ending battle to put things right, places an impossible and unrealistic burden on Microsoft technology providers, both external to and within the company. As business clients and end consumers, I believe we have been sold a bill of goods. The fact that a small group of black hats can wreak international havoc with a few lines of code speaks volumes about the underlying vulnerability of Microsoft products. With Windows Server 2003 and later, the company has made a serious commitment through its Trustworthy Computing initiative to release software that's “secure by design, secure by default, and secure in deployment.” Given that the RPC flaw affects Windows 2003, the flagship product of Microsoft’s three-pronged security initiative, this beginning is less than auspicious.
MBSA Upgrade Supports Windows Server 2003
While we’re on the subject of security, you should know that Microsoft recently updated the Microsoft Baseline Security Analyzer (MBSA) to run on Windows 2003, as well as on Windows XP and Windows 2000. Shavlik Technologies created the MBSA security tool for Microsoft. (Shavlik has a more powerful commercial version you can purchase directly from the company’s Web site—http://www.shavlik.com.) MBSA analyzes the state of Windows OS components, Microsoft IIS, and Microsoft SQL Server by comparing the installed version of each file against Microsoft’s XML catalog of the most current files and security hotfixes. MBSA can analyze a local system, all domain members, or systems that fall within a specific IP address range (a partial or full subnet). MBSA 1.1 has one other enhancement you can leverage if you run your own Microsoft Software Update Services (SUS) servers: the ability to redirect the download of updates to an internal server, rather than to the Windows Update Web site. MBSA relies on the mssecure.xml catalog (http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab) to produce a current analysis of missing security hotfixes for all supported products. You can run MBSA on a system that's connected to the Internet, and the utility will automatically download the latest version of the catalog. Alternatively, you can download the compressed catalog mssecure.xml separately, expand it, and place it in the MBSA installation directory. I tested MBSA 1.1 on the Microsoft Small Business Server (SBS) 2003 Standard Edition release candidate (RC), which includes Windows 2003, Internet Information Services (IIS) 6.0, Microsoft Exchange Server 6.5, portions of SQL Server Desktop, and Microsoft SharePoint Services 2.0. The utility ran without a hitch and generated the familiar, detailed report outlining missing security hotfixes in the base OS, IIS, and SQL Server (SBS 2003 installs the desktop version of SQL Server to implement monitoring and reporting activities). MBSA did identify missing security hotfixes for the OS, SQL Server, and SharePoint Services and indicated that IIS 6.0, out of the box, required no security hotfixes or modifications. However, MBSA couldn't determine that the SBS 2003 server was running Exchange 6.5 and thus didn't report on missing security updates or recommend other security-related adjustments. I’m not sure if the problem is with SBS or with MBSA, but I suspect that it’s a problem with the analysis tool. If you haven’t updated your version recently, I encourage you to do so. I think you’ll be pleased with the enhancements, and it’s always comforting to confirm that the Windows 2003 platform is, by default, more secure than previous OSs. Visit the following URL to review the FAQ and download the latest version: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/mbsahome.asp
