MBSA 1.2.1 End of Life Q&A
Doug Neal [MSFT]
2006-02-17 19:07:55 UTC
To help clarify the number of questions we've received in the last few weeks
regarding the end of life of the MBSA 1.2.1 standalone scan tool, I wanted
to provide this Q & A document to address some of the most common issues.



To define the associated tools up front:



The standalone MBSA 1.2.1 scan tool is based on an older version of HFNetChk
3.x scanning technology licensed from Shavlik (http://www.shavlik.com/) -
the same firm who hosts the PatchManagement.org discussion group and
associated web site. Although MBSA 1.2.1 and the SMS scan engine are both
based on this technology, they are considered separate products. MBSA 1.2.1
is a standalone version of this tool. SMS 2.0 and SMS 2003 have integrated
this technology into SMS feature packs as the 'Security Update Inventory
Tool' (SUIT).



With the release of MBSA 2.0, MBSA is no longer a scan engine technology,
but depends exclusively on WSUS/Microsoft Update catalog data as returned
from each target machine's WU agent. This is a common misunderstanding as
customers believe that SMS 2003 ITMU is based on MBSA 2.0 - which is
incorrect. ITMU (Inventory Tool for Microsoft Update) - like MBSA 2.0 - is
a consumer of the underlying WSUS/Microsoft Update technology, not a scan
engine as MBSA 1.2.1 was. The scanning technologies used by ITMU and MBSA
2.0 are actually WSUS and Microsoft Update.



Microsoft has made this change to unify our patch detection technologies.
This corporate direction is not a reflection of the quality of work Shavlik
provided Microsoft with the MBSA 1.2.1 and HFNetChk tools.



-----------------------



Since the release of MBSA 2.0 on July 1, 2005, Microsoft announced the end of
life for the MBSA 1.2.1 scan tool effective "Q1 2005". We have recently
updated our public-facing documents (the MBSA Home page, the MBSA 1.2 FAQ
page and will update KB 306460 shortly) to the explicit March 31, 2006 date.
We have also published a new KB 914791 describing how this affects MBSA,
consumers of the MSSecure.XML file and SMS 2.0 / SMS 2003 RTM (not SP1)
customers who use the underlying MBSA 1.2.1 (Shavlik-based) scan
technologies.



It is important to note that the MBSA 1.2.1 standalone tool is being
decommissioned, not the MBSA 1.2.1 scan engine integrated into the SMS 2.0
and SMS 2003 SUIT feature packs, although they are based on the same
technology.





What will happen to the MBSA 1.2.1 standalone tool?

Formal support for MBSA 1.2.1 will end and the MSSecure.XML file consumed by
the standalone MBSA 1.2.1 tool will no longer be updated after March 31,
2006. Because of the value MBSA 1.2.1 scan results may still provide to
some customers - and because MBSA 1.2.1 provides support for older products
and patches that may not be available in the WSUS-based technologies (like
Microsoft Update, WSUS Server, MBSA 2.0, SMS 2003 SP1 with ITMU), the MBSA
1.2.1 catalog and tool will not be removed from the web. This means that
MBSA 1.2.1 can still be used to scan for all security patches released since
1998 for NT 4.0, Windows 2000, Windows XP and Windows Server 2003 products
(and all other products supported by MBSA 1.2.1) - but only for MBSA
1.2.1-supported patches released through March 31, 2006 when updates to this
catalog will end.





What will happen to SMS 2.0 and SMS 2003 SUIT (Security Update Inventory
Tool) customers who haven't migrated to SMS 2003 ITMU?

Nothing. The MSSecure.XML file consumed by the SMS 2.0 and 2003 SUIT feature
packs will continue to be updated, so SMS customers will continue to get
support for MBSA 1.2.1-supported products (see KB 306460 for a list of
products MBSA 1.2.1 supports).



Combined with the Extended Security Update Inventory Tool scan type
integrated into SMS, customers in SMS managed environments will continue to
receive complete and comprehensive security bulletin detection and
deployment support just as they do today.





Does this mean that the MBSA catalog (MSSecure.XML) will no longer be
updated, but the SMS catalog will be?

Yes. MBSA 1.2.1 and SMS are separate products with distinct support
lifecycles. Although customers are encouraged to upgrade to the latest ITMU
offering available for SMS 2003 SP1 and shipping with SMS 2003 SP2, support
for the existing scan engine used with SMS will continue for the life of the
SMS product. For more information about the SMS product lifecycles and
support - including customer migration and guidance - feel free to post to
the public SMS software updates newsgroup:



Microsoft.public.sms.software_updates



Wouldn't it be possible to simply use the SMS catalog with MBSA 1.2.1?

Although some customers may consider using the SMS-based XML to extend the
life of the standalone MBSA 1.2.1 tool which is now outdated, this poses a
significant security risk since not all Microsoft patches are supported by
the XML and MBSA 1.2.1. Please again note that this does not mean Shavlik's
products have a security risk as they have also updated their products as
noted above.



MBSA 1.2.1 supports only a limited set of products (see KB 306460) which
does not ensure complete detection for all MSRC Security Bulletins
(http://www.microsoft.com/technet/security/current.aspx). Because of
Microsoft's commitment to security, with the release of the MS04-028 (GDI+)
patch in September 2004, Microsoft provided the add-on Enterprise Scan Tool
(EST) - integrated into SMS as the 'Extended Security Update Inventory Tool'
(ESUIT) - to make up for shortcomings in the MBSA 1.2.1 tool. A separate
monthly edition of the EST tool is provided by Microsoft to make up for this
gap in MBSA 1.2.1 detection any month where MBSA 1.2.1 cannot provide
complete detection for that month's patches.



For example, in June 2005, Microsoft released 10 security bulletins, for 7 of
which MBSA 1.2.1 provided detection support. The remaining 3 bulletins
required the June EST tool (for standalone customers) or ESUIT (for SMS
customers) to ensure complete patch detection and deployment for all 10
security bulletins - see KB 895660 (http://support.microsoft.com/kb/895660)
for a comparison of MBSA 2.0 and MBSA 1.2.1 + EST support. In this case,
MBSA 1.2.1 customers had to run a second tool (EST) on each affected machine
(since EST can only perform local scans) to determine complete patch
compliance.



As more products and components are released that MBSA 1.2.1 cannot support
(like MSN Messenger, Windows Media Player 10, DirectX, .Net Framework,
Outlook Express, ISA Server, Internet Explorer 7, SQL Server 2005, 64-bit
versions of Windows, Microsoft Vista), the MBSA 1.2.1 tool would provide
security detection (and protection) for fewer and fewer products potentially
putting the enterprise at risk by providing only partial (or no) support for
the affected products/components.





Do these limitations affect SMS 2.0 and SMS 2003 RTM customers?

No - SMS customers do not have this limitation. SMS customers benefit from
the combination of MBSA 1.2.1 plus EST scan types, which - when combined as
they are in SMS - provide complete detection and enable deployment for all
publicly-released security bulletins. SMS customers benefit from the
comprehensive MBSA 1.2.1 + EST results automatically as a feature of SMS.



Why are you decommissioning MBSA 1.2.1 instead of simply continuing to
update the catalog (MSSecure.XML)?

For customers to get comprehensive patch status, current MBSA 1.2.1
customers must augment their MBSA results with results from each monthly
release of the add-on Enterprise Scan Tool (EST). This is a cumbersome
solution - not only because EST is not cumulative (and only released in
months where it is needed) - but also because EST supports only local scans,
not remote IP and domain-based scans like MBSA. Additionally, MBSA 1.2.1
will become less useful with time since the number of products it can
support cannot grow. Microsoft is dedicated to not only providing a single
comprehensive solution - but one that is consistent across all Microsoft
technologies. For a standalone tool, MBSA 2.0 is that solution.



MBSA 2.0 is a free local and remote scan tool that provides complete results
for all products supported by WSUS and Microsoft Update in a single tool.
Since MBSA 2.0 is based on Microsoft Update and WSUS technologies, it
provides consistent results with all other Microsoft detection mechanisms.
Also, MBSA 2.0 is dynamic enough to support any additional products and
components without the limits of MBSA 1.2.1.





How does this affect 3rd-party consumers of the MSSecure.XML file?

Any non-Microsoft tool that downloads and consumes the Microsoft-hosted
MSSecure.XML file downloaded from the Microsoft.com web site is already
unsupported per the MBSA 1.2.1 FAQ which states "Use of the catalog
(mssecure.xml) outside MBSA is not supported."



Not only will the Microsoft-hosted MSSecure.XML file catalog no longer
receive updates, but there are significant risks for tools that use the
MSSecure.XML file as the primary catalog for determining patch state. These
risks are due to the limitations of the XML content mentioned above (see KB
895660 and 306460 for a complete list - which includes all Office patches
and additional products including MSN Messenger, Windows Media Player 10,
DirectX, .Net Framework, Outlook Express, ISA Server, SQL Server 2005, and
any 64-bit versions of Windows).



It is important to check with your specific vendor to determine whether or
not they use the Microsoft-hosted MSSecure.XML file, and if so, whether
their tool contains enhancements to provide detection for products and
security updates not contained in the MSSecure.XML file.



Once again, this does not mean Shavlik's products have a security risk as
they have also updated their products and catalogs to support more products
than the Microsoft-hosted MSSecure.XML file and MBSA 1.2.1 tool.





My 3rd-party tool uses a file called MSSecure.XML. How do I know if this is
the Microsoft-hosted MSSecure.XML file?

Other firms have created their own versions of the catalog file named
MSSecure.XML. The MSSecure.CAB file can be identified by its digital
signature from "Microsoft Corporation." The Microsoft MSSecure.XML (once
expanded from the signed CAB file) file will contain the following comment
in the 3rd line of the XML:



<!--Built by Microsoft Corp. for Microsoft Baseline Security Analyzer. On the web at: http://www.microsoft.com/mbsa-->



If the CAB file is digitally signed by Microsoft and the XML contains the
comment line above, this catalog is not supported for use by 3rd-party tools
as mentioned above.





Can I continue to use MBSA 1.2.1 for Microsoft Office 2000 product updates
since MBSA 2.0 doesn't support Office 2000 products?

MBSA 1.2.1 provides Microsoft Office product support by using an integrated
version of the publicly-available Office Detection Tool (ODT), which will
continue to function even after the MSSecure.XML catalog is no longer
updated. As mentioned above, MBSA 1.2.1 can also continue to be used for
previously-released Windows security updates since the catalog will not be
removed.



Although MBSA 1.2.1 can still be used to determine Microsoft Office updates,
the standalone version of ODT or the online Office Update web site are the
preferred methods. The Office Update web site and standalone ODT tool will
continue to support all Microsoft Office 2000 SR-1a and higher products as
detailed in the links below:



Office Update web site:
http://office.microsoft.com/search/redir.aspx?AssetID=ES790020041033&Origin=HH101045631033&CTT=5



Office Detection Tool downloads and information:

http://office.microsoft.com/en-us/assistance/HA011402491033.aspx



http://www.microsoft.com/downloads/details.aspx?FamilyID=9a7223f0-a7f7-452a-816d-ccc2e38d195c



http://office.microsoft.com/OfficeUpdate/catalog/inventory/InventoryCatalog.html



Although MBSA 1.2.1 is being decommissioned, this does not affect the Office
Update web site, the standalone Office Detection Tool or the integrated
version of ODT used by the SMS Software Update Inventory Tool.



---------------------------



For more information, please consider the following links:



MBSA Home page: www.microsoft.com/mbsa

Products supported by MBSA 1.2.1: http://support.microsoft.com/kb/306460

MBSA 2.0 and MBSA 1.2, EST comparison:
http://support.microsoft.com/kb/895660



For more information about SMS 2003:
http://www.microsoft.com/smserver/downloads/2003/default.asp

For more information about SMS 2.0:
http://www.microsoft.com/smserver/downloads/previous/default.asp
--
Doug Neal [MSFT]
***@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.

If newsgroup discussion with experts and MVPs is unable to solve a problem
to your satisfaction, feel free to contact PSS for support on the Microsoft
Baseline Security Analyzer (MBSA). Information is available at the following link:
http://support.microsoft.com/default.aspx

This e-mail address does not receive e-mail, but is used for newsgroup
postings only.
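
The two checks Doug describes for telling the Microsoft-hosted catalog apart from a vendor's own MSSecure.XML (an Authenticode signature from "Microsoft Corporation" on the CAB, and the "Built by Microsoft Corp." comment on the 3rd line of the expanded XML) can be scripted. The following is an added example written for this page, not code from the original post or from Microsoft; the function name, the paths, the working directory and the signer-subject pattern are assumptions for illustration. The signature check is what carries weight: the XML comment is a plain string anyone can copy into their own catalog, so it is only checked after the CAB's signature has been verified.

```powershell
# Added example (not from the original post): decide whether a given
# MSSecure.CAB is the Microsoft-hosted MBSA 1.2.1 catalog by
#   1. verifying the CAB's Authenticode signature and its signer, and
#   2. expanding it and inspecting the 3rd line of MSSecure.XML.
# The function name, paths and the CN pattern below are assumptions.

function Test-MicrosoftMSSecureCatalog {
    param(
        [Parameter(Mandatory = $true)][string]$CabPath,
        [string]$WorkDir = (Join-Path $env:TEMP 'mssecure-check')
    )

    if (-not (Test-Path -LiteralPath $CabPath)) {
        throw "CAB not found: $CabPath"
    }

    # Check 1: Authenticode signature on the CAB. 'Valid' means the signature
    # verifies and chains to a trusted root. Also require the signer subject to
    # name Microsoft Corporation; a valid signature from any other publisher
    # would otherwise pass. (Subject pattern is an assumption.)
    $sig = Get-AuthenticodeSignature -FilePath $CabPath
    $signerSubject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $signerIsMicrosoft = ($sig.Status -eq 'Valid') -and
                         ($signerSubject -like '*CN=Microsoft Corporation*')

    # Check 2: expand the CAB with the built-in expand.exe and read the
    # 3rd line of mssecure.xml, where the MBSA build comment is expected.
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    & "$env:SystemRoot\System32\expand.exe" $CabPath -F:* $WorkDir | Out-Null
    $xmlPath = Join-Path $WorkDir 'mssecure.xml'
    if (-not (Test-Path -LiteralPath $xmlPath)) {
        throw "expand.exe did not produce mssecure.xml in $WorkDir"
    }
    $head = @(Get-Content -LiteralPath $xmlPath -TotalCount 3)
    $thirdLine = if ($head.Count -ge 3) { $head[2] } else { '' }
    $hasMbsaComment = $thirdLine -match 'Built by Microsoft Corp\. for Microsoft Baseline Security Analyzer'

    # Only a Microsoft-signed CAB whose XML carries the MBSA comment counts as
    # the Microsoft-hosted catalog, i.e. the one that is unsupported for
    # 3rd-party use and will stop being updated after March 31, 2006.
    [pscustomobject]@{
        CabPath            = $CabPath
        SignatureStatus    = $sig.Status
        Signer             = $signerSubject
        ThirdLine          = $thirdLine
        IsMicrosoftCatalog = ($signerIsMicrosoft -and $hasMbsaComment)
    }
}

# Usage (path is an assumption):
# Test-MicrosoftMSSecureCatalog -CabPath 'C:\temp\mssecure.cab' | Format-List
```

If `SignatureStatus` comes back as anything other than `Valid` (for example `NotSigned` or `HashMismatch`), the file is not the Microsoft-hosted CAB regardless of what the XML comment says, which is the case Doug warns about for vendors that ship their own file under the same name.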
Mustang Mike
2006-02-23 17:45:02 UTC
Doug, pardon my ignorance as I'm new to SMS and this update process. I
just upgraded to ITMU but still have SUIT installed on the SMS site
server. My type options when going through the process in SMS to
distribute software updates are Microsoft Updates, Office Updates, and
MBSA. With ITMU now installed, do I still need to distribute MBSA type
updates and if so, which scan tool do I use to perform this action?

Also, is there a good reference that will explain the differences
between these updates processes?

Thanks so much.
Greg Ramsey
2006-02-24 14:30:57 UTC
Hi Mustang Mike,

This blog post contains several links that will help you with SMS and the
various scanners:
http://myitforum.com/blog/osug/archive/2005/08/08/12442.aspx

Here's one of particular note: Products currently supported (and not
supported) with the ITMU

If you have more questions about SMS and these scanners, please post only to
the microsoft.public.sms.software_updates newsgroup.

Greg