Patching and Scanning Tools Use Common Platform
Aug. 22, 2005
Disparate software patching technologies are coming together into a unified patch-scanning and distribution platform from Microsoft. Specifically, the Windows Update Agent (WUA) provides a common patch-scanning engine, and the Microsoft Update (MU) Web service provides a single point for locating applicable patches. This common platform allows all Microsoft's patch detection tools to provide better and more consistent results. However, the new infrastructure currently supports only a small subset of Microsoft products. In July 2005, Microsoft updated the Microsoft Baseline Security Analyzer (MBSA) 2.0 to support the new platform, and in Aug. 2005, it released the Systems Management Server (SMS) 2003 Inventory Tool for Microsoft Update (ITMU) to allow SMS to use the new scanning platform.

Unification Key

Previous Microsoft patch-scanning tools, such as Windows Update client, Office Update client, MBSA, and SMS 2003, used their own scanning engines to detect whether critical patches were present on a system. These tools did not always provide complete and consistent results because different Microsoft products used completely different patching technologies (at one time as many as eight separate update engines), and some of these engines did not leave any trace that a file had been patched. In addition, many tools used different patch data files to provide the detection engine with information, such as the latest file version and size, necessary to detect patches. Keeping this patch-detection data accurate across all the tools was difficult. In addition, because it was so hard to update some tools in a timely manner, the Microsoft Security Response Center (MSRC) was forced to release patch-specific Enterprise Update Scan Tools (EST) to detect some critical patches.

To overcome these limitations, Microsoft has standardized on two patching technologies, one for OS components and one for applications.
It has also created or updated several components, which now use a new unified update scanning platform based on the WUA patch-scanning client and the MU Web service. The platform is used by the latest versions of Microsoft patch-scanning and distribution offerings, such as SMS 2003 and Windows Server Update Services (WSUS), as well as the MBSA 2.0. (To understand how these technologies work together, see the illustration "Unified Scanning Platform".) Using the unified scanning platform and the Microsoft tools built on that platform, administrators can scan computers for missing security updates for the following:
However, tools that use the new platform cannot yet check for the presence of SQL Server and Exchange service packs; Office 2000 updates; updates for Windows Server System products, such as Commerce Server and BizTalk Server; or products such as Digital Image Suite. There is no timetable for when these and other products will be supported by the common patch detection infrastructure. Chief Software Architect Bill Gates and Vice President Mike Nash (of Microsoft's Security Business Unit) promised a unified update process for all Microsoft products almost two years ago, but they might be having some difficulty getting all product groups on board. It is important to note that until WUA and MU support all of these products, administrators will have to continue to scan systems using the MBSA version 1.2.1 and any patch-specific ESTs (whose scanning engines and patch data files cover some products not included in MU and WUA).

The Baseline Security Analyzer

MBSA is a free tool that helps administrators check for needed security updates and common security misconfigurations, such as weak or unassigned passwords. The MBSA differs from MU in two significant ways. First, MBSA focuses on security patches only, so it does not check for nonsecurity critical updates published in MU, such as the critical update the Office team issued to remove a font that contained the swastika symbol. Second, in addition to detecting missing security patches, MBSA can check the basic security configuration of the Windows Firewall, the Automatic Update Service, the presence and quality of passwords, whether the Guest account is enabled, and incomplete updates (which have been downloaded and installed, but need a restart of the computer to be active). In addition to highlighting security weaknesses, MBSA provides administrators with initial guidance they can follow to correct any problems the scanner detects.
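The following is an added example, not code from the article or from Microsoft: it drives the Windows Update Agent (WUA) COM API, the scanning engine the article says MBSA 2.0, WSUS and the SMS 2003 ITMU all build on, to list the missing security updates and the pending-restart condition that MBSA reports. The `-UseMicrosoftUpdate` switch is a construct of this example; it assumes an elevated PowerShell session on a Windows host.

```powershell
# Added example (not the article's or Microsoft's code): query the WUA scanning
# engine directly for missing security updates, the same engine MBSA 2.0, WSUS
# and the SMS 2003 ITMU use. Run in an elevated PowerShell session on Windows.

function Get-MissingSecurityUpdate {
    param([switch]$UseMicrosoftUpdate)   # switch defined for this example only

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    if ($UseMicrosoftUpdate) {
        # 3 = ssOthers with the Microsoft Update service ID documented by
        # Microsoft; the host must already be opted in to Microsoft Update.
        # The default (0) scans against whatever source the machine is
        # configured for, e.g. a WSUS or SMS managed server.
        $searcher.ServerSelection = 3
        $searcher.ServiceID = '7971f918-a847-4430-9279-4a52d1efe18d'
    }

    # Applicable software updates that are not installed and not hidden.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    foreach ($update in $result.Updates) {
        # MBSA reports security patches only: keep updates that carry an MSRC
        # severity or sit in the 'Security Updates' category, drop the rest.
        $categories = @($update.Categories | ForEach-Object { $_.Name })
        if (-not $update.MsrcSeverity -and $categories -notcontains 'Security Updates') {
            continue
        }
        [pscustomobject]@{
            Title      = $update.Title
            Severity   = $update.MsrcSeverity
            KB         = @($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Bulletins  = @($update.SecurityBulletinIDs | ForEach-Object { $_ }) -join ','
            Downloaded = $update.IsDownloaded
        }
    }
}

# MBSA's "incomplete update" check: patch installed but waiting on a restart.
function Test-PendingRestart {
    (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired
}

$missing = @(Get-MissingSecurityUpdate)
$missing | Sort-Object Severity | Format-Table -AutoSize
"Missing security updates: $($missing.Count); restart pending: $(Test-PendingRestart)"
```

Because the search runs through the agent, the results reflect whichever catalog the host is pointed at, so a machine managed by WSUS or SMS reports only the updates that server has approved.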
Administrators can run MBSA on individual computers or use it to scan a series of computers on a network. (For an example of a security report, see the illustration "MBSA 2.0 Security Report".)

SMS 2003 Inventory Tool for Microsoft Update

The SMS 2003 ITMU is a free download that installs on SMS 2003 site servers and brings SMS 2003 up-to-date to use the same scanning technology used by SMS 2003's little brother, WSUS. Although the scan engine is significantly different from SMS 2003's existing MBSA and Office scanning tools, ITMU generally works in a manner similar to the earlier tools and the administrator interface is the same. Like the new MU and MBSA 2.0 scanners, ITMU detects many more Microsoft products and uses the Microsoft Update catalog data. However, unlike MBSA, SMS 2003 can use ITMU to automatically build patch packages that SMS runs on targeted computers to remotely apply the patches and report back installation status. One other welcome enhancement over the earlier SMS 2003 scanning tools is that ITMU automatically configures patches with the correct silent install switches, which saves work for administrators and makes the patching process more reliable.

ITMU requires SMS 2003 SP1 and several additional hotfixes that must be installed on the SMS 2003 servers. ITMU also requires installing an updated SMS agent and Windows Installer 3.1 on each managed computer (SMS can centrally deploy these updated components). If not already present, Microsoft XML 3.0 or later must also be installed on all systems.

Availability and Resources

A full description of the products MBSA 2.0 supports, as well as products that still require either the Enterprise Scanning Tool or MBSA 1.2.1, is at support.microsoft.com/kb/895660. The latest version of MBSA can be downloaded from www.microsoft.com/technet/security/tools/mbsa2. ITMU may be downloaded from www.microsoft.com/smserver/downloads/2003/tools/msupdates.mspx.
Microsoft Update and the Windows Server Update Services (WSUS) are described in detail in "Free Software Update Technology to Cover All Products" on page 12 of the Feb. 2005 Update and "Updated Patching Tools Cover OSs, Applications" on page 13 of the July 2005 Update. SMS 2003 patch management is described in "Stronger Systems Management Server Worth a New Look" on page 9 of the Nov. 2003 Update. Microsoft will update the Office Visio 2003 Connector for MBSA, which helps administrators view the results of an MBSA scan in a network diagram. For details on the current version of this Visio add-in for MBSA 1.2.1, see www.microsoft.com/technet/security/tools/mbsavisio.mspx.