ARN

Microsoft freeware checks for Windows security holes

Microsoft this week made available a freeware vulnerability-assessment tool for Windows desktops and servers.

The tool, called Baseline Security Analyzer, runs locally on a PC and lets network administrators check whether their NT 4.0, Windows 2000 or XP desktops and servers are missing software patches for security holes or are improperly configured.

Baseline Security Analyzer is a "read-only" tool that doesn't automatically locate and apply software patches as other tools on the market will. Microsoft signaled its growing interest in developing such software to automate this process, however.

To date, Microsoft has relied on Shavlik Technologies, a St. Paul, Minnesota, company that specializes in test tools, to produce the freeware available from Microsoft. But the Redmond giant has long-term goals to improve the software-patching process for its customers that may entail Microsoft striking out on its own in the test-tool area.

"We need to find an automated way to do this," said Craig Mundie, Microsoft's vice president and CTO, in his keynote at the RSA Security conference. The numerous vulnerabilities discovered over time in Microsoft operating system and application software have made any unpatched Microsoft server and browser a popular target for hackers and computer worms, such as Nimda and Code Red.

Microsoft is working on a patch-rating system to define discovered software holes on a scale of high to low risk. While Microsoft is making a concerted effort to prevent coding errors that lead to problems such as buffer-overflow vulnerabilities, Mundie said that the company's long-term goal is to create the means to automate the discovery of holes and the patching process.

"If we depend on people to do this, we'll be swamped," he said. "In fact, we are swamped."

This week's posting of the Baseline Security Analyzer on the Microsoft Web site is but a first step, said Lara Soskonsky, a Microsoft security program manager who was demonstrating the freeware tool at Microsoft's pavilion at the RSA conference.

"We don't push out the patches, but we may add that feature as an option in Version 2.0. In future versions, we'll also add more applications, such as Internet Information Server 4.0, 5.0, SQL 7, Internet Explorer 5.0 and up, Office 97 and Office 2000, among others," Soskonsky said. "And we'll add .Net [support] to Version 2.0."

The second version may be out in as little as a few months, she added.

Whether Microsoft will continue its reliance on Shavlik Technologies to build the freeware is under review. "We haven't decided whether or not to go out on our own," Soskonsky said, but Microsoft may be inching toward its own suite of commercial test-tool products.

Should that happen, Shavlik Technologies could see its symbiotic relationship with Microsoft undergo a disruptive change. At present, Shavlik has enjoyed the ability to advertise its more robust and full-featured vulnerability-assessment tools on Microsoft's Web site, next to the freeware it built for Microsoft.

Shavlik's first project for Microsoft was a Web-based vulnerability-assessment service created last autumn after the outbreak of the Nimda worm in August. The second project, the Microsoft Baseline Security Analyzer, is a stripped-down version of Shavlik's own HFNetChk Pro AdminSuite 3.6, which can push out software patches and remotely install them in a scheduled fashion. It can check for weak passwords and weak administrative accounts. The latest version of Shavlik's tool, which costs US$1,500 for 50 users, also became available this week.

For larger enterprises that want to do detailed analysis across machines, Shavlik shipped Shavlik EnterpriseInspector, priced at $3,000 and up. This version also checks to make sure antivirus software is installed on machines.

"We have over three million people using our products," said company CEO Mark Shavlik. The Shavlik commercial tools require their own console and don't share information with the Microsoft SMS management console without extensive coding to enable that, he acknowledged.

Shavlik said he hoped to continue the freeware relationship with Microsoft that has benefited his firm. "It's been a way for people to learn about our products at the Microsoft Web site," he said.