News Stay informed about the latest enterprise technology news and product updates.

Inside MSRC: Microsoft details security tool update

Microsoft's Christopher Budd explains how to use the new versions of the Security Baseline Analyzer and the Systems Management Server Inventory Tool for Microsoft Updates.

The November 2006 Microsoft monthly security bulletin includes six new security updates addressing issues in Microsoft Windows and Microsoft XML Core Services. In addition, this month we have released new versions of the Microsoft Security Baseline Analyzer (MBSA) and the Systems Management Server (SMS) Inventory Tool for Microsoft Updates (ITMU).

For this month's column, I'll first explain why we've released new versions of these tools and what your organization should do with them. Then I'll provide some information to help you assess your testing and deployment needs based on this month's security updates.

About this column:
As part of a special partnership with, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.


Administrators who use MBSA and SMS ITMU to manage security updates in their environment should be aware that we have released new versions of these tools.

In the October 2006 Microsoft security bulletin webcast we let customers know that starting in November we would be using a new architecture for the WSUSSCAN.CAB file. The WSUSSCAN.CAB file is a data file that catalogs information about all Microsoft security updates. This file is used by the newest generation of Microsoft detection and deployment tools such as MBSA, SMS ITMU and the Microsoft Update (MU) Automatic Update (AU) client. At a high level, this file provides detailed information about each security update that enables these tools to scan and correctly identify what updates are applicable to a system and, in the case of SMS ITMU and AU, deploys those updates. The WSUSSCAN.CAB is a "cab" (or cabinet) file, which is a file-compression technology

The cabinet file architecture has a limited number of files it can contain within it; with each progressive bulletin release, the WSUSSCAN.CAB has grown in size and has approached this limit.

In August 2006 we began paring down the contents of the WSUSSCAN.CAB to ensure that the file remained under that architectural limit. This process has involved removing information from the WSUSSCAN.CAB file about security updates that are no longer applicable. For example, information about security updates for products that are no longer supported was removed in August and September 2006. As we have been removing information about updates, we have documented what we have removed in a Microsoft Knowledge Base article. This process was intended as an interim solution until a broader change could be implemented to address the limitation; with the November 2006 release, we are implementing that broader change.

The change we're making is to move from using a single CAB file, which was named WSUSSCAN.CAB, to multiple .CAB files within a single .CAB file, now named WSUSSCN2.CABusing more than one CAB file to store information about security updates. This new architecture will ensure that the architectural limitations of CAB files do not affect our detection and deployment tools. The November 2006 monthly security bulletin release is the first release that uses this new architecture.

However, this change requires that the tools which use the WSUSSCAN.CAB file be updated so they can understand and use the new architecture. Because of this, in November 2006 we have also released new versions of MBSA and SMS ITMU.

MBSA uses the WSUSSCAN.CAB for offline scanning only; it is not used by MBSA in its default online scanning mode. This means that the new architecture released in November only affects customers who use MBSA in offline scan mode. So if you use MBSA in offline scan mode, you'll want to download and deploy the new MBSA 2.0.1 from the MBSA site. If you use MBSA in its default online scanning mode, you don't need to take any action. This change does not affect online scanning mode at all.

In addition to a new version of MBSA, we've released an updated version of the SMS ITMU. While the change to MBSA affects only a segment of MBSA customers, the changes to the SMS ITMU affect all SMS ITMU customers, and they all should download and deploy the updated version of ITMU to all systems. The new version of the SMS ITMU can be found on the SMS ITMU site here. In addition to support for the new WSUSSCAN.CAB architecture, the new version of the SMS ITMU includes performance enhancements and support for client workstations running Windows Vista.

We will continue to support the old WSUSSCAN.CAB file through March 2007; however, we are encouraging customers to deploy the updated tools as soon as possible. We will continue to remove updates from WSUSSCAN.CAB to ensure that we stay below the CAB file limitation. However, as we continue to remove updates, we will need to start removing information about updates that are not obsolete. Because of the potential effect on organizations, we are encouraging people to deploy the updated versions as soon as possible. In addition, once the March 2007 deadline arrives, tools such as the SMS ITMU will stop detecting and deploying updates. Because of these reasons, it is critical that customers move to update their detection and deployment tools.

If you use a detection and deployment technology from a company other than Microsoft, you should check with your vendor to find out if this new architecture requires any updates to its tools. We have been working with our partners who use the WSUSSCAN.CAB to help them understand this new architecture and make changes as needed.


Now I want to call out two items from the November 2006 Microsoft monthly security bulletin release: MS06-071, "Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution," and MS06-069, "Vulnerabilities in Macromedia Flash Player From Adobe Could Allow Remote Code Execution."

MS06-071 addresses an issue that we first discussed in Microsoft Security Advisory 927892, which is a vulnerability in Microsoft XML Core Services. Unlike MS06-061, the versions of XML that are affected by this issue are not versions that came with Microsoft Windows or Microsoft Office; in this case, the vulnerable versions have been only provided for download from the Microsoft Web site. Our detection and deployment tools, including MBSA and SMS ITMU, will correctly identify systems that have a vulnerable version of XML for which there are updates available. As we noted in the Microsoft Security Advisory, we are aware of limited attacks attempting to exploit this vulnerability. While these are limited in scope, we are encouraging customers to deploy this update as soon as possible.


MS06-069 addresses an issue we first discussed in September 2006 in Microsoft Security Advisory 925143, "Adobe Security Bulletin: APSB06-11 Flash Player Update to Address Security Vulnerabilities."

In that advisory we let customers know about a vulnerability in a version of the Adobe Flash Player that was provided with Windows XP SP2. In that advisory we encouraged customers to follow the guidance provided by Adobe in its security bulletin to install the latest version of the Flash Player. In MS06-069, we are providing security updates for the version of Flash Player that was provided with Windows XP SP2. Those customers who do not want to deploy the latest version of the Flash Player should deploy the updates provided in MS06-069.

And finally, the December monthly security bulletin will be on released Dec. 12.

Dig Deeper on Microsoft Patch Tuesday and patch management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.