Microsoft Baseline Security Analyzer (MBSA) 2.0 is available (895660)

INTRODUCTION

Microsoft Baseline Security Analyzer (MBSA) 2.0 is an easy-to-use tool that helps small and medium-sized businesses evaluate their security according to Microsoft security recommendations. The tool also offers specific remediation guidance. This article discusses the availability of MBSA 2.0. This article also explains how to upgrade to the new version.

MBSA 2.0 includes many improvements and new features. We recommend that most customers use MBSA 2.0. To download MBSA, visit the MBSA home page at the following Microsoft Web site:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

MBSA 2.0 includes the following key features:

Severity ratings
Local and remote scans for Microsoft Office XP security updates
Additional guidance for locating updates and taking appropriate action
CVE-IDs for supported updates
Improved help content
Compatibility with Windows Server Update Services
Automatic Microsoft Update registration and agent update
Detection of updates on Windows XP Embedded and on 64-bit versions of Microsoft Windows

MBSA 2.0 detects products that are currently supported by Microsoft Update, the central catalog of updates for Microsoft products. Microsoft Update replaces Windows Update. Windows Update only updates Microsoft Windows operating system products. Microsoft Update hosts the detection logic for MBSA 2.0 and other tools.

MBSA 1.2.1 and the Enterprise Update Scan Tool (EST) support several products that Microsoft Update may not support when MBSA 2.0 is released. If Microsoft Update does not provide a security update, we will provide users of MBSA 2.0 a way to detect the update. For more information about how to obtain and use the Enterprise Update Scan Tool, click the following article number to view the article in the Microsoft Knowledge Base:

894193 How to obtain and use the Enterprise Update Scan Tool

The MBSA 1.2 tool will be discontinued on March 31, 2006. After this date, MBSA 1.2.1 will no longer be supported and the MSSecure.xml file that is automatically downloaded by MBSA 1.2 will no longer be updated to include new security bulletins. We encourage you to migrate to MBSA 2.0 before this date to guarantee continued security bulletin detection.

Note Microsoft is committed to providing accurate security update detection and deployment for all MSRC security updates for supported Microsoft customers. These include all Systems Management Server (SMS) managed clients. Therefore, catalog data for Microsoft SMS 2.0 or SMS 2003 with the Software Update Services (SUS) Feature Pack will continue to be updated to guarantee continued security update detection for SMS 2.0 or SMS 2003 customers. The Extended Security Update Inventory Tool will also be updated to guarantee comprehensive detection and deployment for all Microsoft security issues that are listed on the Microsoft Security Bulletin Search Web page. To use the Microsoft Security Bulletin Search, visit the following Web site:

http://www.microsoft.com/technet/security/current.aspx

Support Statement for SMS 2.0

Software Update Services Feature Pack and SMS 2003 Security Update Inventory Tool

As documented in Microsoft Knowledge Base article 895660, the MBSA 1.2.1 catalog (MSSecure.XML) that is used to provide security detection and deployment information to MBSA 1.x will be no longer be updated for use with MBSA 1.2.1 after March 31, 2006. The SMS 2.0 Software Update Services Feature Pack and the SMS 2003 Security Update Inventory Tool use the MBSA 1.x scan engine and therefore the MSSecure.XML file. To enable customers using SMS 2.0 Software Update Services Feature Pack and the SMS 2003 Security Update Inventory Tool, MSSecure.XML will continue to be updated for use with these SMS tools. The MSSecure.XML file will be updated until SMS 2.0 reaches the end of Extended Support in December 2010. Newer Microsoft products cannot be supported with either the SMS 2.0 Software Update Services Feature Pack or the SMS 2003 Security Update Inventory Tool because of limitations in the MBSA 1.x scan engine. The Microsoft products not supported by these tools include, but are not limited to: Internet Explorer 7, SQL Server 2005, Windows Vista, Windows Server codename "Longhorn", and any 64-bit products or operating systems.

The following table lists the security update detection tools that we provide for various Microsoft products. See the "More Information" section for important references and for information about how to download tools.

Affected Products	MBSA 2.0	EST	MBSA 1.2.1
Microsoft Windows 2000 with Service Pack 3 (SP3) or Service Pack 4 (SP4), Microsoft Windows XP, Microsoft Windows Server 2003, and components *	X		X
Microsoft DirectX	X
.NET Framework	X
Microsoft Windows Messenger	X
Microsoft FrontPage Server Extensions (Office XP and later)	X
Microsoft Windows Media Player 10	X
Windows Script 5.1, 5.5, 5.6	X
64-bit versions of Windows Server 2003	X
64-bit versions of Windows XP	X
Microsoft Windows XP, Embedded Edition	X
Microsoft Outlook Express	X
Microsoft SQL Server 2000 with Service Pack 4 (SP4) *	X		X
Microsoft Exchange 2000 with Service Pack 3 (SP3) *	X		X
Microsoft Office XP *	X		X
MSN Messenger (MS05-009, MS05-022) **		X
Microsoft Visual Studio 2002; Visual Studio 2003; FoxPro 8.0; Picture It!; Digital Image Pro 7.0, 9.0, and 2002; Greetings 2002; and Producer for PowerPoint (MS04-028) **		X
Microsoft ISA Server 2000 (MS05-034) **		X
Microsoft Services for UNIX (MS05-033) **		X
Microsoft Interactive Training (MS05-031) **		X
Microsoft Word Viewer 2003 (MS05-023) **		X
Microsoft Office 2000 (MS04-027, MS03-050, MS04-033)			X
Microsoft SQL Server 7.0, 2000 SP3a (MS03-031)			X
Microsoft Exchange 5.0 (MS05-012) and Microsoft Exchange 5.5 (MS05-012, MS05-029, MS03-046, MS03-047, MS04-026)			X
Microsoft SQL Server 7.0 and 2000 (SP3a only)			X
Microsoft Host Integration Server 2000, 2004 and SNA Server 4.0			X
Microsoft BizTalk Server 2000, 2002 and 2004			X
Microsoft Commerce Server 2000 and 2002			X
Microsoft Content Management Server 2001 and 2002			X

* Indicates products that make up the minimum Microsoft Update baseline.
** Indicates support for security updates only, not for update rollups or service packs. To view the specific security updates that are supported in each tool, see the "More Information" section.

MORE INFORMATION

We recommend that all customers use MBSA 2.0 to check their security update compliance. However, to deploy updates, we recommend another comprehensive update management solution, such as Windows Server Update Services (WSUS) or Systems Management Server (SMS) 2003 with Service Pack 1 (SP1). Two MBSA scanning options are available:

MBSA 2.0
MBSA 1.2.1

MBSA 2.0 is the recommended option. Each of these tools are described here. To use these tools effectively, you must also use the appropriate version of the Enterprise Update Scan Tool to scan for updates that were released before the Microsoft Update catalog was available.

If I choose MBSA 2.0 now, will I need MBSA 1.2.1 in the future?
Microsoft is committed to the success of Microsoft Update and the tools that use it. If a security update cannot be made available in Microsoft Update after updates to the MBSA 1.2.1 catalog stop, we will provide users of MBSA 2.0 a way to detect the update.

Note Updates to the MBSA 1.2.1 catalog will stop in the first quarter of 2006.

Do I have to use both MBSA 1.2.1 and MBSA 2.0?
No. On systems that use products that are included in the Microsoft Update baseline, use MBSA 2.0 and the appropriate version of the Enterprise Update Scan Tool. On systems that use older versions of some products, use MBSA 1.2.1 and the appropriate version of the Enterprise Update Scan Tool. For example, if you have Office 2000 installed broadly in the environment, we recommend that you use MBSA 1.2.1 and the Enterprise Update Scan Tool. If you have a mixed environment, you may choose to use both MBSA 2.0 and MBSA 1.2.1, or to use either tool. In these cases, make sure that you monitor updates that are not covered by the MBSA version you are using. Also, use the version of the Enterprise Update Scan Tool that was released for those updates.

To use MBSA 2.0

If your installed products meet the minimum baseline for Microsoft Update, you can obtain the greatest detection coverage by using MBSA 2.0 and the latest Enterprise Update Scan Tool. To do this, follow these steps:

Review the products that are listed as the minimum baseline for the Microsoft Update catalog. These products include the following:
- Windows 2000 with Service Pack 3 (SP3) or Service Pack 4 (SP4), Microsoft Windows XP, and Microsoft Windows Server 2003
- Microsoft SQL Server 2000 with Service Pack 4 (SP4)
- Microsoft Exchange 2000 with SP3
- Microsoft Office XP
If the products that you use match this baseline, use MBSA 2.0 to detect and to manually apply required updates. Otherwise, use MBSA 1.2.1.

To complete the assessment process, run the version of the Enterprise Update Scan Tool that is indicated in the following table. Then, install the updates that are not yet supported by Microsoft Update.

Affected Products	Solution
Visual Studio 2002; Visual Studio 2003; FoxPro 8.0; Picture It!; Digital Image Pro 7.0, 9.0, and 2002; Greetings 2002; and Producer for PowerPoint (MS04-028)	Enterprise Update Scanning Tool version 2 for Bulletin MS04-028 (Standalone)
MSN Messenger (MS05-009)	February 2005 Enterprise Update Scan Tool
MSN Messenger (MS05-022) and Word Viewer 2003 (MS05-023)	April 2005 Enterprise Update Scan Tool
Microsoft Interactive Training (MS05-031), Services for UNIX (MS05-033), and ISA Server 2000 (MS05-034)	June 2005 Enterprise Update Scan Tool

To use MBSA 1.2.1

Several products that are supported by MBSA 1.2.1 are not currently available in Microsoft Update. Therefore, MBSA 2.0 cannot scan for them. Until the updates for these products become part of the Microsoft Update catalog, you may have continue to use MBSA 1.2.1.

Note Updates to the MBSA 1.2.1 catalog will stop in the first quarter of 2006. Users of MBSA 1.2.1 will not be made aware of the latest security updates after this time. The MBSA 1.2.1 catalog will remain available for scanning these products, but new updates to these products will be published only to Microsoft Update. We strongly encourage all users of MBSA 1.2.1 to evaluate the MBSA 2.0 command-line output to make sure that scripts and migration have completed before the MBSA 1.2.1 catalog is no longer updated.

To use MBSA 1.2.1, follow these steps:

To confirm that MBSA 1.2.1 is the correct option for your needs, review the products that are not available in Microsoft Update. These products include the following:
- Microsoft Office 2000
- Microsoft Exchange 5.0 and 5.5
- Microsoft SQL Server 7.0 and Microsoft SQL Server 2000 with Service Pack 3a (SP3a)
- Microsoft Host Integration Server 2000, Microsoft Host Integration Server 2004, and Microsoft SNA Server 4.0
- Microsoft BizTalk Server 2000, Microsoft BizTalk Server 2002, and Microsoft BizTalk Server 2004
- Microsoft Commerce Server 2000 and Microsoft Commerce Server 2002
- Microsoft Content Management Server 2001 and Microsoft Content Management Server 2002
If you use the products that are listed in step 1, use MBSA 1.2.1 to obtain complete coverage. Use MBSA 1.2.1 to detect and to manually apply required updates.

Affected Products	Solution
Visual Studio 2002; Visual Studio 2003; FoxPro 8.0; Picture It!; Digital Image Pro 7.0, 9.0, and 2002; Greetings 2002; and Producer for PowerPoint (MS04-028)	Enterprise Update Scanning Tool version 2 for Bulletin MS04-028 (Standalone)
MSN Messenger (MS05-009) and Microsoft Windows SharePoint Services (MS05-006)	February 2005 Enterprise Update Scan Tool
MSN Messenger (MS05-022) and Word Viewer 2003 (MS05-023)	April 2005 Enterprise Update Scan Tool
Exchange 5.5 (MS05-029), Microsoft Interactive Training (MS05-031), Services for UNIX (MS05-033), and ISA Server 2000 (MS05-034)	June 2005 Enterprise Update Scan Tool