Microsoft extends life of security scanner

Last-minute extension prevents a gap in security update detection for users of the MBSA vulnerability assessment tool.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
Microsoft at the 11th hour has extended support for a popular tool that lets users scan Windows computers for unpatched programs and other security flaws.

The software maker originally planned to end support for version 1.2 of the Microsoft Baseline Security Analyzer on Friday. However, following user feedback, the company has now extended support until an undetermined date, Doug Neal, program manager at Microsoft, said in an interview Thursday.

"The decision was based on a lot of customer feedback we received that said removing support at this time would create a gap in security update detection for Microsoft products," he said. The decision to extend support was made on Monday, he added.

The MBSA tool is used by organizations to determine which Microsoft security patches need to be installed on their systems. Microsoft released MBSA 2.0 last July. However, that version can't detect the need for fixes for some Microsoft products, including Office 2000, MSN Messenger and the Microsoft Works Suite.

Microsoft had nonetheless pushed customers to upgrade to 2.0, giving rise to some protest. "It would seem to me that ending support for MBSA 1.2 is an extremely ill-advised move," one user wrote recently in a Microsoft forum on MBSA. Some people also argued that MBSA lacks certain features, such as support for scripting results.

Microsoft first introduced the MBSA tool four years ago as part of its efforts to regain the public's trust in the security of its products. The software has won a loyal user base; more than 3 million scans are done with it each week, Neal said. "It is a popular tool, even more popular then we first thought," he said.

The major difference between MBSA 1.2 and version 2.0 of the product is the underlying scan technology. The older version is based on a scan engine Microsoft licensed from Shavlik Technologies. The newer version uses the Windows Update agent on Windows computers. Microsoft made this change to unify its patch detection technologies.

No new end-of-life date has been set for the aging MBSA version. Instead, Microsoft is soliciting more feedback from users. "Instead of setting a new date that may be subject to change, the MBSA team is taking additional time to further assess customer needs," Neal said. An update will be provided on or before June 30, he said.

The MBSA is free and scans for missing Microsoft patches. Alternative vulnerability scanners that can also call out missing updates from other software makers are sold by companies including McAfee, Qualys, Internet Security Systems and Shavlik.