November's Patch Tuesday marked Microsoft's first monthly release without any updates sent to its Microsoft Baseline Security Analyzer v1.2, the company's original patch scanning tool.
Microsoft would have ended support for MBSA v1.2 last year, but the outcry from Windows IT managers made the software company extend support for another year.
Wanting to appease Windows IT managers with older Microsoft products, Microsoft announced a deal earlier this year with the creator of MBSA, Shavlik Technologies LLC, based in Rosemont, Minn., to continue support.
Microsoft stopped supporting the tool in July, and October's Patch Tuesday was the last time it sent updates to the tool's MMSecure .XML file. The MSSecure .XML file contains all the patches Microsoft has released for what are now legacy products since 1999. Shavlik now provides a free tool on its Web site called NetChk Limited for IT managers with Microsoft legacy products such as Windows NT 4.0, Windows 2000 SP3 and below, Exchange 5.0 and 5.5 and Office 2000.
NetChk Limited also takes the scan data and turns it into XML files that can be read by newer versions of MBSA. Microsoft still supports MBSA v2.0, which supports 64-bit Windows servers and MBSA v2.1 beta.
While Microsoft Baseline Security Analyzer's debut made Microsoft the first operating system vendor to offer a free patch-scanning tool, the majority of Windows IT managers no longer use the scanning tool.
"Many people these days use WSUS [Windows Server Update Services] as their tool for verifying patches against servers," said Greg Shields, an independent security consultant for enterprise systems in Denver, Colo. "There really aren't too many people using MBSA v1.2."
WSUS is a basic software update service for Microsoft Windows operating systems and some of its platforms, such as Exchange Server and Microsoft Office. It allows IT administrators to send out patches and updates to desktops throughout a company from an internal server and identifies computers and applications that are missing the necessary patches.
Some Windows IT shops also use paid products from Shavlik or other patch management companies like Big Fix Inc., based in Emeryville, Calif., or Lumension Security, formerly PatchLink, based in Scottsdale, Ariz.
Shavlik makes sense
Shavlik was a natural partner for Microsoft in developing MBSA, since founder Mark Shavlik once worked at Microsoft on the Windows NT kernel project, among others.
Shavlik was first a security consultant and application development company producing a product called Inspectorscan, which scanned systems for missing patches and poor security configurations.
Based on updated Interscan technology, Shavlik developed a product in 1999 called Hot Fix Network Checker, or HFNetChk, which is the engine used in Microsoft Baseline Security Analyzer. HFNetChk was eventually folded into MBSA v1.2, and its technology is also used in Microsoft's Systems Management Server.
Microsoft's MBSA and WSUS technology support a partial range of Microsoft products but no non-Microsoft patches. Most third-party patch management products now include scanning and updates for non-Microsoft companies like Adobe, Apple's iTunes and others, as well as other security features that help protect network endpoints.