Friday, January 12, 2007

Software Vulnerability Scanner for the Masses


Most of the time when we talk about PC security, we think of guarding against the big vulnerabilities with Windows Updates, Office Updates, anti-virus protection, spyware/malware scans, firewalls, etc.

However, inside most of our computers reside hundreds of programs, and thousands of files that could contain holes for exploitation by a clever hacker.

One of the biggest complaints I hear from users who want to install software from home or the web on their workstations at work is, "I don't understand why you won't authorize me to have this program!"

Easy.

  1. We would have to ensure that all licensing conditions are met for installation.
  2. We would have to ensure it doesn't break any of the business-critical software applications we have approved for you to do your job.
  3. With our limited resources, we cannot end up supporting every application, and every problem it brings, that might be introduced into our network.
  4. But the biggest reason of all...we don't have the time to fully test every application to ensure it doesn't present any security holes to our network.

So we keep a list of the applications we do approve of, and then must keep a constant eye out for vulnerability reports, patch issuances, and plan for upgrades on them all. That can be a lot of work.

Home-user PCs are even more problematic to keep safe due to the number of applications that can collect on them.

Short of doing the same work that we perform in the enterprise environment...what's a home user to do?

Enter the free service Secunia Software Inspector. Yes. I did say free.

I stumbled upon this wonderful vulnerability scanner for the masses the other day while I was preparing my post on Keeping up with Technology Security.

Secunia is a network security company that focuses on finding and managing software vulnerabilities in the corporate environment. Secunia provides daily public updates on current exploits and viruses. And they are now offering a free on-line vulnerability scanner for PCs.

How great is that?!

Here's how it works.

Browse over to the Secunia Software Inspector website in Firefox, Internet Explorer, or Opera (Java required). IE worked the fastest and smoothest for me.

Click the "Start Now" button to activate the Java application.

Then, once it has loaded to memory, click the displayed page's "Start" button.

It will download the latest patch level catalog to the Java application, then begin a quick scan of your drive.

Secunia's Software Inspector looks for the presence of many Internet browsers and plugins, IM clients, email clients, media players, operating systems, QuickTime files, and the like (full list here). It's not everything, but it sure covers the most commonly found applications likely to be on users' systems...and often behind on patches.

Once complete, it will clearly list any software from its catalog that is present on your system and needs updating.

Now it's up to you to get the patches or upgrades...kindly provided on the results page in most cases.

My Own Results

Not surprisingly, my Windows and Apple products were up to date.

However, I found I did have some work to do...thanks to Adobe.

Adobe has a policy of not uninstalling older versions of their products when you install new ones. They do this for backwards compatibility. Unfortunately, this can leave vulnerable versions on your systems.

Although I had recently installed the latest-and-greatest Adobe Reader 8, I had failed to uninstall Adobe Reader 6.0.0.878. The latest version for that build was 6.0.5. I chose to just fully uninstall it.

Next up, Macromedia Flash Player. Turns out I had versions 5, 7, and 8 all on there. I checked the "Add/Remove Programs" list, but it was only listed there once. The latest is version 9.0.28.0. So I downloaded it and installed it. Reran the scan and they were still showing. By looking at the scan results, I was able to locate these earlier versions and find that they were .ocx and .dll files. So I renamed them (in place) and rescanned. Secunia wasn't fooled one bit. Even though I had renamed them, it still found them! So I chose to delete them.

Finally I had to deal with Sun's Java platform.

I had the latest version which checked out fine, but it picked up all the older versions of Java that had never been removed (Java and Adobe folks must hang out together.) So I uninstalled all but the latest version.

Rescanned and now I got a clean bill of health!

Note: There is also an option to run a "thorough" scan. This will scan all your drives looking for the software/files in the event it was installed or copied to a "non-standard" installation location.
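The check the inspector performs, reduced to its essentials, as an added example in Python (this is not Secunia's code). It builds an inventory of installed copies, each carrying the version read from the file's own metadata rather than its filename (which is why a renamed .ocx still gets caught), and compares every copy against a catalog of latest patched versions per branch. The catalog versions 6.0.5 (Adobe Reader 6 branch) and 9.0.28.0 (Flash Player) are the ones named above; every other version and every path is constructed for illustration, and the version comparison assumes purely numeric dotted versions.

```python
"""Outdated-software check of the kind Secunia's Software Inspector performs.

Added example, not Secunia's code. Catalog versions 6.0.5 (Adobe Reader 6
branch) and 9.0.28.0 (Flash Player) are the ones named in the post; every
other version, and every path, is constructed for illustration.
"""
from collections import Counter


def parse_version(text: str) -> tuple[int, ...]:
    """'6.0.0.878' -> (6, 0, 0, 878). Assumes purely numeric dotted versions."""
    return tuple(int(part) for part in text.strip().split("."))


def is_older(found: str, latest: str) -> bool:
    """True if `found` is strictly older than `latest`.

    Shorter tuples are zero-padded so that 6.0.5 == (6, 0, 5, 0) correctly
    sorts after 6.0.0.878 == (6, 0, 0, 878), and 9.0.28 equals 9.0.28.0.
    """
    a, b = parse_version(found), parse_version(latest)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Catalog: product -> {major branch: latest patched version in that branch}.
CATALOG = {
    "Adobe Reader": {8: "8.0.0", 6: "6.0.5"},  # 8.0.0 is constructed
    "Adobe Flash Player": {9: "9.0.28.0"},
}

# Inventory as a scanner would build it from file version metadata (constructed).
# The version comes from the file's resource block, not its name, so a renamed
# .ocx/.dll is still identified, as the post observed; the path is informational.
INVENTORY = [
    ("Adobe Reader", "8.0.0", r"C:\Program Files\Adobe\Reader 8.0\AcroRd32.exe"),
    ("Adobe Reader", "6.0.0.878", r"C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe"),
    ("Adobe Flash Player", "9.0.28.0", r"C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx"),
    ("Adobe Flash Player", "8.0.24.0", r"C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx"),
    ("Adobe Flash Player", "7.0.19.0", r"C:\WINDOWS\system32\Macromed\Flash\Flash7.old"),
    ("Adobe Flash Player", "5.0.30.0", r"C:\WINDOWS\system32\Macromed\Flash\swflash.ocx"),
]


def check(inventory, catalog):
    """Return one finding per installed copy that is behind the catalog."""
    findings = []
    for product, version, path in inventory:
        branches = catalog.get(product)
        if not branches:
            continue  # product not covered by the catalog: nothing to report
        major = parse_version(version)[0]
        if major in branches:
            latest = branches[major]
            reason = "behind the latest patch in its branch"
        else:
            # Branch has dropped out of the catalog entirely: report it against
            # the newest version the catalog still carries for the product.
            latest = max(branches.values(), key=parse_version)
            reason = "branch no longer in catalog; newest supported version shown"
        if major not in branches or is_older(version, latest):
            findings.append({"product": product, "found": version, "path": path,
                             "latest": latest, "reason": reason})
    return findings


def duplicate_copies(inventory):
    """Products present more than once on disk (what Add/Remove Programs hides)."""
    counts = Counter(product for product, _, _ in inventory)
    return {product: n for product, n in counts.items() if n > 1}


if __name__ == "__main__":
    for f in check(INVENTORY, CATALOG):
        print(f"{f['product']} {f['found']} at {f['path']}: "
              f"{f['reason']} (latest {f['latest']})")
    print("multiple copies installed:", duplicate_copies(INVENTORY))
```

The per-branch catalog is what makes the Reader case come out right: Reader 8.0.0 is current for its branch, while 6.0.0.878 is flagged against 6.0.5 rather than against 8. The three old Flash copies are flagged because their branches are not in the catalog at all, and `duplicate_copies` surfaces the situation the post describes, where one Add/Remove Programs entry hid three files on disk.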

Final Thoughts

Secunia's Software Inspector will now be a site I visit and run regularly.

It is fast, it does a good job at looking for vulnerable versions of software that most Windows users are likely to have on their systems, and it is a free service from a trusted security company.

It doesn't check everything, but all it takes is one hole to sink an entire ship...so every vulnerability caught and patched is one less thing to worry about.

I'm really surprised I haven't seen more references to this on the web and in blogs!

While it may not be as thorough a patching plan as enterprise environments use...it sure will go a long way to easily keep your home systems safer.

Additional Links

Free Tool Scans Your PC for Missing Patches - via the Washington Post Security Fix column.

Secunia Software Inspector finding lots of unpatched software - via InfoWorld

Are you patched? Interesting statistics from Secunia Software Inspector - Via Spyware Sucks

Versiontracker - website that tracks and lists the latest version updates for software. Nice place to keep an eye on as well.

Keep Safe!
--Claus
