Tuesday, December 25, 2007

Secunia Personal Software Inspector RC-1: Wowzers!

A while back I blogged about the Secunia Personal Software Inspector (PSI).

I found my early beta version of PSI to be a great localized start to their free, on-line vulnerability scanner. I found it to be fast, effective, and dead-on useful. I liked it so much I installed it on all our home systems. But there were a few things missing:

  1. It didn't seem very customizable. It was pretty much run and respond.

  2. It added itself into the Windows autostart group and I couldn't find a way to disable this behavior without manually removing it with a third-party utility.

  3. It was unclear how to exclude applications/folders from the scanning. I always ended up with a significant list of "unsecure" applications when the program went through my program archive folder.

Early Beta versions that were subsequently released allowed for Vista support, exclusion rules (finally!) and more application detection/monitoring. But it just seemed to be falling short of what it was capable of achieving. It was like loading MS Word, but only finding Notepad. Lots of promise, but thin on delivery.

Secunia clearly had a hidden vision.

The recent release update of Secunia PSI version 0.9.0.0 (Release Candidate 1) just blew the doors off their earlier programs. I am not aware of any program that comes close to the features and abilities of this application.

Secunia's PSI has the potential to allow Windows users to monitor the security/patch status of their applications like no other application I am aware of.

Be amazed. I was, and I was already familiar with it.

I even was surprised by what it found in the XP SP3 RC1 package...but more on that later.

What PSI Is and Is Not

The Secunia PSI is an invaluable tool for you to use when assessing the security patch state of software installed on your system. It constantly monitors your system for insecure software installations, notifies you when an insecure application is installed, and even provides you with detailed instructions for updating the application when available.

It doesn't scan your system for malware, viruses, trojans, rootkits or other baddies. It doesn't replace your need for a firewall. What it does do, and it does it outstandingly well, is to scan your system and then compare the findings against Secunia's database of applications with security updates. It then reports on any application matches it finds and clearly and helpfully displays the insecure applications on your system...and offers you solutions to fix them.

You may decide to uninstall the program, delete the program, upgrade the program, patch the application, or indicate to PSI you want to "exclude it" from listing.

It identifies applications that need to be patched with a newer version, as well as those that are at end-of-life status and must be considered for upgrade to an entirely new version or build (or just have to be abandoned).

Not only does it do periodic scheduled scans of your entire system, it also actively monitors your system when you install and uninstall new applications; updating your PSI report accordingly.

Cool stuff.

Supported Systems

Microsoft XP - SP2, Windows 2003, Vista, and Windows 2000 - SP4.

You must have administrator-level permissions to install and run PSI on a system.

You must have network access available to the Secunia servers (all data is sent via encrypted transmissions for security), as well as access to Windows Update servers.

Now...on to the features

Overview Tab

The PSI Overview has received a major update.

You may (optionally) register the program. I did so and provided a user name, my email address and confirmed that I was using the program for personal use.

It is currently giving my Vista notebook a Secunia System score of 100%. This is a simple ratio of the number of secure applications to the number of all applications installed on my system. It reports that my last system scan was 24 hours ago, and that I have no insecure applications, no end-of-life applications, and 268 patched (current) applications on my system. (Of course, that is 268 applications that Secunia has in its database; my actual installed number may be a bit higher.)

I have a historic bar-chart to show me a week-by-week comparison on how my system is doing, as well as a pie-chart showing the breakdown of insecure, end-of-life, and patched applications.

Insecure Tab

This tab lists all the applications that Secunia currently detects that were located on your system, and were found to need to be updated to a newer patch/version level.

Each application is listed individually with the name, version, security state, and some icons to indicate options available to assist you with resolution.

By default, the system will only display "Easy-to-Patch" applications. These are ones that most general users should not have any issues updating. You can disable that if you are technically comfortable with more advanced updating techniques that some applications may require.

For example, after my first scan, it hid eight of those "hard-to-patch" applications. Those turned out to be no big deal for me to update, but some users might not want to or be able to update Microsoft Core XML Services or end-of-life versions of Microsoft Digital Image 2006.

If an insecure application is found, it may be expanded into a detail view.

This provides a brief summary of the security issues related to the application and sometimes helpful hints on patching and why it was identified. It also provides a "Fix It!" section that advises a user on what steps they can take to rectify the situation.

At the bottom of the expanded application section is the "Toolbox" with eight icons that may or may not all be accessible depending on the application.

  1. Download Solution: If a direct download link is available for the product to be updated, clicking on this link will either begin a direct file download of the patch/updated version or pull up the web-page from which you can search for the download.

  2. Solution Wizard: This icon launches a PSI mini-wizard to walk you through the process of downloading and installing an update. This is a great addition to help users who might not be used to downloading and updating programs. It is non-technical in presentation and very clear in most circumstances.

  3. Re-Scan Application: If you have updated/deleted/modified the application and it is still reporting the old version, this button launches a quick-scan of the application, which usually causes the item to then be removed from the Insecure list. I haven't had to use this as I have PSI to monitor installations/de-installations of software so it catches these changes automatically.

  4. Online References: This icon pulls up a dialog box which will list any security advisories related to the product that Secunia itself has, as well as vendor web page information (if available).

  5. Technical Details: This icon (to me) is one of the most helpful icons of all. It provides the version number of the detected application, as well as the full installation path and filename. This is extremely helpful for locating obscure applications that might be hard to track down, or not listed in the Add/Remove Programs list. (More on that in a minute.)

  6. Open Folder: This icon launches Windows Explorer to the folder where the insecure application was found. This is really helpful and saves time when you want to examine the file and its program folder for more information.

  7. Ignore Application: This is a feature I really was hoping for. This allows you to set a default "ignore" filter on the application so it will not appear in the list. I find this really helpful for managing the older (and insecure) archive applications I keep around, just in case. It also is an easy way to deal with end-of-life applications that no more updates or patches are available for.

  8. Add/Remove Programs: This last icon launches the Add/Remove Programs window for quick uninstallation of the application if you so choose.

The full scope of information, details, and helpful options provided for each application is simply amazing.

I've hinted at one more interesting feature of PSI: it does a full file-system scan of your hard-drives looking for insecure applications it has cataloged. This is much more important than may be understood at first. Not only does PSI look at "installed" applications (including Windows Updates) on your system, but it is also able to identify applications that were not "installed" but copied over to your system, say portable applications. This allows a much more thorough scan and protection of your system for insecure applications. And if "real-time" application monitoring is enabled, anytime you copy an application to your system (or install it in the traditional sense) it will check and report if it is a patched or insecure version. Amazing.

End-of-Life Tab

This tab also contains all the items listed in the "Insecure" tab.

However, applications listed here are ones that PSI has detected but that vendors are no longer issuing patches or alerts regarding security issues. It is left up to you if you wish to remove/uninstall them, filter them "ignore", or see if an upgrade to a newer program/version is possible.

You can also just choose to leave them alone, which I had to do in a few cases, but it is a case of some information is better than none at all. If you know that an application is insecure, but choose not to respond, at least that puts you ahead of others who don't know at all. This information at least allows you to assess the potential threat(s) the insecure application poses as a threat-vector and respond accordingly.

Patched Tab

This tab contains a list of all the applications that Secunia PSI has detected on your system and that patches are available for.

It contains all the information and options as listed under the "Insecure" tab.

I do find the tab description from Secunia a bit confusing:

This page displays applications that the Secunia PSI has detected on your computer for which there are no known security updates available. Newer versions may be available, however, these are not known to address security issues.

At first read, this might lead some to think these are insecure applications that have no security updates available, or that may have newer versions but don't address security problems.

That would be an incorrect interpretation.

With a careful reading, what this list of programs actually is, is all the programs detected on your system that Secunia PSI is able to monitor and catalog, and that were found to be current on their security patch level. Having a program listed here under this tab is a Good Thing.

It is possible that an application listed here may actually have a newer version or patches available, but they do not offer any known security protections over the application listed at the scan time.

Scan Tab

Clicking on the Scan tab does one of three things: it will start a manually initiated scan of your system, it will show you the progress status of an ongoing scan, or it will allow you to stop the current scan.

It also displays when the last scan was run, and when the next one will begin (usually a week apart).

Finally it shows if there are any errors encountered during the PSI scan.

The scan times themselves do take a bit of time to run. As it will scan your entire system (except for any exclusion filtered locations) it is not necessarily a blazing-fast process, however, once a scan is run it is pretty unobtrusive and doesn't seem to impact the system at all. Scans will execute automatically once a week, or on demand if you choose to run one manually.

Settings Tab

The user setting options for Secunia PSI are much more user-friendly than in previous versions.

Earlier versions of PSI were basically limited to installing the program, downloading and applying patches, scanning manually, or removing the program. You weren't given any control if you didn't want PSI to load at boot or wanted to disable application monitoring.

Secunia must have gotten some feedback on these areas because they are addressed here, and the power is in the user's hands.

You may enable/disable showing of "hard-to-patch" applications.

You may enable/disable Secunia PSI from running at boot.

You may enable/disable application monitoring which allows PSI to alert you to potential application security problems as programs are installed or copied to your system, as well as updating your lists when they are uninstalled or deleted.

This tab also displays all your current "Ignore" rules set for locations and/or applications you have chosen to manually remove from the scan lists for whatever reason. This is a really great idea of PSI as it still allows you to see which applications you excluded, so although they might no longer appear in your lists, they are never "out-of-sight" and forgotten.

Lastly, here you can set additional Ignore rules (filters). You provide a rule name, then set the rule which is a drive or folder path, or file which you want PSI to ignore and exclude from scanning. This gives you complete flexibility and allowed me to have PSI completely skip my archive folder and subdirectories. No more "false-alerts" on applications I have stored away, but don't want to monitor.

Profile Tab

This is a fully optional section where you may enter a username, screen-name, email address, and save your profile. This does two things: 1) provides you with security-related information from Secunia as well as new feature updates and notifications on PSI, and 2) gets your name to show up on the Overview tab.

It is optional, and provides a method for you to cancel your subscription and delete your Secunia Profile.

How many applications give you that right up front?

Feedback Tab

This last tab allows you to send feedback to Secunia regarding issues, ideas and suggestions. It's a simple comment text field with the options to share your name and email address if you wish.

Additional Thoughts

It is free for personal use.

Secunia PSI does not have an offline mode. It can maintain your last scan results and system standings, but scans require an Internet connection to get its "application signature" list and security standing results.

In the act of patching some older versions of Flash, I found out that PSI does use Flash to control some elements of its graphs. While Flash doesn't seem to be required, it does enhance the GUI and display of PSI.

Secunia claims that PSI can catalog and provide information on over 5,500 applications (and, if I am reading it correctly, over 300,000 versions of those applications) at this time, while the on-line version can only scan and report on the most common 40 applications. Or as Secunia puts it:

The PSI is currently able to detect and check more than 5,500 different applications (major branches).

To clarify, by 1 application we mean ALL versions of a particular application. As an example, our rule for Opera 9.x is capable of detecting version 9.00, 9.01, 9.02, ..[snip].., 9.23, 9.24, 9.50 and so on. This also includes localised and future/not-yet-released versions.
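The detection model described in this post (a full file-system scan that also sees copied, never-installed programs, branch-level rules like the Opera 9.x one, Ignore rules for folders, and the score as a ratio) looks like this in Python. This is an added example, not Secunia's code and not part of the original post; the rule format, product names, version thresholds, paths and function names are all assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed rule set: one rule per major branch, so a single entry covers
# every version in that branch. Product names and thresholds are made up.
RULES = {
    "examplebrowser.exe": [
        {"branch": (9,), "fixed": "9.24"},   # 9.x older than 9.24 is insecure
        {"branch": (8,), "fixed": None},     # 8.x gets no more patches
    ],
    "exampleplugin.ocx": [{"branch": (6,), "fixed": "6.0.88.0"}],
}

# Constructed inventory: (path, file version) pairs, as a recursive walk that
# reads each file's version resource would produce.
INVENTORY = [
    (r"C:\Program Files\ExampleBrowser\examplebrowser.exe", "9.50"),
    (r"D:\Portable\old\ExampleBrowser.exe", "9.02"),        # copied, never installed
    (r"D:\Archive\installers\examplebrowser.exe", "8.54"),
    (r"C:\unpacked_sp\i386\exampleplugin.ocx", "6.0.79.0"),
    (r"C:\Tools\legacy\examplebrowser.exe", "8.54"),
    (r"C:\Tools\misc\unknown.exe", "1.0"),                  # no rule: not counted
]

def parse_version(text, width=4):
    """'9.02' -> (9, 2, 0, 0) so versions compare numerically, not as strings."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (width - len(parts))

def is_ignored(path, ignore_rules):
    """True if path equals an Ignore rule or lies below it (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(p == r or r in p.parents for r in map(PureWindowsPath, ignore_rules))

def classify(filename, version):
    ver = parse_version(version)
    for rule in RULES.get(filename.lower(), []):
        if ver[:len(rule["branch"])] == rule["branch"]:
            if rule["fixed"] is None:
                return "end-of-life"
            return "patched" if ver >= parse_version(rule["fixed"]) else "insecure"
    return None

def scan(inventory, ignore_rules=()):
    report = {"insecure": [], "end-of-life": [], "patched": [], "ignored": []}
    for path, version in inventory:
        if is_ignored(path, ignore_rules):
            report["ignored"].append(path)   # kept visible, not silently dropped
            continue
        state = classify(PureWindowsPath(path).name, version)
        if state:
            report[state].append((path, version))
    counted = sum(len(report[k]) for k in ("insecure", "end-of-life", "patched"))
    # Score as described in the post: secure applications / all detected ones.
    report["score"] = round(100 * len(report["patched"]) / counted) if counted else 100
    return report

if __name__ == "__main__":
    print(scan(INVENTORY, ignore_rules=[r"d:\archive"]))
```

Ignoring the archive folder raises the score because the end-of-life copy stored there no longer counts, yet the path stays in the `ignored` list so it is not forgotten.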

It uses the Windows default web-browser as set on the system. That means it can use and supports Internet Explorer, Firefox, Opera, and Netscape Navigator. It does not (yet) let you manually override the System default web browser and choose your own. For example, I still leave Internet Explorer as our default system web browser, even though I never use it. However, PSI will not let me manually point PSI to use Firefox instead. That would be a nice option.

While you can run a scan manually whenever you wish, you don't seem to be able to change the automatically set frequency to a particular scheduled date/time. That would be a nice feature.

PSI and XP SP3, RC1: Very Interesting!

As I mentioned in my post introduction, PSI made a curious discovery when I ran it on my desktop system.

Late last month I had been playing with a pre-release version of XP SP3 on my virtual systems, just to peek around and see what it really could do.

As part of that process, I had copied the unpacked XP SP3 files to my main "real" drive for more poking and peeking.

Later I had downloaded the XP SP3 RC1 version and was able to successfully create a Slipstreamed XP SP3 setup disk.

So I now had multiple copies of the unpacked XP SP3 files scattered in various places on my desktop system.

After Secunia PSI got done with its pass, I was going through the process of updating and/or removing the insecure applications it found on my system and found two surprises.

Turns out Microsoft has included two insecure application versions in its XP SP3 RC1 package!

The first was "flash.ocx" which turned out to be identified as version 6.0.7.9.0

http://secunia.com/advisories/26027/

The other application was .NET version 1.0.3705.6018 "aspnet_wp.exe".

http://secunia.com/advisories/26003/

I can't say that these will actually install on a user's system in all circumstances; however, seeing as newer secure versions are available, I was startled to see them present.

Only thing I can figure is that these particular versions are included for base compatibility purposes, but it was still a curious find...and showed the depth that PSI runs in application/file scanning.

Secunia Personal Software Inspector - RC1 - Highly Valca Recommended.

--Claus
