Ottawa PC Users' Group, Inc.
 Product Review 


Secunia PSI - Vulnerability management made easy
by Chris Taylor

If you have been using computers since the 80’s, you may remember a few things about software security vulnerabilities:
1 – they were not often discovered by bad guys
2 – they were infrequently patched by vendors
3 – it was hard to find out that patches were available

Fast forward to the 90’s.
Some vendors started showing concern over vulnerabilities, probably driven by the fact that the bad guys were getting much better and much faster at finding and exploiting security vulnerabilities. Microsoft was one of the most active in trying to make sure people patch their software (some might say they were the vendor that had the biggest need to patch for security vulnerabilities) and introduced Windows Update back in the late 90’s. Although a little crude in the beginning, it worked and made it a lot easier to keep Windows patched.

Microsoft has continued to improve Windows Update over the years. Overall, it has become an easy and reliable way of keeping Windows and some other Microsoft software up-to-date. And it seems lots of people agree. According to Wikipedia, the Windows Update web site processes an average of 90,000 page requests per second and on Patch Tuesday, outbound traffic can exceed 500 gigabits per second.

But what of other vendors? Well, most have a much spottier record on making patches easy for the end user. Only in recent years have most of the big names built automated updating into their products. Adobe did not enable automatic updating in Adobe Reader until the spring of 2010. For a single purpose program, Adobe Reader has had an astonishing number of security vulnerabilities over the years. And don’t get me started on security issues with Adobe Flash.

But even Adobe is now light years ahead of most vendors, most of whom simply have no way of automatically updating their software, leaving it to the end user to somehow find out if there are security vulnerabilities for which the vendor has written a patch.

Fast forward to 2010
The world of security vulnerabilities has become astoundingly chaotic. In October, Microsoft had a record 49 vulnerabilities fixed on Patch Tuesday. Adobe Reader has been patched 6 times this year, always for multiple vulnerabilities. Apple, who likes to pretend they don’t have security problems, patched iTunes 4 times so far this year, for a total of 63 vulnerabilities!

The bad guys are getting very good at quickly exploiting vulnerabilities. They reverse engineer patches to find how to exploit those who have not patched. There are zero-day exploits coming out that have no patch available, leaving vendors to (sometimes) scramble to get a patch out. It is the wild, wild west out there, folks.

Secunia to the rescue
Secunia is a security firm founded in 2002 that focuses on vulnerability intelligence and management, tracking information about security vulnerabilities. And then they did a very nice thing for the health of the Internet and all the Windows computers attached to it; they released a wonderful program – free for home use – that keeps the software on your computer patched!

Secunia Personal Software Inspector (PSI) is a small agent that you install on your computer. I installed the 2.0 beta version. It scans your computer and collects version information embedded in all your program executables, dynamic link libraries, web browser plug-ins, etc. It then correlates this information with Secunia’s product database and compiles a list of your installed programs. It then correlates this list with Secunia’s vulnerability database to determine if any of your programs have security vulnerabilities and, if so, if there are patches available to address the vulnerabilities.

Once the scan finishes, which only takes a few minutes, all your installed programs are listed and insecure programs are highlighted in red at the top of the list. Secunia includes a vulnerability rating so you can know how severe the problem is. Right from that screen, you can view more details about the program. If it needs a patch, you can initiate it right from a link.

There are some programs that Secunia cannot patch by itself for some reason. In those instances, you will get a link to the vendor’s site so you can deal with the problem manually.

By default, PSI will automatically scan your computer once a week looking for new programs or new vulnerabilities. The tray icon will change from a reassuring green to yellow or red if vulnerabilities are discovered.

PSI has a fair amount of configurability, depending on how automatic you want things to be. You can go from totally manual, where you have to load the program and initiate scans and manually approve patches, right up to having it load automatically, monitor when new programs are installed or removed, and download and install patches automatically as PSI sees they are required.

I have opted for almost the most automatic configuration of PSI. The only non-automatic choice I made was to have PSI prompt for approval to apply the required patches. The reason I do this is not because I want to refuse a security patch. I always accept security patches. But I am curious as to how often I am getting patches and this will let me keep better tabs on things.

Proof in the pudding
As many of you know, I am a little paranoid when it comes to the security of my computers. I work in IT security. I give presentations at the Ottawa Public Library on how to protect your computer. So, when I first installed PSI, I thought it would give me the added assurance that I am up-to-date on all my security patches. Imagine my surprise when it told me 2 of my 90 programs had security vulnerabilities for which patches were available.

One was Irfanview – a really nice, free, image viewer. I never thought to check if Irfanview had security vulnerabilities.

The second was an open source component included in TubeSucker – a free program for downloading YouTube videos. I never would have found that one on my own.

So far, I have installed PSI on half a dozen computers of mine, friends and family. None of them have reported as fully patched when PSI was installed.

What about unknown programs?
What if Secunia’s database of over 12,000 programs does not cover some of yours? Well, if your program is so obscure that Secunia does not know about it, it is pretty unlikely the bad guys are looking for security vulnerabilities in it and actively writing exploits. But it could happen.

I noticed I have a program installed that is not on PSI’s list of programs found on my computer: a nifty little program called FotoSketcher that can apply paint-like effects to your digital images. So, I clicked the link in PSI, “Are you missing a program?”, and was walked through a process to submit info to Secunia so they could track it in the future. But I couldn’t submit it. It turns out the author did not embed version information into the executable. Without version information, there is no way for Secunia to track for vulnerabilities.
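To make the correlation step described above concrete, here is an added toy example (not Secunia's code, and using a constructed product list, version numbers and ratings) that takes an inventory of program names and embedded file versions, matches it against a small vulnerability database, and reports the insecure programs first, the patch route (automatic or vendor link), and the case where an executable carries no version information at all.

```python
"""Toy version of the correlation step a scanner like PSI performs: an inventory
of (program, file version) read from executables is matched against a vulnerability
database. All products, versions and ratings below are constructed, not Secunia data."""

# Constructed vulnerability database: product -> (fixed_in, rating, auto_patch).
# fixed_in None means the vendor has not shipped a patch yet; auto_patch False
# means the scanner can only hand the user a link to the vendor's site.
VULN_DB = {
    "ImageViewer": ("4.28", "Highly critical", True),
    "VideoGrabber": ("1.3.2", "Moderately critical", False),
    "MediaPlayer": (None, "Extremely critical", False),
}

def parse_version(text):
    """Turn '4.27.1' into (4, 27, 1) so comparison is numeric: '4.9' < '4.27'."""
    return tuple(int(p) for p in text.split("."))

def assess(program, version):
    """Return (status, detail) for one inventoried program."""
    if version is None:
        # No VERSIONINFO resource in the executable: nothing to correlate on
        return "untracked", "no version information in executable"
    if program not in VULN_DB:
        return "unknown", "product not in database"
    fixed_in, rating, auto_patch = VULN_DB[program]
    if fixed_in is None:
        return "insecure", f"{rating}; no patch available yet"
    if parse_version(version) >= parse_version(fixed_in):
        return "patched", f"fixed in {fixed_in}"
    how = "auto-patch available" if auto_patch else "manual update via vendor site"
    return "insecure", f"{rating}; update to {fixed_in} ({how})"

def scan(inventory):
    """Assess every program, insecure entries first, like PSI's red-at-the-top list."""
    order = {"insecure": 0, "untracked": 1, "unknown": 2, "patched": 3}
    rows = [(p, v) + assess(p, v) for p, v in inventory]
    return sorted(rows, key=lambda r: order[r[2]])

# Constructed inventory, as a file-version walk over Program Files might yield
INVENTORY = [
    ("ImageViewer", "4.27"),
    ("VideoGrabber", "1.3.1"),
    ("MediaPlayer", "10.1"),
    ("SketchTool", None),      # author embedded no version info
    ("Notepad2", "5.0"),
]

if __name__ == "__main__":
    for program, version, status, detail in scan(INVENTORY):
        print(f"{status:9} {program:13} {version or '-':6} {detail}")
```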

PSI is an amazing program that every Windows user should install. Secunia is to be commended for making this tool available free for home use. Highly, highly, highly recommended!


Bottom Line:

Secunia Personal Software Inspector 2.0 beta
Free for home use
System requirements: Windows XP SP3, Vista, or 7 with the latest version of Microsoft Update
Both 32-bit and 64-bit Windows supported
http://secunia.com/vulnerability_scanning/personal/



Copyright and Usage
Ottawa Personal Computer Users' Group (OPCUG), Inc.
3 Thatcher Street, Ottawa, ON  K2G 1S6

The opinions expressed in these reviews do not necessarily
represent the views of the OPCUG or its members.
