Ottawa PC Users' Group, Inc.
PSI - Vulnerability management made easy
If you have
been using computers since the 80s, you may
remember a few things about software security
1 they were not often discovered by bad guys
2 they were infrequently patched by vendors
3 it was hard to find out that patches were
Fast forward to the 90s.
Some vendors started showing concern over
vulnerabilities, probably driven by the fact that the bad
guys were getting much better and much faster at finding
and exploiting security vulnerabilities. Microsoft was
one of the most active in trying to make sure people
patch their software (some might say they were the vendor
that had the biggest need to patch for security
vulnerabilities) and introduced Windows Update back in
the late 90s. Although a little crude in the
beginning, it worked and made it a lot easier to keep
has continued to improve Windows Update over the years.
Overall, it has become an easy and reliable way of
keeping Windows and some other Microsoft software
up-to-date. And it seems lots of people agree. According
to Wikipedia, the Windows Update web site processes an
average of 90,000 page requests per second and on Patch
Tuesday, outbound traffic can exceed 500 gigabits per
But what of
other vendors? Well, most have a much spottier record on
making patches easy for the end user. Only in recent
years have most of the big names built automated updating
into their products. Adobe did not enable automatic
updating in Adobe Reader until the spring of 2010. For a
single purpose program, Adobe Reader has had an
astonishing number of security vulnerabilities over the
years. And dont get me started on security issues
with Adobe Flash.
Adobe is now light years ahead of most vendors, most of
whom simply have no way of automatically updating their
software, leaving it to the end user to somehow find out
if there are security vulnerabilities for which the
vendor has written a patch.
Fast forward to 2010
The world of security vulnerabilities has become
astoundingly chaotic. In October, Microsoft had a record
49 vulnerabilities fixed on patch Tuesday. Adobe Reader
has been patched 6 times this year, always for multiple
vulnerabilities. Apple, who likes to pretend they
dont have security problems, patched iTunes 4 times
so far this year, for a total of 63 vulnerabilities!
The bad guys
are getting very good at quickly exploiting
vulnerabilities. They reverse engineer patches to find
how to exploit those who have not patched. There are
zero-day exploits coming out that have no patch
available, leaving vendors to (sometimes) scramble to get
a patch out. It is the wild, wild west out there, folks.
Secunia to the rescue
Secunia is a security firm founded in 2002 that
focuses on vulnerability intelligence and management,
tracking information about security vulnerabilities. And
then they did a very nice thing for the health of the
Internet and all the Windows computers attached to it;
they released a wonderful program free for home
use that keeps the software on your computer
Personal Software Inspector (PSI) is a small agent that
you install on your computer. I installed the 2.0 beta
version. It scans your computer and collects version
information embedded in all your program executables,
dynamic link libraries, web browser plug-ins, etc. It
then correlates this information with Secunias
product database and compiles a list of your installed
programs. It then correlates this list with
Secunias vulnerability database to determine if any
of your programs have security vulnerabilities and, if
so, if there are patches available to address the
scan finishes, which only takes a few minutes, all your
installed programs are listed and insecure programs are
highlighted in red at the top of the list. Secunia
includes a vulnerability rating so you can know how
severe the problem is. Right from that screen, you can
view more details about the program. If it needs a patch,
you can initiate it right from a link.
some programs that Secunia cannot patch by itself for
some reason. In those instances, you will get a link to
the vendors site so you can deal with the problem
PSI will automatically scan your computer once a week
looking for new programs or new vulnerabilities. The tray
icon will change from a re-assuring green to yellow or
red if vulnerabilities are discovered.
PSI has a
fair amount of configurability, depending on how
automatic you want things to be. You can go from totally
manual, where you have to load the program and initiate
scans and manually approve patches, right up to having it
load automatically, monitor when new programs are
installed or removed, and download and install patches
automatically as PSI sees they are required.
I have opted
for almost the most automatic configuration of PSI. The
only non-automatic choice I made was to have PSI prompt
for approval to apply the required patches. The reason I
do this is not because I want to refuse a security patch.
I always accept security patches. But I am curious as to
how often I am getting patches and this will let me keep
better tabs on things.
Proof in the pudding
As many of you know, I am a little paranoid when
it comes to the security of my computers. I work in IT
security. I give presentations at the Ottawa Public
Library on how to protect your computer. So, when I first
installed PSI, I thought it would give me the added
assurance that I am up-to-date on all my security
patches. Imagine my surprise when it told me 2 of my 90
programs had security vulnerabilities for which patches
Infanview a really nice, free, image viewer. I
never thought to check if Irfanview had security
was an open source component included in TubeSucker
a free program for downloading YouTube videos. I
never would have found that one on my own.
So far, I
have installed PSI on half a dozen computers of mine,
friends and family. None of them have reported as fully
patched when PSI was installed.
about unknown programs?
What if Secunias database of over 12,000
programs does not cover some of yours? Well, if your
program is so obscure that Secunia does not know about
it, it is pretty unlikely the bad guys are looking for
security vulnerabilities in it and actively writing
exploits. But it could happen.
I noticed I
have a program installed that is not on PSIs list
of programs found on my computer; a nifty little program
called FotoSketcher that can apply paint-like effects to
your digital images. So, I clicked the link in PSI;
Are you missing a program?, and was walked
through a process to submit info to Secunia so they could
track it in the future. But I couldnt submit it. It
turns out the author did not embed version information
into the executable. Without version information, there
is no way for Secunia to track for vulnerabilities.
PSI is an
amazing program that every Windows user should install.
Secunia is to be commended for making this tool available
free for home use. Highly, highly, highly recommended!
Personal Software Inspector 2.0 beta
Free for home use
System requirements: Windows XP SP3, Vista, or 7 with the
latest version of Microsoft Update
Both 32-bit and 64-bit Windows supported
Click here to view the
full OPCUG website with frames.
Copyright and Usage
Ottawa Personal Computer Users' Group (OPCUG), Inc.
3 Thatcher Street, Ottawa, ON K2G 1S6
opinions expressed in these reviews do not necessarily
represent the views of the OPCUG or its members.
comments or suggestions to the .