I’ve been focused on defensive computing for a long time. If I had to rank the most important aspect, the number one thing is to be skeptical. No software can protect the gullible. This article is about the next most important aspect of defensive computing: the ongoing process of applying bug fixes to software.
Why do I rate software updates ahead of antivirus and antispyware software? Because no anti-malware product is perfect. A computer running a fully patched version of Adobe Reader, for example, cannot get infected by a malicious PDF file. A computer running antivirus software and a buggy copy of the Adobe Reader can get infected.
Keeping Windows itself up to date has gotten easy enough so that even non-techies have little problem with it. If you run Office, it too can be updated automatically. However, the rest of the software on a Windows computer is a totally different issue.
Microsoft does not update software from Sun, Adobe, Mozilla, Piriform, Foxit, Tall Emu, VideoLAN, Irfan Skiljan or anyone else. Instead, every software vendor is forced to re-invent the wheel and Windows users are left with a huge hodge-podge of software update mechanisms. It’s a mess.
It has been estimated that Windows users have a dozen programs on their machines that are missing security patches. That seems high to me, but even a single buggy application opening a maliciously crafted file can infect a PC.
Looking at it the other way, estimates are that only two percent of PCs are fully patched. My personal experience has been that it is all but impossible to keep up with security patches for all, or even most, of the software installed on a PC. Installing some patches is the best many users can hope for.
Into this breach steps Danish software company Secunia with assorted products that report on missing security patches (bug fixes to me). This article is about a free Secunia product, their Online Software Inspector (OSI). They also offer free downloadable software (Personal Software Inspector) and a commercial product (Corporate Software Inspector). All the software is for Windows.
The Online Software Inspector is the bottom-of-the-line product from Secunia, but it’s a great thing nonetheless. I highly recommend it to all Windows users.
For one thing, the report is simple to read: green check marks are good, red Xs are bad (see below for a sample). It’s also devoid of techie lingo. And, you don’t need to install software (except perhaps Java, more below).
The online report, however, isn’t nearly as comprehensive as the installable Windows application (Personal Software Inspector). However, it reports on many popular applications as well as missing Windows patches.
In all, OSI currently evaluates 24 applications for missing patches. Two notable omissions are the Foxit PDF reader and the VLC media player.
Anyone seriously concerned about security would be well served by the Personal Software Inspector, but it’s a step up in complexity. Also, it’s hard enough to get a clean bill of health from the Online Inspector.
As the name implies, OSI is an online utility. There are a number of web browser add-on technologies that let programs run inside a web page without being fully or normally installed on a Windows computer. The Secunia Online Software Inspector uses Java, which has to be installed before OSI can run.
One way to tell if Java is installed is to look in the Windows Control Panel at the list of installed software. Another method is my JavaTester.org website which runs a small Java program that reports on the installed version of Java (shown above).
OSI requires Java version 1.6.x or later. The leading 1 in the version number, however, is sometimes dropped. That is, in some contexts, version 1.6.16 (for example) is referred to simply as Version 6 Update 16. In other contexts, such as my JavaTester website, it is referred to as version 1.6.0_16. These mean the same thing. Blame Sun. Many have.
If Java is not installed, it can be downloaded from Sun (my preference is for the manual installation). Your browser may also detect that Java is needed and prompt to install it. In the old days, when Firefox users ran across a web page that needed Java, Firefox would warn about the missing software and offer to auto-install it. However, with the release of Firefox version 3, the auto-installation of the Java plug-in no longer worked. Fortunately, in the latest versions of Firefox, auto-installing Java works again.
OSI is compatible with all the popular web browsers (Internet Explorer, Firefox, Opera and Chrome) and is supported on Windows XP, Vista, 7, 2000 and 2003.
Running the Online Software Inspector
On the initial page (below) it’s obvious that you click the red button. However, although the button is labeled “start scanner,” this does not start the scanner. Instead, it loads the Java program. Or, tries to load it.
Java programs are not normally allowed to read files on your computer. Of course, the Secunia application has to read files, so you can expect to see the Java security warning shown below. If you click the Run button, this not only allows the Java program to run, but, thanks to the “Always trust content from this publisher” checkbox being on by default, prevents the issuance of this warning in the future.
If all goes well, you should now see the screen shown below.
In the bottom left corner it says “Java Applet loaded successfully. Press ‘Start’ to begin.”
A Java program inside a web page is called an applet. It’s not unusual to see a message in this area that says “Loading Java Applet… Try x of 50…”. Each “try” takes less than a second. The only times I’ve had this fail on me is when Java was not installed.
Before starting the inspection, I like to turn off the “Display only insecure programs” checkbox. This is a matter of opinion; the important information is displayed either way. I just like knowing which programs were, in fact, inspected. Also, a clean system, set to display only insecure programs, produces no report, which might be confused with a scan that never ran at all.
Initially there is no need for a “thorough” inspection. The default type of inspection looks for applications in their default folders. After getting a clean bill of health with a default inspection, anyone interested in extra credit can go back and run a thorough inspection. Expect it to take significantly longer to run.
In addition to scanning for applications in non-default folders, a thorough inspection is also needed by anyone that wants portable applications inspected. Then too, applications are sometimes included with other applications. For example, the Adobe Reader or Flash player may be installed as part of another, much larger, application. Scanning for these requires a thorough inspection.
The blue Start button kicks off the scan.
Below is a perfect report card from a Windows XP SP3 machine. Green checks are happy checks.
It’s hard to get a clean bill of health. Most likely you will run across a program missing a security patch. In the example below, from a Windows 7 machine, Firefox was at version 3.5.3 and missing the patch to bring it up to the just-released version 3.5.4.
You may be initially surprised to find multiple old copies of Flash or Java. Both programs have a history of not removing prior versions when installing new ones.
After getting your house in order, the next question is when to scan again. Fortunately Secunia has a free reminder service. After an inspection, you may see the window below, offering to email you when there is an update to the software supported by OSI. I find these notifications extremely useful.
Even if you don’t use OSI, you can sign up for update notifications from Secunia.
As useful as it is, and even though I heartily recommend it for all Windows users, OSI is not
To begin with, not all known security flaws have been patched. It can take weeks for some vulnerabilities to get patched. In the interim, Secunia gives the known buggy software a green check. This is because they scan for missing patches, not for known flaws. No patch, nothing missing.
I disagree with this philosophy and would much prefer some type of warning about software with known flaws that haven’t yet been patched.
Another aspect of scanning only for missing patches is that Secunia does not check for the latest version of software. As they put it in the FAQ:
“Software can be detected by the Secunia Software Inspector as secure, even if the vendor has released a more recent version. This is because vendors release software updates not just to patch vulnerabilities, but also to fix software bugs or introduce software enhancements. These fixes and enhancements may be non-security related (for example, adding new functionality or features). Therefore, prior versions of software can be secure even if they are not the most recent ones, as long as no known vulnerabilities are reported in them.”
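To make the two points above concrete (that Sun’s version spellings such as 1.6.0_16 and Version 6 Update 16 name the same release, and that “no security patch missing” is a weaker test than “latest version”), here is a small Python example written for this article. It is not Secunia’s code and does not reflect how their scanner actually works; the product list, version numbers, folder paths and the flaw identifier in its tiny patch database are all constructed for illustration. It also shows the author’s preferred alternative, a warning for software with a known but still unpatched flaw, as an optional mode.

```python
"""Toy patch-status checker: constructed example, not Secunia's scanner."""
import re

# Constructed sample "patch database" (all values are made up):
#   patched          lowest version carrying every released security fix
#   latest           newest version the vendor ships (may add only features)
#   unpatched_flaws  publicly known flaws that have no fix yet
PATCH_DB = {
    "Firefox": {"patched": "3.5.4", "latest": "3.5.4", "unpatched_flaws": []},
    "Java": {"patched": "Version 6 Update 16", "latest": "1.6.0_16",
             "unpatched_flaws": []},
    "ExampleViewer": {"patched": "2.0", "latest": "2.1",
                      "unpatched_flaws": ["EXAMPLE-FLAW-001"]},  # placeholder id
}

# Constructed list of what a scan might find; paths are made up.
SAMPLE_INSTALLS = [
    ("Firefox", "3.5.3", r"C:\Program Files\Mozilla Firefox"),
    ("Java", "1.6.0_16", r"C:\Program Files\Java\jre6"),
    ("Java", "Version 6 Update 7", r"C:\Program Files\Java\jre1.6.0_07"),  # leftover copy
    ("ExampleViewer", "2.0", r"C:\Program Files\ExampleViewer"),
]


def parse_version(product: str, text: str) -> tuple:
    """Turn a version string into a comparable tuple of integers.

    For Java, 'Version 6 Update 16', '6 update 16', '6u16' and '1.6.0_16'
    all become (6, 0, 16). Other products use plain dotted versions,
    so '3.5.3' becomes (3, 5, 3).
    """
    s = text.strip().lower()
    if product == "Java":
        m = (re.fullmatch(r"(?:version\s+)?(\d+)\s+update\s+(\d+)", s)
             or re.fullmatch(r"(\d+)u(\d+)", s))
        if m:
            return (int(m.group(1)), 0, int(m.group(2)))
        m = re.fullmatch(r"1\.(\d+)\.(\d+)(?:_(\d+))?", s)  # Sun's 1.x.y_z form
        if m:
            major, minor, update = m.groups()
            return (int(major), int(minor), int(update or 0))
        raise ValueError(f"unrecognised Java version: {text!r}")
    if not re.fullmatch(r"\d+(?:\.\d+)*", s):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in s.split("."))


def classify(product: str, installed: str, db=PATCH_DB, warn_unpatched=False) -> str:
    """Rate one installed copy the way a missing-patch scanner would.

    'insecure'         a released security patch is missing (red X)
    'warning'          only with warn_unpatched=True: fully patched, but a
                       known flaw has no fix yet (the author's preference)
    'secure-outdated'  fully patched, though a newer non-security release
                       exists; a missing-patch scanner still shows green
    'secure'           fully patched and current
    """
    entry = db[product]
    have = parse_version(product, installed)
    if have < parse_version(product, entry["patched"]):
        return "insecure"
    if warn_unpatched and entry["unpatched_flaws"]:
        return "warning"
    if have < parse_version(product, entry["latest"]):
        return "secure-outdated"
    return "secure"


def inspect(installs, db=PATCH_DB, warn_unpatched=False, only_insecure=False):
    """Rate every installed copy (each old Java or Flash copy counts separately).

    only_insecure mimics the 'Display only insecure programs' checkbox: a
    clean machine then yields an empty report.
    """
    report = []
    for product, version, path in installs:
        status = classify(product, version, db, warn_unpatched)
        if only_insecure and status not in ("insecure", "warning"):
            continue
        report.append((product, version, path, status))
    return report


if __name__ == "__main__":
    for row in inspect(SAMPLE_INSTALLS, warn_unpatched=True):
        print("{:<14} {:<20} {:<16} {}".format(row[0], row[1], row[3], row[2]))
```

Run as-is, the report flags Firefox 3.5.3 and the leftover Java 6 Update 7 as insecure, rates the current Java copy secure, and, because `warn_unpatched=True`, shows a warning for the constructed ExampleViewer entry. Without that flag the same ExampleViewer copy reads `secure-outdated`: a newer release exists, but no security patch is missing, which is exactly the green check the FAQ describes.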
And, though OSI is great at finding missing patches, it does not install them. Instead, it merely provides links to patched versions of the software.
Finally, as noted earlier, OSI is very limited in the applications it scans. Popular applications it does not check include the Foxit PDF reader, the VLC media player and IrfanView. And while it checks all the popular web browsers, it does not go so far as to check their installed plug-ins.
Despite its flaws, any computer with a clean bill of health from OSI is more secure than one that fails inspection. Go inspect.