SANS ISC: Tools for updating third-party software

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Last week we pointed out multiple vulnerabilities in commonly used client software. Several readers replied to my request asking for  tools used to update third-party software, and the most recommended tool for Windows is Secunia PSI (Personal Software Inspector), still in Release Candidate (RC-1) state, for personal use only (they also have a commercial version).

Other options are UpdateStar (Windows), SUMo - Software Update Monitor (Windows), VersionTracker [Pro] (Mac and Windows), RadarSync (Windows), UDC - UpdateChecker (Windows), Belarc Advisor (Windows), and App Update Widget (Mac). For Linux you are pretty much tied to the software package manager of the distribution you like to use. I strongly encourage you to evaluate the best tool that meets your needs.

Thanks to all the readers for submitting their suggestions!

I honestly think this is something we need to take very seriously, as most malware and attacks today (targeted, botnets, etc) are focused on the clients, exploiting OS and third-party software vulnerabilities (plus social engineering). The two sides of the coin are:

• Corporate environments (not covered by this post) that frequently (in my own experience) present disheartening scenarios, having vulnerable outdated systems without patches for several months.
• Small organization, SOHO environments, independent professionals, end users, etc. We need to find solutions to deal with all the frequent security updates and simplify the user's software update life.

I've been testing Secunia PSI in a few computers recently and I got a good first impression. The tool scans the system and detects not only vulnerable installed software but remnant installations that still could lay around on the file system. It is focused on outdated vulnerable third-party software - just from a security perspective. Additionally, it can detect small pieces of software that do not appear in the "Add and Remove Programs" list, such as the Adobe Flash Player Plugin and ActiveX components. My main concern about this tool (shared by Kelvin too) is that the data about your installed applications is sent to Secunia to match it against their File Signatures engine, as they state on their website. The impact of someone getting access to all that information is pretty serious.

No matter what process (even manual if it works for you) or tool you use, all your installed software must be updated in a timely fashion! I know you are aware of it, but some responses to my request came from outdated vulnerable browser versions. Blame on my as well, as the software update checks not always work as expected. More about this is a near future post...

-- Raul Siles - www.raulsiles.com