Patching/upgrading applications
January 27, 2008
There hasn’t been all that much security news (that I’ve been interested in) this week, so I thought I’d pull this out of the “to blog” folder.
When at Foundstone, we obviously use our own scanner to get much of the initial recon work done. Reviewing the findings, often the vast majority of them are missing patches, with a large number not in the operating systems themselves but in the applications installed on the machines. Companies generally (but not always!) realize the importance of patching machines, and rely on services like Windows Update, or update functionality in products themselves, to get a lot of the work done for them. However, update services often only work on one part of a system (for example, the OS and related components), and certainly won’t update competitors’ software (e.g. Flash, Adobe, QuickTime, etc.). It’s important to not only ensure that the operating system is patched up to date, but also the client software, as it’s just as easy to take over a machine through an application vulnerability (not running as a local administrator really helps limit this exposure, but that’s a topic worthy of another post). Running all these updaters, though, can be a PITA, and it’s really easy to forget to do.
Secunia (one of my favorite sources to check the vulnerability history of a product) has released a client tool, much like Windows Update, that scans for known insecure software regardless of the vendor and reports its results to prompt the user to upgrade/update. From their blog, Secunia notes that nearly 95% of machines they have scanned thus far have insecure software in one form or the other, and breaks it down like so…
Number of insecure applications per computer/user:
0 Insecure Applications: 4.54% of computers
0-5 Insecure Applications: 27.83% of computers
6-10 Insecure Applications: 25.69% of computers
11+ Insecure Applications: 41.94% of computers
…which aren’t all that surprising, but somewhat eye-opening.
In any case, it’s worth making sure that applications are patched just as much as the operating system, and Secunia’s PSI is a good way of keeping up with that information.
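To make the idea behind a vendor-neutral scan like PSI concrete, here is an added example (not Secunia’s code, and not from the original post) that checks a software inventory against a baseline of minimum patched versions and tallies the result into the buckets from the breakdown above. The product names, version numbers and inventory are constructed for illustration, not real advisory data.

```python
# Constructed baseline: product -> lowest version that carries no known
# public vulnerability. These numbers are illustrative, not real advisories.
MIN_SECURE = {
    "Flash Player": "9.0.115",
    "QuickTime": "7.4",
    "Adobe Reader": "8.1.2",
    "Firefox": "2.0.0.11",
}


def parse_version(text):
    """Turn '7.4.1' into (7, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_insecure(product, installed):
    """True when the installed version is older than the baseline.

    Versions are padded with zeros so that 7.4 and 7.4.0 compare equal;
    products with no baseline entry are reported as not insecure.
    """
    if product not in MIN_SECURE:
        return False
    have, need = parse_version(installed), parse_version(MIN_SECURE[product])
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have < need


def scan(inventory):
    """Return (product, installed, required) for every insecure entry."""
    return [(p, v, MIN_SECURE[p]) for p, v in inventory if is_insecure(p, v)]


def bucket(count):
    """Reporting bucket for one machine, following the post's breakdown
    (the zero case is split out from the 0-5 bucket)."""
    if count == 0:
        return "0"
    if count <= 5:
        return "1-5"
    if count <= 10:
        return "6-10"
    return "11+"


if __name__ == "__main__":
    # Constructed inventory for one machine, e.g. collected from Add/Remove Programs.
    machine = [("Flash Player", "9.0.47"), ("QuickTime", "7.4"),
               ("Adobe Reader", "8.1"), ("Notepad++", "4.7")]
    findings = scan(machine)
    for product, installed, required in findings:
        print(f"{product}: {installed} installed, {required} or later needed")
    print("bucket:", bucket(len(findings)))
```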