Outdated client applications

Published: 2010-01-24
Last Updated: 2010-01-24 22:01:46 UTC
by Pedro Bueno (Version: 1)
17 comment(s)

The Aurora targeted attack made me think about client applications again.

That, and when I saw Mikko Hypponen's Twitter message about the saveie6.com website (which was actually quite funny).
For some time the weakest link in computer security has been outdated applications and operating systems.
At first the OS (here I mean specifically MS Windows) was the main target, and Microsoft responded by including
the option to install updates automatically.

This definitely helped the regular user a lot. But what about third-party applications, such as other browsers (Firefox, Chrome, Safari),
media players (RealPlayer, QuickTime...), document readers, etc.?
For some years, exploit kits such as MPack have been quite smart about keeping large databases of exploits for many different client applications.
Some time ago I found an application that would keep track of all installed applications, check for the most recent versions and pop up
when one was available.
My main concern in this case was privacy.

How do you handle/manage client application upgrades, at home or in your company?
Send me your ideas and I will post a consolidated list of suggestions.
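As an added example (not from the diary or any of the tools mentioned), here is the core of such a tracker done without the privacy problem: the inventory and the minimum-version baseline both stay on the local machine, and only the comparison runs. Both dictionaries are constructed sample data, and the application names and version strings in them are assumptions for illustration.

```python
import re

# Constructed sample inventory: application name -> installed version.
# On a real host this would come from the OS (e.g. the Windows uninstall
# registry keys or a package manager); it never leaves the machine.
INSTALLED = {
    "Firefox": "3.5.7",
    "Adobe Reader": "9.2.0",
    "QuickTime": "7.6.5",
    "Java": "6.0.170",
}

# Constructed sample baseline: application name -> minimum acceptable
# version, kept in a local file the administrator maintains.
BASELINE = {
    "Firefox": "3.6.0",
    "Adobe Reader": "9.3.0",
    "QuickTime": "7.6.5",
    "Flash Player": "10.0.42.34",
}

def parse_version(text):
    """'9.3.0' -> (9, 3, 0). Integer components make 3.10 sort after
    3.9, which a plain string comparison gets wrong."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def version_below(have, need):
    """True if 'have' is older than 'need'. Shorter tuples are zero-padded
    so that '9.3' and '9.3.0' compare as equal rather than older."""
    a, b = parse_version(have), parse_version(need)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def outdated(installed, baseline):
    """{app: (installed, required)} for every baselined app that is too old."""
    return {app: (installed[app], need) for app, need in baseline.items()
            if app in installed and version_below(installed[app], need)}

def uncovered(installed, baseline):
    """Installed apps the baseline says nothing about: the checker's blind
    spots, like the stray codecs and DLLs a signature list may not cover."""
    return sorted(app for app in installed if app not in baseline)

if __name__ == "__main__":
    for app, (have, need) in outdated(INSTALLED, BASELINE).items():
        print(f"OUTDATED  {app}: {have} installed, {need} required")
    for app in uncovered(INSTALLED, BASELINE):
        print(f"UNCHECKED {app}: not in baseline")
```

The uncovered list is the part most simple checkers skip: an application the baseline does not know about is never reported as outdated, so it is silently assumed safe.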


Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure



What I think is missing is a package management system, like Debian's APT for example.

Someone (ideally Microsoft) needs to produce a full system that covers distribution (to an extent), installation/uninstallation, and upgrading of just about all software. But that's not easy.

For open-source software, I hear that a few such platforms already exist, but that was only possible because the software could be legally redistributed.
...oops, I meant to say that package management systems are springing up for open-source software on *win32* platforms.

Obviously a lot of open-source OS distributions already have good package management.

There are many home users that use the computer as an appliance - like a toaster, almost. These users know nothing about security - some of them know that they need AV, but they assume that once they have it that they are fully protected.

They never think to update their machine - in fact it wouldn't be until such a time that they purchase a new machine that they would upgrade everything. Until their ISP puts them into a walled garden, many such users have no clue that their machines might even be infected with anything (they might notice general slowness, and if they do, they might be inclined to try and use those "services" that are offered on TV - which I suspect aren't very effective, but don't have any hands-on knowledge).

I would argue that there are millions such machines out there and they all provide a fertile growth medium for the botnets out there.

Secunia PSI is a great tool to monitor new and available updates for third-party applications. It will also download updates from legit sites hosting the updates. It has a free version as well for Windows users.

I second Secunia PSI. Very simple to use and monitors a large list of 3rd party apps.

+3 on Secunia PSI.

Sadly, it seems the only effort for a corporate standard updater fails for now:
+ Industry-Standard Updater For Third-Party Apps Fails To Materialize, 2010/01/20

For home users, many solutions.
On Windows:
* FileHippo
* Sumo
* Update Start
* http://windows-get.sourceforge.net/

On Mac OS:
* http://www.eagle-of-liberty.com/logicielmacupdate/

I use Secunia PSI but I have very few Windows machines (<10). For a greater number of boxes it's impossible to manage updates the right way. We absolutely need something to automate the whole process.

+5 on Secunia. I use it at home for all my Windows PCs and it works great. My wife and kids understand it and it's easy to use.

I also use the corporate edition of Secunia at work. It's not cheap, but after 2 years of use I've found the cost/benefit to definitely be worth it.

Looking at win-get I see that it has packages for easy downloading+installing, but it doesn't appear to have an auto-update feature. That's the crucial part, I think -- ideally to do away with the built-in auto-update features of different pieces of software (if they even have one) and manage all updates from one utility. Some of the version numbers of software available to win-get look a bit old, and possibly not secure any more.

Secunia PSI works rather well for me at home, but it's obviously too fiddly in a larger environment, for which it seems they offer a more appropriate commercial product. FileHippo works okay at home too but it doesn't pick up on those vulnerable DLLs or codecs lying around.

Even if there was an easy way to retrieve updates, I suspect it would involve a lot of downloading for people to stay up-to-date. The less often you use your computer, the more updates would have to be downloaded and applied. And whilst updates are being applied, a low-end system may be almost unusable due to heavy disk IO, CPU and/or RAM usage.

All that effort for a user who maybe only wants a few hours' access to the Internet each month. The OS/app updates may use up more of their bandwidth allowance than their actual Internet use.

So, even if people had an easy way to keep their computer up-to-date, would they?

A packaging system could help by offering a 'stable' branch with older, assumed-secure, less-often-updated versions; and an 'unstable' branch with latest releases and all the new features (and new bugs). But the actual software vendors might not support two versions.

This must be where cloud computing and those in-browser web apps come in, to try and show us a 'better way' with no apparent client-side installation or updating of anything. But it wouldn't appear to make sense, for example, for your word processor to require an Internet connection (when in reality, it does, if you're opening documents from third parties).
