Keeping those apps updated

On the heels of Microsoft’s last Security Intelligence Report there have been a number of articles like this one on positing that applications rather than the OS (read Microsoft) are the primary culprits for software vulnerabilities.

Research by vulnerability specialist Secunia suggests that third-party applications are increasingly being used by malware writers in preference to using operating system attacks.

The Danish company said that data from its free Personal Software Inspector (PSI) tool showed that there were far more unpatched applications than operating systems among users. Furthermore, application patches were left open to abuse for far longer than operating system patches.

While I’m certainly not convinced that this lets OS vendors – and yes this includes Apple as well as Microsoft – off the hook, it definitely points out a serious problem: how do you keep all of your software patched. Not just the OS. The approach that pretty much all Windows users have grown to accept is to run the updater services that come with each package they install in addition to the OS updater. There are significant problems with this approach. There are frequently clashes between the different vendors updater programs, not to mention that they consume system resources and are generally not terribly stable. As if these weren’t bad enough, the bottom line is these updater programs – including OS updaters – only patch security problems as a side effect. Let’s be real here, the primary purpose of update programs is not to make the end user more secure – it’s to cover the vendor’s booty and to grab  more booty from the end user by pushing new features, applications and services.

Back when I was building highly available UNIX software, a patch meant “the smallest change possible to fix a specific problem“. If you weren’t seeing that specific problem, then you didn’t install the patch. In addition a patch NEVER, EVER introduced new functionality. Period. Now certainly this led to problems of it’s own like an explosion of patches and extremely complex mechanisms for determining which patches should be applied, but it also led to systems that were stable and highly available. Systems that were not shutdown or restarted for years. That is certainly not the case nowadays with personal computers. We’ve been convinced – mostly by OS vendors – that we should accept every update they choose to push to us. Without question. In fact the default (recommended) behavior in Windows Vista is to automatically install all updates that Microsoft deems “important”. Stuff like “Microsoft Genuine Advantage Validation Tool” (what user isn’t dying to have this on their machine?)  Stuff that reboots your machine – automatically (hey – it’s Windows we’re totally used to that). And application vendors can be even worse. Who hasn’t ended up with a copy of “Adobe Photoshop Album Starter” on their system with no idea what they would ever use it for. And don’t even get me started on Real. The point is that if what you want is to keep your personal computer secure without additional bloatware, crapware, superfluous features and the instability introduced by same, vendor provided update software will not get you there. Or even near there.

I’m a long time user and huge fan of Secunia PSI. I have it installed on all of my Windows machines because it actually addresses this problem of how to keep your applications and the OS patched. Without having to run multiple update services. Or even Microsoft update. How does it perform this amazing feat? First off, Secunia is primarily a security research company. They make a living by finding and cataloging software vulnerabilities. They also sell a corporate version of their Software Inspector, but in general they have no financial stake in end users buying the latest, greatest versions of any particular software. The Secunia company jewels are the research and associated database of vulnerabilities that they can cross reference to specific updates that will fix those vulnerabilities. Essentially Secunia PSI works like this: it scans your system for software that it knows about (a real scan, not just a registry scan) and looks up those packages in the Secunia database, reporting on vulnerable software it finds. It works on a pull rather than push model (i.e. you pull down their database info, you don’t push your software inventory to them). So rather than having Adobe or Microsoft notify you to download an update just because there is one, PSI will only notify you if there is a known vulnerability in your software and specifically which update will fix it. The best part is that it knows about all of the software installed on your system – not just the most recent version according to “Add Remove Programs”. A PSI scan of my wife’s laptop discovered three (count ’em – 3) different and vulnerable versions of Apple Quicktime. Apparently several programs had installed their own private version of Quicktime and never registered it. I’ve seen similar situations with Java and Flash.

So now I run Secunia PSI on my Windows boxes – real and virtual – instead of a separate updater for every peice of software I own. Now if Secunia would only come out with a Mac version of PSI I’d be a happy camper. Or at least a marginally less snarky camper. So update your Windows systems intelligently. Don’t just be a stooge for the software vendors. Give Secunia PSI a shot. You’ll be glad you did. And your system will be much happier. And more secure.