Secunia PSI 2.0 Identifies and Installs Application Updates

PSI 2.0 offers critical enhancements to Secunia's free application vulnerability assessment tool, adding remediation and update capabilities on top of the old notification engine. Secunia PSI has been an important part of my security toolkit for several years, providing a single stop for me to check whether all the applications installed on my Windows 7, Vista, or XP PCs are fully patched and up to date. It does this via an easy-to-understand posture assessment score based on the detected system status. Keeping both the OS and applications up to date is among the best ways to avoid exploit and attack, particularly against threats not yet detected by complementary antimalware programs.

PSI (Personal Software Inspector) 2.0 eases many of the qualms I've had about the product, finally fixing Windows rights issues and the reliance on third-party plug-ins for full operation. It's also added promising auto-update capabilities that could let users disable many of the different auto-update engines covertly installed in Windows desktops by many ISVs.

PSI 2.0 is available as a free download for personal use only from http://www.secunia.com. Corporate customers interested in similar, enterprise-oriented capabilities with central management can look into Secunia's for-pay CSI (Corporate Software Inspector). Of course, PSI could also be a useful tool for enterprise users to use to protect any home systems used to access corporate resources.

Secunia finally extended PSI's always-on benefit to computers for which the primary user does not run with local administrator rights by default. This makes the software more feasible to use consistently on locked-down desktops.  Previous versions of PSI required administrative rights in order to run, which keeps the application from running automatically in restrictive use cases.  

To address this shortcoming, the core PSI functionality now spans over four distinct processes. A pair of new services-the PSI Agent and the Update Agent-auto-start at boot with system privileges, while a revamped system tray applet runs as the logged-in user. In this way, PSI 2.0 can auto-start at system boot no matter what rights the interactive user has. It further has the ability to conduct weekly scans and continuous monitoring of the installed application set, to alert when state changes are detected, and to silently perform updates in the background without requiring user interaction.

The only component that requires the user to input administrator credentials is the slimmed-down PSI.exe, which is now the sole management interface used to change PSI behavior or to perform manual updates or posture assessments.

PSI 2.0 uses its new privilege model to good effect, delivering new auto-update capabilities for some third-party applications. Behind the scenes, PSI 2.0 can download and silently install patches to commonly installed applications from Adobe (Air, Reader, Flash), Mozilla (Firefox), and Google (Picasa), as well as Oracle's Java and FileZilla.

When set to auto-update, I found PSI 2.0 could recognize the presence of an out-of-date application, say Firefox 3.6.12, then automatically download and install the update to 3.6.13. However, there are limitations to the auto-update engine. Since the data used to determine whether the application is out of date is based on Secunia's application vulnerability reports, PSI might not perform updates that deliver feature updates that don't include security patches. So, using the same example, I found that PSI would not automatically update Firefox 3.5.16 to 3.6.13.

Users may also set PSI to require manual approval before performing updates, and I found that the Scan Results page hinted at several different kinds of update scenarios when used in this manner. PSI won't update the Windows OS directly, but users, instead, see a link to Microsoft update. On the other hand, third-party applications supported for automatic updates require the user only to click the upgrade link on the Scan Results page for silent download and update. To update slightly less supported applications-Apple QuickTime, for instance-users will find only a download link to obtain an installer package directly from the ISV for manual installation.

In my tests, however, I found those download links might not provide the best path to an up-to-date application. In one test case, for instance, I found that PSI would not link to the most current version of the application in question. PSI easily found an old copy of QuickTime on Windows XP to be way out-of-date, offering an upgrade link to version 7.68.75.0. After performing that upgrade manually, PSI then informed me that QuickTime needed another update, this time to 7.69.80.9.

However, I did like the protections afforded through PSI's linking process to third-party patches. In my tests, I found that PSI would perform hash checks to ensure the downloaded files matched expectations.  

The Scan Results page looks much different than in previous versions, as the entire application set now is shown on a single screen, with end-of-life and insecure applications migrated to the top for easy recognition. In previous versions, PSI broke the computer's application set into three distinct screens, (for end-of-life, up-to-date, and insecure applications), making the user click around to identify the state of everything.

The new System Tray icon is now more useful, as well. While in past versions, the system tray icon solely indicated that PSI was active, in the new version the icon changes color to reflect the overall security posture of the computer. If more than 10 percent of installed applications require updates, the icon shows red, while a fully patched system delivers a green icon.

The new Dashboard looks similar to the old version, displaying the aggregate posture assessment score and last scan date, as well as the auto-update status and history items, particular to 2.0. PSI 2.0 also shows trending graphs for the posture-assessment score over the last five weeks and a line chart showing the total number of security patches released over the last 6 months applicable to the PC's installed application set.

I was also gratified to find that PSI 2.0 no longer requires the Adobe Flash ActiveX plug-in to display the graphical trending data, a requirement I found quite annoying in the previous PSI iterations.