Time, Money and the Lies Others Tell You

Securitywatch's Ryan Naraine notes that new Secunia users are finding their computers insecure, as applications have fallen out of date. As a Secunia user, I can say there are a lot of causes for my inability to keep my primary system up to date (by Secunia's standards.) For instance, on my work PC at this moment, Secunia's PSI is telling me that I currently have 4 insecure applications, 1 End-of-life application, with 76 up-to-date apps. Better than most, but hardly perfect. 5 of 81 are not secure - a 6.2% failure rate. Basically, I can be hacked via known vulnerabilities. Of the four vulnerable applications, 2 are Adobe Flash. I've tried upgrading to the latest version. I've tried uninstalling, then reinstalling. I've tried uninstalling completely. None of these steps have gotten PSI to recognize any difference. I guess I can figure out how to manually remove Flash for good - but it may be a lot of work. One is my anti-virus program. Work provides and manages this software, so there's not much I can do (other than badgering IT, and I am sure they are sick of my badgering), unless I decide to fully manage my own AV solution. Looking through the release notes of the current and recent iterations of the software, there are no mentions of patched vulnerabilities are jumping out at me. Lots of bug fixes and improvements, but maybe not any plugged security holes. But the free version of PSI does not make that distinction. The other vulnerable application is QuickTime. I've got Quicktime Player installed because I need iTunes to sync my iPhone to my Outlook calendar. I've covered my dismay with this setup plenty in the past, but it is the only reliable way I've been able to sync the data I need. When I upgraded to iTunes 7.5, the install package included Quicktime 7.3. Since then, Quicktime moved to 7.3.1, but iTunes stayed at 7.5 So the Apple Software Update application tells me I am up to date, but a check of the Quicktime website tells me I am ever so slightly behind. Essentially, one of the many tools I am forced to rely on to keep my system up to date is lying to me. The end of life program is a prior version of Winzip. I guess my company actually paid for the Winzip license (I never see that annoying Expiration notice on this PC). I can see why the company may not want to pay for the new version, since the old one does everything that our users want it to do, presumably. But to get security updates, we're beholden to pay for licensing upgrades to get the new version, chock full of features we don't need? Yes, of course. This is one of the costs of security that everyone must face. But personally, this case is out of my hands. Or I suppose I could install the latest WinRAR. Secunia's PSI is a means to an end. People downloading these kind of tools are presumably wanting to check their status, likely knowing something is out of date. So they can fix it - if they are allowed to and it is relatively easy. Given the Apple and Winzip anecdotes above, I'd say perhaps the numbers Ryan notes are really a larger indictment of the software makers - their crappy update applications and their upsell tactics used in the name of security.

Securitywatch's Ryan Naraine notes that new Secunia users are finding their computers insecure, as applications have fallen out of date. As a Secunia user, I can say there are a lot of causes for my inability to keep my primary system up-to-date (by Secunia's standards).

For instance, on my work PC at this moment, Secunia's PSI is telling me that I currently have four insecure applications, one end-of-life application with 76 up-to-date apps. Better than most, but hardly perfect. Five of 81 are not secure-- a 6.2 percent failure rate.

Basically, I can be hacked via known vulnerabilities.

Of the four vulnerable applications, two are Adobe Flash. I've tried upgrading to the latest version. I've tried uninstalling, then reinstalling. I've tried uninstalling completely. None of these steps have gotten PSI to recognize any difference. I guess I can figure out how to manually remove Flash for good--but it may be a lot of work.

Another vulnerable application is my anti-virus program. Work provides and manages this software, so there's not much I can do (other than badgering IT, and I am sure they are sick of my badgering) unless I decide to fully manage my own AV solution. Looking through the release notes of the current and recent iterations of the software, there are no mentions of patched vulnerabilities jumping out at me. Lots of bug fixes and improvements, but maybe not any plugged security holes. But the free version of PSI does not make that distinction.

The other vulnerable application is QuickTime. I've got QuickTime Player installed because I need iTunes to sync my iPhone to my Outlook calendar. I've covered my dismay with this setup plenty in the past, but it is the only reliable way I've been able to sync the data I need.

When I upgraded to iTunes 7.5, the installation package included QuickTime 7.3. Since then, QuickTime moved to 7.3.1, but iTunes stayed at 7.5. So the Apple Software Update application tells me I am up-to-date, but a check of the QuickTime Web site tells me I am ever so slightly behind.

Essentially, one of the many tools I am forced to rely on to keep my system up-to-date is lying to me.

The end of life program is a prior version of WinZip. I guess my company actually paid for the WinZip license. (I never see that annoying expiration notice on this PC.) I can see why the company may not want to pay for the new version, since the old one does everything that our users want it to do, presumably. But to get security updates, we're beholden to pay for licensing upgrades to get the new version, chock full of features we don't need?

Yes, of course. This is one of the costs of security that everyone must face. But personally, this case is out of my hands. Or I suppose I could install the latest WinRAR.

Secunia's PSI is a means to an end. People downloading these kinds of tools are presumably wanting to check their status, likely knowing something is out of date. So they can fix it--if they are allowed to, and it is relatively easy.

Given the Apple and WinZip anecdotes above, I'd say perhaps the numbers Ryan notes are really a larger indictment of the software makers and their crappy update applications and up-sell tactics used in the name of security.