
SANS ISC: Outdated client applications - Internet Security | DShield SANS ISC InfoSec Forums


Outdated client applications


The Aurora targeted attack made me think about client applications again.

That, and seeing Mikko Hypponen's Twitter message on the saveie6.com website (that was actually quite funny).
For some time the weakest link in computer security has been outdated applications/OS.
At first, the OS (in this case I am being specific about MS Windows) was the main target and Microsoft decided to include the option to install updates automatically.

This definitely helped the regular user a lot. But what about third-party applications, such as other browsers (Firefox, Chrome, Safari), media players (RealPlayer, QuickTime...), document readers, etc.?
For some years, exploit kits such as MPack have been quite smart about keeping large databases of exploits for several different client applications.
Some time ago I found an application that would keep track of all installed applications, check for the most recent versions, and pop up when one was available.
My main concern in this case was privacy.

How do you handle/manage client application upgrades? In your home or company?
Send me your ideas and I will post a consolidated list of suggestions.

__________________________________

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

Pedro

155 Posts
ISC Handler
What I think is missing is a package management system, like Debian's APT for example.

Someone (ideally Microsoft) needs to produce a full system that covers distribution (to an extent), installation/uninstallation, and upgrading of just about all software. But that's not easy.

For open-source software, I hear that a few such platforms already exist, but that was only possible because the software could be legally redistributed.
Steven C.

171 Posts
...oops, I meant to say that package management systems are springing up for open-source software on *win32* platforms.

Obviously a lot of open-source OS distributions already have good package management.
Steven C.

171 Posts
There are many home users that use the computer as an appliance - like a toaster, almost. These users know nothing about security - some of them know that they need AV, but they assume that once they have it they are fully protected.

They never think to update their machine - in fact it wouldn't be until such a time that they purchase a new machine that they would upgrade everything. Until their ISP puts them into a walled garden, many such users have no clue that their machines might even be infected with anything (they might notice general slowness, and if they do, they might be inclined to try and use those "services" that are offered on TV - which I suspect aren't very effective, but don't have any hands-on knowledge).

I would argue that there are millions such machines out there and they all provide a fertile growth medium for the botnets out there.
Eric

43 Posts
Secunia PSI is a great tool to monitor new and available updates of third-party applications. It will also download updates to legit sites hosting the updates. It has a free version as well for Windows users.
Eric
10 Posts
I second Secunia PSI. Very simple to use and monitors a large list of 3rd party apps.
Eric
1 Posts
+3 on Secunia PSI.
FTWMike

24 Posts
Sadly, it seems the only effort for a corporate standard updater fails for now
+ Industry-Standard Updater For Third-Party Apps Fails To Materialize, 2010/01/20
http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=222301742&cid=RSSfeed

For home users, many solutions.
On Windows:
* FileHippo
* Sumo
* Update Start
* http://windows-get.sourceforge.net/

On MacOS:
* http://www.eagle-of-liberty.com/logicielmacupdate/
Julien

10 Posts
I use Secunia PSI but I have very few Windows machines (<10). For a greater number of boxes it's impossible to manage updates the right way. We absolutely need something to automate the whole process.
guly

3 Posts
+5 on Secunia. I use it at home for all my Windows PCs and it works great. My wife and kids understand it and it's easy to use.

I also use the corporate edition of Secunia at work. It's not cheap but after 2 years of use I've found the cost/benefit to definitely be worth it.
guly
2 Posts
Looking at win-get I see that it has packages for easy downloading+installing, but it doesn't appear to have an auto-update feature. That's the crucial part, I think -- ideally to do away with the built-in auto-update features of different pieces of software (if they even have one) and manage all updates from one utility. Some of the version numbers of software available to win-get look a bit old, and possibly not secure any more.

Secunia PSI works rather well for me at home, but it's obviously too fiddly in a larger environment, for which it seems they offer a more appropriate commercial product. FileHippo works okay at home too but it doesn't pick up on those vulnerable DLLs or codecs lying around.

Even if there was an easy way to retrieve updates, I suspect it would involve a lot of downloading for people to stay up-to-date. The less often you use your computer, the more updates would have to be downloaded and applied. And whilst updates are being applied, a low-end system may be almost unusable due to heavy disk IO, CPU and/or RAM usage.

All that effort for a user who maybe only wants a few hours' access to the Internet each month. The OS/app. updates may use up more of their bandwidth allowance than their actual Internet use.

So, even if people had an easy way to keep their computer up-to-date, would they?

A packaging system could help by offering a 'stable' branch with older, assumed-secure, less-often-updated versions; and an 'unstable' branch with latest releases and all the new features (and new bugs). But the actual software vendors might not support two versions.

This must be where cloud computing and those in-browser web apps come in, to try and show us a 'better way' with no apparent client-side installation or updating of anything. But it wouldn't appear to make sense, for example, for your word processor to require an Internet connection (when in reality, it does, if you're opening documents from third parties).
Steven C.

171 Posts
I think Microsoft is trying to do this with Config Manager. With config manager you can use WSUS for 3rd party apps vendors like Citrix. Adobe is hit and miss with config manager. From what I understand MS is having trouble getting vendors to cooperate.
Steven C.
4 Posts
For the Windows side of things, I use System Center Essentials, though still trying to get the bang for the buck... I manually configure and deploy custom packages (Java, Adobe junk...).

To follow up on Joe's comment, I think MS needs to do more in that regard, they already work closely with many big names, though more often it's the other way around. Regardless, when you shell out big bucks for their software you expect things to work, right? (not to mention that setting up SCCM is a pain)
Steven C.
3 Posts
ocsinventory is a commercial product which is automating this type of thing. (Sorry, I first posted this comment to https://isc.sans.org/diary.html?storyid=8077; but it was a mistake.)
Anonymous
ocsinventory also works on various Linux distributions, but I do not trust it enough to give it root access on my Linux laptop.
Anonymous
Secunia is the recommendation I make to friends and family. It's still a little too techie for the typical computer user. But it's better than nothing. Most people know they should do something, but don't know when or how. Secunia helps big time.
Paul

4 Posts
Add one more for Secunia PSI. I run it at home and suggest it to just about everyone I talk to. I haven't worked with their CSI (enterprise) product, but it looks very promising on paper for large environments.
Dave

1 Posts
