Security Program Automatically Tracks Down Missing Patches
Secunia has updated its Personal Software Inspector (PSI) with the ability to silently download and apply patches from multiple vendors soon after their release. PSI 2.0 is now available in an open beta test,
Alongside the failure of security software to detect an exploit or a piece of malicious software, missing patches remain a significant reason why computers become infected with bad code. Cybercriminals are increasingly probing third-party applications to find a way to take over computers.
Secunia looked at the top 50 programs used by its more than two million users. Twenty-six of those programs are made by Microsoft, which uses an auto-update mechanism to distribute patches on the second Tuesday of the month. Of the 420 or so vulnerabilities found in those 50 programs in 2009, about 35 percent of those were Microsoft programs, said Stefan Frei, research analyst director for the company.
The rest were in third-party applications from Adobe Systems, Apple and others, which use up to 13 different update mechanisms for the remaining 65 percent of vulnerabilities found in the 24 applications, Frei said.
Many of those applications have auto-update mechanisms, but none have uniform schedules for checking for new patches, Frei said. That leaves a window of opportunity for cybercriminals.
"This clearly shows why cybercrime is happening," Frei said. "They [cybercriminals] don't need Microsoft."
Even with diligent patching, there are "lots of users who have one, two, three apps that are not patched," Frei said.
In 2009, Secunia proposed to software vendors to create a common protocol that all vendors could use in order to get patches distributed faster. No agreement was reached, Frei said.
As a result, Secunia figured out the "secret sauce" to silently auto-update many applications in PSI 2.0. "This works for quite a few applications, and we are increasing the number of applications we can support," Frei said. "If the vendor releases the patch in a way that we can automate the download of the installation, it works."
PSI takes an inventory of applications on a person's computer and their version number. It then checks in with Secunia several times a day to see if a new patch has been released, which is the default configuration for the application although users can turn it off. Secunia recommends leaving PSI run in the background, as it is a lightweight application, Frei said.
Since PSI 2.0 was released a couple of days ago, more than 6,500 people have downloaded it and more than 10,000 patches have been installed. Most users need at least one patch. The number of downloads of PSI and patch installs was surprising, Frei said.
"We were astonished after 24 hours when we looked at the data," he said.
Secunia recorded more than 2,000 installations of patches for Adobe's Flash Player and more than 1,000 for Adobe Reader. Other most frequently patched applications from the sample set included Sun's Java JRE, Adobe Air, Irfan View, the Opera Web browser, Skype, Wireshark and the Firefox browser, according to Secunia's blog.
PSI 2.0 is free. The software is expected to come out of beta later this year, Frei said.
Send news tips and comments to email@example.com