Secunia: We Don't Know How Vendors Will React to Our Repackaging Their Updates
Security firm Secunia expects a reaction from vendors as it plans to repackage security updates for hundreds of applications into its own proprietary installer and deliver them through the new version of Personal Software Inspector (PSI).
The Denmark-based vulnerability research and management company launched the beta version of Personal Software Inspector 3.0 at the RSA Conference 2012 on Monday. PSI is a free consumer product that helps users keep their software up-to-date.
PSI 2.0 had the ability to automatically and silently install security updates for several popular applications like Flash Player, Adobe Reader or Java.
However, statistics showed that except for those, users hardly upgraded any other programs, despite being notified by PSI that patches are available, said Thomas Kristensen, Secunia's chief security officer.
PSI 3.0 takes a totally different approach and aims to deliver security updates that require as little interaction from users as possible. To achieve this, Secunia will wrap a proprietary installer around security patches for hundreds of popular applications in order to suppress their dialog boxes.
The security updates will be repackaged manually by Secunia's staff and will be pushed to PSI 3.0 users from the company's server, Kristensen said. However, the company will do this without the explicit approval of all the vendors, which might raise some legal issues.
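The model described above puts a third party between the vendor and the user: Secunia's own installer, served from Secunia's server, wraps the vendor's patch. The check a defender would want from any such wrapper is that the payload it silently applies is byte-for-byte the vendor's original. The following is an added illustration of that check, not Secunia's or PSI's code; the manifest format, the `sha256_hex`/`verify_payload`/`apply_update` names, the sample payload and the silent-install flags (`/quiet /norestart`, the standard switches for MSI-based installers) are all assumptions made here for the example.

```python
"""Integrity gate for a silent-update wrapper (added example, not PSI code).

The wrapper only hands the vendor payload to its installer if the payload's
SHA-256 matches the digest pinned in a manifest that was recorded when the
patch was taken from the vendor. A tampered or swapped payload is refused
before any installer runs.
"""
import hashlib
import hmac
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class UpdateManifest:
    product: str
    version: str
    payload_sha256: str      # hex digest of the vendor's original patch file
    silent_args: tuple       # unattended-install switches the vendor documents


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a payload."""
    return hashlib.sha256(data).hexdigest()


def verify_payload(payload: bytes, manifest: UpdateManifest) -> bool:
    """True only if the wrapped payload is exactly the file the manifest pins."""
    return hmac.compare_digest(sha256_hex(payload), manifest.payload_sha256)


def build_silent_command(installer_path: str, manifest: UpdateManifest) -> list:
    """Command line that runs the vendor installer without its dialog boxes."""
    return [installer_path, *manifest.silent_args]


def apply_update(payload: bytes, manifest: UpdateManifest,
                 installer_path: str, dry_run: bool = True) -> dict:
    """Verify first, then (unless dry_run) invoke the vendor's silent installer.

    Returns a small result record so callers and tests can see the decision.
    """
    if not verify_payload(payload, manifest):
        return {"status": "rejected", "reason": "payload digest mismatch",
                "command": None}
    command = build_silent_command(installer_path, manifest)
    if not dry_run:
        # The payload would be written to installer_path before this point;
        # execution is skipped in dry_run so the example runs offline.
        subprocess.run(command, check=True)
    return {"status": "verified", "reason": None, "command": command}


# --- Constructed sample data (not a real patch) --------------------------
CONSTRUCTED_PAYLOAD = b"MZ\x90\x00 constructed stand-in for a vendor patch binary"

# In practice the digest is pinned when the patch is fetched from the vendor;
# here it is computed from the constructed payload so the example is self-contained.
CONSTRUCTED_MANIFEST = UpdateManifest(
    product="ExampleApp",
    version="1.2.3",
    payload_sha256=sha256_hex(CONSTRUCTED_PAYLOAD),
    silent_args=("/quiet", "/norestart"),
)

TAMPERED_PAYLOAD = CONSTRUCTED_PAYLOAD + b"\x00"   # one extra byte


if __name__ == "__main__":
    good = apply_update(CONSTRUCTED_PAYLOAD, CONSTRUCTED_MANIFEST,
                        r"C:\Updates\ExampleApp-1.2.3.msi")
    bad = apply_update(TAMPERED_PAYLOAD, CONSTRUCTED_MANIFEST,
                       r"C:\Updates\ExampleApp-1.2.3.msi")
    print("original payload:", good["status"], good["command"])
    print("tampered payload:", bad["status"], bad["reason"])
```

The point of the digest gate is that suppressing the vendor's dialogs removes the one moment where a user might notice something odd about an installer, so the wrapper itself has to carry the integrity check the user no longer performs. A production wrapper would additionally verify the vendor's code signature on the payload and sign its own manifest, so that neither the repackager's server nor the transport becomes a single point of trust.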
It will be interesting to see how vendors respond, Kristensen said. "There will probably be some challenges. There will be some who will react and we'll have to deal with that."
Other companies have repackaged third-party software with their own installers for various reasons in the past. Some software distribution websites like Download.com do this to bundle browser toolbars for extra revenue.
However, Secunia will not add anything to its installer. "The only thing we want to do is apply a minimal patch without interacting with the user," Kristensen said.
In some cases vendors might distribute third-party toolbars or advertisements with their software updates themselves, in which case Secunia's silent installer could cut into their revenue stream.
According to Kristensen, software vendors have a responsibility to get security updates out to their users and there's no reason to ask users if they want to install toolbars or participate in other promotions when they're applying security updates.
"If you're offering new features, a new version, something more fancy -- fair enough -- get them to your website. Secunia doesn't want to get into that game. We don't want to push a new version to your users. That's not our goal," Kristensen said.
However, not all vendors deliver security patches separately from updates that also provide new features. "If they don't want us to repackage their installers, I only have one message for them: Provide a proper silent installer for the user or provide a different update mechanism that works for the user and it doesn't nag them," Kristensen said.
PSI 3.0 will remain in beta for several months, during which time Secunia will add support for additional software. The program is only available for Windows and the company doesn't have plans to release a version for other platforms at this time.
"The goal is to provide an automatic security updater for millions of users," Kristensen said, adding that it will be one of the biggest patch management platforms on the planet, probably surpassed only by Microsoft's WSUS (Windows Server Update Services) and Windows Update service.