Educause Security Discussion mailing list archives
Re: Checking for old web browsers and media plugins
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Wed, 18 Feb 2009 16:44:23 -0600
I've been fairly impressed with Secunia's product as well. Seems like it'd be a decent way to manage your golden image before distributing via PatchLink or BigFix or something. -jml
Curt Wilson <curtw () SIU EDU> 2009-02-18 15:54 >>>
This puts the onus on the driver but the Secunia Online Software Inspector (req. Java) checks for approx. 70 common 3rd party apps + MS apps for missing patches. They have a personal software inspector PSI but that's licensed for home use only, and a network version (NSI) that we have been considering. It's not patch management, but it is at least alerting that the latest client side exploit of the week might hit the person's Adobe Reader/QuickTime/browser/Flash/Java/etc. I do not work for Secunia and have no interest in promoting their product but I've found these useful in an environment with lots of unmanaged machines.

Adam Carlson wrote:

Have you tried running Nessus scans with credentials against Windows systems? When Nessus can connect to the target system's registry and is provided administrator credentials, Nessus can see which applications are installed and find outdated 3rd party applications in need of patching (like Java, Adobe Reader/Flash, iTunes, Firefox, AOL Instant Messenger, RealPlayer, QuickTime, etc. and many more). Despite using BigFix for centralized patch management, we recently discovered an outdated version of the Opera web browser with its own outdated version of Flash via Nessus and a registry connection. While BigFix does support some 3rd party applications, it doesn't claim to or try to track them all (no patching solution currently does this), so it was not surprising that BigFix hadn't patched Opera. As you've pointed out, two of the biggest challenges are knowing which 3rd party applications may be installed and which of those that are installed need security updates. The Nessus people have done a good job of fulfilling those two requirements. They definitely don't track every application in the world, but when I was using Nessus in bank audits, I was surprised more than a few times by its ability to identify security holes in applications I had never even heard of. Running Nessus with credentials/registry access gives an order of magnitude more information about the system and can detect many more vulnerabilities than a network-only scan can gather. Your idea of using your web applications to detect outdated plugins/browsers would still work very well for external users and I would see it as complementary to Nessus scans, but I would also encourage you to look into running Nessus with credentials since you already have purchased the software.

-Adam

Bob Bayn wrote:

We've seen some drive-by compromises here lately. We run weekly Nessus scans every week against all of our active IPs but those scans don't discover things like old web browsers or missing updates on various media plugins. We are wondering if it would be productive to put some detection and reporting of obsolete browser or media plugins into some of our commonly used local web pages (access to our CMS or ERP) so we can encourage some updating before the drive-by events happen. Is anybody doing this or considering it?

Bob Bayn (435)797-2396
Security Team coordinator
"IT will NEVER ask for your password via email, honest!"
Office of Information Technology at Utah State University
-- Curt Wilson SIUC IT Security Officer & Security Engineer
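Bob Bayn's idea of having a local web page flag obsolete browsers and media plugins, as an added illustration that is not code from anyone in this thread: a small client-side check that parses the User-Agent string and the `navigator.plugins` entries against a minimum-version table and returns what is out of date, so the page can show an "update before you continue" notice. The minimum versions and the sample UA/plugin data are constructed placeholders, not policy from the thread.

```javascript
// Minimum acceptable versions (constructed placeholders; set from your own
// advisory tracking, e.g. what Secunia or Nessus currently flags).
const MIN_VERSIONS = {
  Firefox: [3, 0, 6],
  MSIE: [7, 0],
  Chrome: [1, 0],
  "Shockwave Flash": [10, 0],
  QuickTime: [7, 6],
};

// Pull the first dotted/underscored version out of a string: "9.0 r124" -> [9,0].
function parseVersion(s) {
  const m = String(s).match(/\d+(?:[._]\d+)*/);
  return m ? m[0].split(/[._]/).map(Number) : null;
}

// Component-wise compare; missing trailing components count as 0.
function versionLess(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Browser name and version from the UA string ("Firefox/3.0.3", "MSIE 6.0").
function browserFromUA(ua) {
  const m = ua.match(/(Firefox|Chrome|MSIE)[\/ ](\d+(?:\.\d+)*)/);
  return m ? { name: m[1], version: parseVersion(m[2]) } : null;
}

// plugins: array of {name, description} as navigator.plugins exposes them.
// Returns one finding per component that is below its minimum.
function findOutdated(ua, plugins) {
  const findings = [];
  const flag = (component, found) =>
    findings.push({ component, found: found.join("."), minimum: MIN_VERSIONS[component].join(".") });
  const b = browserFromUA(ua);
  if (b && MIN_VERSIONS[b.name] && versionLess(b.version, MIN_VERSIONS[b.name])) flag(b.name, b.version);
  for (const p of plugins) {
    const key = Object.keys(MIN_VERSIONS).find((k) => p.name.startsWith(k));
    if (!key) continue;
    // Version is usually in the description; fall back to the plugin name.
    const v = parseVersion(p.description) || parseVersion(p.name);
    if (v && versionLess(v, MIN_VERSIONS[key])) flag(key, v);
  }
  return findings;
}

// Constructed sample input standing in for navigator.userAgent / navigator.plugins.
const SAMPLE_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3";
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 9.0 r124" },
  { name: "QuickTime Plug-in 7.6", description: "The QuickTime Plugin allows you to view multimedia content." },
];
```

In the page itself, call `findOutdated(navigator.userAgent, Array.from(navigator.plugins))` and render the findings as a banner or POST them to a local reporting endpoint; note that modern browsers expose far less through `navigator.plugins` than the 2009 browsers discussed here, so the plugin half of the check is most useful for legacy fleets.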
Current thread:
- Checking for old web browsers and media plugins Bob Bayn (Feb 18)
- <Possible follow-ups>
- Re: Checking for old web browsers and media plugins Dean De Beer (Feb 18)
- Re: Checking for old web browsers and media plugins Gary Flynn (Feb 18)
- Re: Checking for old web browsers and media plugins Adam Carlson (Feb 18)
- Re: Checking for old web browsers and media plugins Gary Flynn (Feb 18)
- Re: Checking for old web browsers and media plugins Curt Wilson (Feb 18)
- Re: Checking for old web browsers and media plugins John Ladwig (Feb 18)
- Re: Checking for old web browsers and media plugins Curt Wilson (Feb 18)
- Re: Checking for old web browsers and media plugins Adam Carlson (Feb 18)
- Re: Checking for old web browsers and media plugins Bob Bayn (Feb 20)