Re: Checking for old web browsers and media plugins

[John Ladwig <John.Ladwig () CSU MNSCU EDU>]

I've been fairly impressed with Secunia's product as well.  Seems like it'd be a decent way to manage your golden image 
before distributing via PatchLink or BigFix or something.

   -jml

> > > Curt Wilson <curtw () SIU EDU> 2009-02-18 15:54 >>>
This puts the onus on the driver but the Secunia Online Software
Inspector (req. java) checks for approx. 70 common 3rd party apps + MS
apps for missing patches. They have a personal software inspector PSI
but that's licensed for home use only, and a network version (NSI) that
we have been considering. It's not patch management, but it is at least
alerting that the latest client side exploit of the week might hit the
persons Adobe reader/Quicktime/browser/Flash/Java/etc.

I do not work for secunia and have no interest in promoting their
product but I've found these useful in an environment with lots of
unmanaged machines.


Adam Carlson wrote:
> Have you tried running Nessus scans with credentials against Windows
> systems?  When Nessus can connect to the target system's registry and is
> provided administrator credentials, Nessus can see which applications
> are installed and find outdated 3rd party applications in need of
> patching(like Java, Adobe Reader/Flash, iTunes, Firefox, AOL instant
> messenger, RealPlayer, Quicktime, etc. and many more).
>
> Despite using BigFix for centralized patch management, we recently
> discovered an outdated version of the Opera web browser with it's own
> outdated version of Flash via Nessus and a registry connection.  While
> BigFix does support some 3rd party applications, it doesn't claim to or
> try to track them all(no patching solution currently does this), so it
> was not surprising that BigFix hadn't patched Opera.
>
> As you've pointed out, two of the biggest challenges is knowing which
> 3rd party applications may be installed and which of those that are
> installed, need security updates.  The Nessus people have done a good
> job of fulfilling those two requirements.  They definitely don't track
> every application in the world, but when I was using Nessus in bank
> audits, I was surprised more than a few times by its ability to identify
> security holes in applications I had never even heard of.
>
> Running Nessus with credentials/registry access gives an order of
> magnitude more information about the system and can detect many more
> vulnerabilities than a network-only scan can gather.
>
> Your idea of using your web applications to detect outdated
> plugins/browsers would still work very well for external users and I
> would see it as complimentary to Nessus scans, but I would also
> encourage you to look into running Nessus with credentials since you
> already have purchased the software.
>
> -Adam
>
> Bob Bayn wrote:
> > We've seen some drive-by compromises here lately.  We run weekly Nessus scans every week against all of our active 
> > IPs but those scans don't discover things like old web browsers or missing updates on various media plugins.  We are 
> > wondering if it would be productive to put some detection and reporting of obsolete browser or media plugins into 
> > some of our commonly used local web pages (access to our CMS or ERP) so we can encourage some updating before the 
> > drive-by events happen.  Is anybody doing this or considering it?
>
>
> > Bob Bayn     (435)797-2396     Security Team coordinator
> > "IT will NEVER ask for your password via email, honest!"
> > Office of Information Technology at Utah State University

-- 
Curt Wilson
SIUC IT Security Officer & Security Engineer