And indeed Secunia seems to have developed a very good reputation, by discovering a number of major vulnerabilities and getting their developers (commercial or open source) to fix them early.
Secunia provides security vulnerability advisories and maintains a list of vulnerabilities discovered by their research specialists (some of which are greyed out and marked "Pending Disclosure" ... interesting).
They also provide "Binary Analysis" reports for purchase but only by certain types of companies and organizations (so as not to help the crooks, I imagine). These are in-depth analyses of a restricted number of vulnerabilities that they apparently regard as the most dangerous and/or interesting.
If you examine the above lists, you should feel rather scared about what you're running on your system! You'll find some very familiar free and retail software products mentioned, ones that many of us use (such as media players, PDF viewers, Office suites, web browsers, and amazingly even security products too).
A lot of them are desktop products that run under Windows, the easiest and largest target for malware, but you'll notice that Linux and various enterprise platforms rate a mention here and there.
Apart from the Binary Analysis reports, Secunia also offers three types of vulnerability scanning:
- Simple free online scan, run via your browser, which checks some 70 software products on your PC
- A free personal desktop (home user) utility, called Personal Software Inspector, or PSI.
- For enterprise users, a retail product called Secunia NSI (watch this Flash demonstration to find out more about NSI)
This article is about the free Secunia PSI desktop utility for Windows.
PSI version 1.0 was released in late November, after well over a year of beta testing by users all around the globe (including yours truly). I've been testing it for a week before posting this report.
Secunia's stated idea for the Personal Software Inspector was to make it possible for all PC users to secure the programs on their PCs; to raise awareness about the need for patching insecure programs; to bring software vulnerability reports ("which Secunia is famous for") to the end user in a manner that makes sense and is feasible for all PC users; and to provide end users with a single point for all relevant security information and patches.
From my experience, what does all this mean in practice?
Importantly, not all software providers offer such mechanisms. Many users have no idea about the overall status of software on their PCs. Are new versions or patches/fixes available? How do I get them for some of the obscure software on my system? If they're security fixes, will I get them applied in time to prevent exploits?
This is where Secunia PSI steps in, and in my opinion does a good job. It provides you with regular and consistent awareness of, and control over, the patching of a wide range of Windows software. That is, it prods and nudges you and gets you to improve your software housekeeping that you might otherwise put off until mañana (and we all know that tomorrow never comes).
PSI is a very lightweight utility, with a download size of only 0.5 Mb, and is available in English, Danish and German. It installs quickly, sits unobtrusively in the Windows system tray continually monitoring for threats, popping up warnings and information about software installations/uninstallations.
You start off a scan whenever it pleases you, and it works its way through your system examining a wide range of Windows programs and determining if each one is missing important security patches and updates.
Click on the adjacent thumbnail to see the results of a recent scan on my own system. Here's a brief explanation of the numbered points.
Point (1) shows that I have a back-level version of WinZip installed, which I know about but rarely use and so I'm not at all concerned about this, but at least PSI keeps reminding me about the potential security exposure from WinZip 7.
Points (2) and (3) relate to Adobe Systems software that I have now removed. I've explained that I don't use Adobe Reader any more (see Foxit Reader 3.0 released, now it's even easier to read PDF documents) and Adobe AIR was there for an old test and not used any more anyway.
Points (4) and (5) warn me about version 2 of Firefox and OpenOffice being out of date, but I was about to upgrade to the latest version (release 3) of both of these anyway, and have done so now.
Point (6) reminds me that I have multiple older versions of Java Runtime Environment installed (there are some technical reasons for this), and I've subsequently updated to the jazzy new version anyway (see Sun releases a major Java runtime and SDK update - Java SE 6 Update 10).
Regarding point (7), I'm not too sure why I even have WinPcap on my system, but at least I know that it's a back-level version!
Point (8) is a column showing Secunia's threat rating level (amber and red indicate that some action should be taken).
Point (9) is a beauty. If you click on the "download" icon in a given row, you are transferred to the download function (usually a web page) for obtaining the current release of the product shown in that row of the report, obviating a painful hunt to find how to get and apply the update. And point (10) takes you to the Secunia forum where you may find out more about issues with the product.
Finally, point (11) is a chart that builds up over time to show the vulnerability status of your system.
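To make the check behind a report like this concrete, here is a small Python model of what a patch scanner such as PSI does: compare each installed version against an advisory table and flag back-level copies with a rating and a download link. This is an added illustration, not Secunia's code; the advisory table, installed list and links are constructed sample data that mirror the numbered points above.

```python
# Added illustration of the check a patch scanner such as PSI performs.
# Advisory table, installed list and links are constructed sample data.

def parse_version(text):
    """'2.0.0.18' -> (2, 0, 0, 18); string comparison would rank '9.0' above '10.0'."""
    return tuple(int(part) for part in text.split("."))

# product -> (oldest version with no known unpatched issue, rating if older, download link)
ADVISORIES = {
    "WinZip":                   ("11.0",     "red",   "https://example.invalid/winzip"),
    "Firefox":                  ("3.0",      "amber", "https://example.invalid/firefox"),
    "OpenOffice":               ("3.0",      "amber", "https://example.invalid/openoffice"),
    "Java Runtime Environment": ("1.6.0.10", "red",   "https://example.invalid/java"),
    "WinPcap":                  ("4.0.2",    "amber", "https://example.invalid/winpcap"),
}

# Constructed scan result: several JRE versions side by side (point 6 above)
# and one product the advisory table does not cover.
INSTALLED = [
    ("WinZip", "7.0"),
    ("Firefox", "2.0.0.18"),
    ("OpenOffice", "2.4"),
    ("Java Runtime Environment", "1.6.0.10"),
    ("Java Runtime Environment", "1.5.0.15"),
    ("Java Runtime Environment", "1.4.2"),
    ("WinPcap", "3.1"),
    ("Foxit Reader", "3.0"),
]

def scan(installed, advisories):
    """One finding per installed entry: (product, version, status, rating, download link)."""
    findings = []
    for product, version in installed:
        if product not in advisories:
            findings.append((product, version, "not covered", "none", None))  # no data, cannot vouch
            continue
        secure, rating, link = advisories[product]
        if parse_version(version) < parse_version(secure):
            findings.append((product, version, "insecure", rating, link))
        else:
            findings.append((product, version, "patched", "green", None))
    return findings

def summary(findings):
    """Count findings by status for an overall picture of the system."""
    counts = {"insecure": 0, "patched": 0, "not covered": 0}
    for _, _, status, _, _ in findings:
        counts[status] += 1
    return counts
```

Note that the old JRE copies are still flagged even though the current one is installed alongside them, which is exactly why point (6) keeps appearing until they are removed.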
I heartily recommend that you install and keep actively using Secunia PSI.