
Forum Thread: Data loss - Never allow PSI to perform automatic updates!

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
ejoakim Data loss - Never allow PSI to perform automatic updates!
Member 2nd Jul, 2012 20:14
Ranking: 0
Posts: 4
User Since: 11th Jun, 2011
System Score: N/A
Location: SE
Last edited on 2nd Jul, 2012 20:16

For some reason, I thought the check box labeled "Install updates automatically" in PSI 3 referred to keeping PSI itself up to date. It does not!

I was doing work using my computer when out of nowhere, the "Would you like to save before closing?" dialog popped up. One second later, I was still looking confused when the dialog and the rest of my applications disappeared. I was then immediately logged out, as Windows proceeded to reboot my computer. Upon examining the event log, a series of silent software updates had been installed without my approval, one of which caused msiexec to initiate a no-questions-asked reboot.

How is such a dangerous option even included? It should at least carry a warning, not to mention a more accurate description!
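The event-log check described in the post above can be done as a correlation over exported events. This is an added example, not part of the original post or of PSI: it relies on Windows logging User32 event 1074 when a process initiates a restart and MsiInstaller events 1033 (product installed) and 1038 (restart required). The export format and the sample lines, with shortened messages, are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample export: time,provider,event id,message (not real log data).
SAMPLE = """\
2020-01-15T18:40:00,MsiInstaller,1033,Windows Installer installed the product. Product Name: Example Archiver. Product Version: 2.1. Installation success or error status: 0.
2020-01-15T19:58:03,MsiInstaller,1033,Windows Installer installed the product. Product Name: Example Reader. Product Version: 1.0. Installation success or error status: 0.
2020-01-15T19:59:40,MsiInstaller,1033,Windows Installer installed the product. Product Name: Example Player. Product Version: 3.2. Installation success or error status: 0.
2020-01-15T19:59:41,MsiInstaller,1038,Windows Installer requires a system restart. Product Name: Example Player. Product Version: 3.2. Type of System Restart: 1.
2020-01-15T19:59:42,User32,1074,The process msiexec.exe has initiated the restart of computer PC1 on behalf of user SYSTEM
2020-01-15T21:30:00,User32,1074,The process Explorer.EXE has initiated the restart of computer PC1 on behalf of user alice
"""

PRODUCT = re.compile(r"Product Name: (.+?)\. Product Version:")

def parse(text):
    """Split each exported line into (timestamp, provider, event id, message)."""
    events = []
    for line in text.strip().splitlines():
        ts, provider, event_id, message = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), provider, int(event_id), message))
    return events

def msi_restarts(events, window=timedelta(minutes=10)):
    """For every restart initiated by msiexec.exe (User32 event 1074), list the
    MSI products installed (1033) or requesting a restart (1038) shortly before."""
    findings = []
    for ts, provider, event_id, message in events:
        if (provider, event_id) != ("User32", 1074) or "msiexec.exe" not in message.lower():
            continue
        installed, wanted_restart = [], []
        for t, p, e, m in events:
            name = PRODUCT.search(m)
            if p != "MsiInstaller" or not name or not timedelta(0) <= ts - t <= window:
                continue
            if e == 1033:
                installed.append(name.group(1))
            elif e == 1038:
                wanted_restart.append(name.group(1))
        findings.append({"restart": ts, "installed": installed, "requested_restart": wanted_restart})
    return findings

if __name__ == "__main__":
    for finding in msi_restarts(parse(SAMPLE)):
        print(finding)
```

Windows Installer's `/norestart` switch and `REBOOT=ReallySuppress` property are the standard ways for a deployment tool to keep a silent MSI from restarting the machine.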

mogs RE: Data loss - Never allow PSI to perform automatic updates!
Expert Contributor 2nd Jul, 2012 20:26
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Hello.
Have you not read the PSI FAQs?
As follows : an excerpt from same :-
How do I update my programs with the Secunia PSI?

The Secunia PSI interface will show you all detected insecure programs on your machine. Many commonly used programs can be automatically updated, and the only necessary action when it comes to them will be to select which language should be installed. For auto-updatable programs without localisation options, no actions are required.

For programs that cannot be auto-updated, use the "Click to update" button (or "Install Solution" in PSI 2.x or the blue download arrow in PSI 1.x). With most popular programs, this will silently install a Secunia SPS package. For more information on SPS, please see this section of our FAQ. For programs that do not yet have an SPS installer, you can proceed with the installation as usual.

If you do not wish any automatic updates to be performed, you can simply disable it during the install of the Secunia PSI. It can also be enabled and disabled in the settings of the Secunia PSI.
http://secunia.com/vulnerability_scanning/personal...

--
ejoakim RE: Data loss - Never allow PSI to perform automatic updates!
Member 2nd Jul, 2012 21:07
Score: 0
Posts: 4
User Since: 11th Jun 2011
System Score: N/A
Location: SE
Last edited on 2nd Jul, 2012 21:10
Many software applications feature an option to automatically check for updates. When I see a check box labeled "Install updates automatically", my first reaction is that this controls a feature similar to what I've become accustomed to by other software. There is nothing about this label to indicate that perhaps I should put more thought into this particular decision.

How can you expect a user to read through an FAQ upon seeing this plain check box? Or do you expect every user to read it all before launching the installer? This doesn't seem like optimal use of thousands of users' time. It also sets the tone that you don't believe in your own UI's ability to help the user, and don't want to take responsibility for it.

In short: FAQs are no replacement for an inadequate UI.
mogs RE: Data loss - Never allow PSI to perform automatic updates!
Expert Contributor 2nd Jul, 2012 21:33
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
As your "User since" date is over a year ago I would have thought you to be more familiar.
I still regularly glance thro' them (FAQs) particularly when versions change/are added.
I can't say that I'm particularly au fait with the PSI 3.0 UI....tho' I did give it a spin when in Beta some time back.....that would really have been the time to have pointed out your dissatisfaction.....if it really is dangerous: rather strange that nobody else seemed to raise the matter.

--
Maurice Joyce RE: Data loss - Never allow PSI to perform automatic updates!
Handling Contributor 2nd Jul, 2012 22:06
Score: 11560
Posts: 8,884
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 2nd Jul, 2012 22:06
@ejoakim,

I agree. The dumbed down FAQ should only be used as a last resort. They have become a "wise man's (last resort) guide & a fool's bible". It does not really cover your problem in any case.

With version 3 the answer to part of your question is on the PSI interface by clicking the Need Help? button (bottom right).

Once again this is before or after the event reading. As U point out, what is missing (amongst many other helpful educational features) is the correct wording descriptions of actions that the programme intends taking.

If what U say is correct there appears a major flaw in PSI 3. Even though U may well have given Secunia third party rights to auto update a PC that should not include a reboot without a user option to abort/delay that action.

The User Manual does not help either. In doing a little research it looks like PSI 3 has been released with a PSI 3 BETA Manual!!!!

http://secunia.com/?action=fetch&filename=Secunia_...

I would email support at support@secunia.com to ascertain the exact position regarding this reboot action.


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
ejoakim RE: Data loss - Never allow PSI to perform automatic updates!
Member 2nd Jul, 2012 22:09
Score: 0
Posts: 4
User Since: 11th Jun 2011
System Score: N/A
Location: SE
I understand that this feedback would have been more useful during beta, but I didn't question the meaning of the option until this happened. I guess it's quite rare for PSI to launch a patch while you're using the subject application (thus necessitating a reboot as the files are in use).
Anthony Wells RE: Data loss - Never allow PSI to perform automatic updates!
Expert Contributor 2nd Jul, 2012 22:32
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi ,

This specific problem of the wording being unclear as to whether it refers to the PSI or to the software it is detecting on your computer was raised during Beta testing and was remarked on by a Secunia Official (from Support); I guess it got lost somewhere in the mix.

One could argue that as the PSI is a "vulnerability checker/updater" it should be obvious what it refers to but, as you say, you have a "programmed" response to seeing the "box"; so you might like to remind Support when/if you email them (as suggested by Maurice) that this confusion still exists.

Take care

Anthony

PS: if you right click the tray icon and select "Privacy Statement" you can get at the User Manual and the FAQ's.

--


It always seems impossible until its done.
Nelson Mandela
