
Forum Thread: Auto-Updates: ticking the boxes

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI 2.0 Beta

This thread has been marked as locked.
taffy078 Auto-Updates: ticking the boxes
Contributor 12th Jun, 2010 06:52
Ranking: 408
Posts: 1,335
User Since: 26th Feb, 2009
System Score: 100%
Location: UK
Auto-updates delivered its promise! Brilliant.

But what I hadn't realised until now is that after it has done its job, some of the ticks disappear - presumably those it has updated?

So just a reminder to 'basic' users such as myself to keep checking the "Auto-Updates" tab to make sure all the boxes you want ticked are still ticked.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003

Leendert Kip Auto-Updates: ticking the boxes
Member 12th Jun, 2010 07:43
Score: 70
Posts: 526
User Since: 22nd Jan 2009
System Score: 100%
Location: NL
You are right. Yesterday Flash was updated automatically and after that the 'tick' from the box disappeared. So I ticked again. Also, there is no history kept. Maybe some explanation from Secunia support necessary?

--
PC: JJ Computer Services
Intel Core I3 2100 3.1Ghz
DDR3 Kingston ValueRam 4GB 1333
Windows 7 Home Premium 64bits SP1
Secunia PSI 3.0.0.9016
Internet Explorer 9
Mozilla Firefox 31NL

Laptop: MSI GT780DX
Intel Core I5-2450
DDR3 RAM 6GB
Windows 7 Home Premium 64bits SP1
Secunia PSI 3.0.0.9016
Internet Explorer 11
Mozilla Firefox 31NL
Was this reply relevant?
+0
-0
Maurice Joyce RE: Auto-Updates: ticking the boxes
Handling Contributor 12th Jun, 2010 17:13
Score: 11736
Posts: 8,984
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Looks like a very responsible attitude by Secunia.

For very good reasons, fault finding if things go wrong being one of them, many users will NEVER allow any vendor, this includes Microsoft, from ever taking control of a PC by allowing automatic updating unless it is anti viral definitions within an established installed programme.

Looking at it rationally there is no real difference in allowing anyone to drive your brand new car unsupervised without even bothering to check his/her driving licence, personal insurance or physical fitness to drive.

I believe, and hope, they are asking U to tick a box each time U wish to update a programme they have found as vulnerable that has a vendor patch available. It will then attempt a one off auto update to save the user all the normal hassle. That way, the user remains in control & should get a perfect fix.

We are dealing with a TP version but as @Leendert Kip says the response from Secunia will be of interest.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+2
-1
Leendert Kip Auto-Updates: ticking the boxes
Member 12th Jun, 2010 17:34
Score: 70
Posts: 526
User Since: 22nd Jan 2009
System Score: 100%
Location: NL
Last edited on 12th Jun, 2010 17:35
Hi Maurice, thanks for the excellent explanation on the unticking after an update is processed. I didn't see any reason for that after my first experience with auto update and now I understand why.

--
PC: JJ Computer Services
Intel Core I3 2100 3.1Ghz
DDR3 Kingston ValueRam 4GB 1333
Windows 7 Home Premium 64bits SP1
Secunia PSI 3.0.0.9016
Internet Explorer 9
Mozilla Firefox 31NL

Laptop: MSI GT780DX
Intel Core I5-2450
DDR3 RAM 6GB
Windows 7 Home Premium 64bits SP1
Secunia PSI 3.0.0.9016
Internet Explorer 11
Mozilla Firefox 31NL
Was this reply relevant?
+0
-0
Maurice Joyce RE: Auto-Updates: ticking the boxes
Handling Contributor 12th Jun, 2010 18:26
Score: 11736
Posts: 8,984
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Only Secunia can say how it should really work.

My observation is just that. I believe the tick is removed after each update which would make it responsible & controlled updating.

What they are really doing is providing a direct link from the vendor to end user which is a very nice feature but it does require the vendor to get his updating procedure correct.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
taffy078 RE: Auto-Updates: ticking the boxes
Contributor 12th Jun, 2010 22:44
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
What attracted me to the Secunia forum was the way that they empathise with 'basic' PC users i.e. such as me.

For example, on the Forum tab Secunia says: "Updating And Patching - not always an easy task" and "Got a Problem Patching a Program? - you're not alone."

The Auto-Update facility is brilliant, in my view. The purpose of my starting this thread is to remind everyone like me
on 12th Jun, 2010 06:52, taffy078 wrote:
to keep checking the "Auto-Updates" tab to make sure all the boxes you want ticked are still ticked.


To quote the Auto-Updates tab "Simply check the 'Auto-Update' box for each of the programs for which you want the Secunia PSI to automatically download and install the required updates".

Perhaps this could be expanded to state "Keep checking the Auto-Updates tab to make sure all the boxes you want ticked are still ticked".

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
This user no longer exists RE: Auto-Updates: ticking the boxes
Member 15th Jun, 2010 11:25
Hi,

The check in the boxes should now hopefully stay in place, even after an update.
We understand that some of you like the idea of the check removing itself after an update. However, this is not the intended use for the Auto-Update tab. Our goal is to make patching as easy as at all possible for users, so patches will indeed be silently installed in the background.

I suggest that anyone who wants to track updates closer stick to the old model of manual patching.

hope this helps.
Was this reply relevant?
+0
-0
Maurice Joyce RE: Auto-Updates: ticking the boxes
Handling Contributor 15th Jun, 2010 11:39
Score: 11736
Posts: 8,984
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Thanks Emil - That has clarified the auto fix box ticking for me.

Are U intending to link the patching back to the vendor (third party link) or are Secunia extracting the update from the vendor & packaging it for users?


I ask for example with Flash. As we know, if Flash is in use it will update but leave behind remnants of the old.

I assume U are calling the remnants zombies & somewhat harmless in terms of vulnerability?

If that is the case purists who want to remove these zombies must still do so manually unless your packaging includes this aspect (doubtful)?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
This user no longer exists RE: Auto-Updates: ticking the boxes
Member 15th Jun, 2010 12:05
Hi Maurice,
Currently, we only link directly to vendor patches. Our silent updates are possible only if there are silent install flags available for a package. We may need to create our own packages to "silence" some installers, however. Stay tuned for updates.

The Zombie files are, quite correctly, the files left behind when installing updates. There will be improved handling of these files in later versions. Currently, you must still remove the zombies, though (So there will probably still be need for your guides).

hope this helps.
Was this reply relevant?
+0
-0
thedillpickl RE: Auto-Updates: ticking the boxes
Contributor 15th Jun, 2010 16:38
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Hi All;

Maurice brings up a valid point of who's 'driving' your computer. Taffy expresses an equally valid point that some users just want to have a safe computing experience, without a hassle. I believe Secunia has, as explained by Emil, come up with a good plan for both camps.

I would like to make a couple of suggestions (getting off the topic a bit).

1) Add a button, maybe in the "Auto Update" section, to show/not show zombie files. This would allow persons such as I to see "Insecure" zombie files the way we do now and allow us to deal with them. It would allow others to hide them, so as not to be bothered with the constant reminder that they are there.

2) Please keep 'bloatware' off the vendor links. The toolbars and such are a pain to remove once installed. Possibly the vendors will supply Secunia with special links to avoid this. A warning, next to the 'tick' box, stating that using it may download extra 'goodies' is another possibility.


Regards;

Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Was this reply relevant?
+1
-0
Anthony Wells RE: Auto-Updates: ticking the boxes
Expert Contributor 15th Jun, 2010 16:48
Score: 2437
Posts: 3,330
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 15th Jun, 2010 16:52
For Emil ,

I did ask on another thread , but didn't get an answer before it closed :-

http://secunia.com/community/forum/thread/show/445...

So , which browser , if any , will you use to collect/supply the auto-update ??

In addition , can you say whether you will be able to avoid the "ever so useful" extras that come with many downloads ??

Did I read correctly that Adobe Flash was only updated when there was/is a reboot ; does this still leave the ActiveX .ocx "zombies" behind ?? Have they now been downgraded in the insecurity/vulnerability stakes ??

Everything else looks OK .

Take care
Anthony


EDIT : my posting crossed with that from Fred , but it looks like we have similar concerns .


--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+1
-0
Leendert Kip Auto-Updates: ticking the boxes
Member 15th Jun, 2010 16:58
Score: 70
Posts: 526
User Since: 22nd Jan 2009
System Score: 100%
Location: NL
Last edited on 15th Jun, 2010 17:02
In my case auto update for Flash worked out excellent! No problem during update and no zombie-files left! My only remark was that the tick from the selection box disappeared after update (already solved by Secunia) and that there is no history data.

--
PC: JJ Computer Services
Intel Core I3 2100 3.1Ghz
DDR3 Kingston ValueRam 4GB 1333
Windows 7 Home Premium 64bits SP1
Secunia PSI 3.0.0.9016
Internet Explorer 9
Mozilla Firefox 31NL

Laptop: MSI GT780DX
Intel Core I5-2450
DDR3 RAM 6GB
Windows 7 Home Premium 64bits SP1
Secunia PSI 3.0.0.9016
Internet Explorer 11
Mozilla Firefox 31NL
Was this reply relevant?
+0
-0
thedillpickl RE: Auto-Updates: ticking the boxes
Contributor 15th Jun, 2010 20:42
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Last edited on 15th Jun, 2010 23:08
Add to wish list:

A log file with Auto Update history (thanks Leendert Kip), so that people like me can look under the hood. Please place the filename in PSI somewhere so that those of us with bad memories can find it. Better yet, how about a button to open it for us? (What's up with me & buttons lately?)


Fred

Edit:

Whoops! Just looked at "Auto Updates", it has an "Update history" list, but...

> Is this a permanent record?

> Is this record a file on my computer or on a Secunia server?

> If stored on my computer, can I look at it without PSI (.txt file, etc.)?

> Does this list have a length limit as to how many updates it will store?

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Was this reply relevant?
+1
-0
This user no longer exists RE: Auto-Updates: ticking the boxes
Member 16th Jun, 2010 09:02
Last edited on 16th Jun, 2010 09:09
on 15th Jun, 2010 16:38, thedillpickl wrote:

2) Please keep 'bloatware' off the vendor links. The toolbars and such are a pain to remove once installed. Possibly the vendors will supply Secunia with special links to avoid this. A warning, next to the 'tick' box, stating that using it may download extra 'goodies' is another possibility.


Hi Fred,
We do try to avoid bloatware in our silent installs. Including bloatware that can't be deselected in an installer is a criterion for being marked as "no go" for auto updates. If you discover any silent installs including bloatware, please contact us at support@secunia.com so we can remedy the situation.

on 15th Jun, 2010 16:48, Anthony Wells wrote:

So , which browser , if any , will you use to collect/supply the auto-update ??

Did I read correctly that Adobe Flash was only updated when there was/is a reboot ; does this still leave the ActiveX .ocx "zombies" behind ?? Have they now been downgraded in the security/vulnerability stakes ??
Take care
Anthony
.


Hi Anthony,

I hope that the one of your questions I "ignored" will be answered by my reply to Fred. Otherwise, just let me know.

The PSI doesn't use a browser for the automatic updates. It fetches the file in the background, and runs the executable all by itself. It's just a little Secunia auto-magick. ;)

The Flash updates aren't installed during a reboot. Once you've flagged a program for auto-update, the PSI will download the update it's supposed to be installing, then check if the program is running every minute. Once the program is no longer running, the executable will be run in the background.

The Zombie files should now have been downgraded in threat rating. A zombie file is flagged if there are two versions of the same software on one system - the old one is then a "zombie". So if you have Flash 10a, and install Flash10b, leaving 10a behind, 10a will be the "Zombie".

on 15th Jun, 2010 20:42, thedillpickl wrote:

A log file with Auto Update history (thanks Leendert Kip), so that people like me can look under the hood. Please place the filename in PSI somewhere so that those of us with bad memories can find it. Better yet, how about a button to open it for us? (What's up with me & buttons lately?)


There is already a way to obtain the "logs" for the PSI. If you exit the PSI, run cmd, and enter

    cd "C:\Program Files\Secunia\PSI"
    psi.exe --verbose --debug file.txt

the file.txt in C:\Program Files\Secunia\PSI will contain logs describing the various auto-updates and other operations.

on 15th Jun, 2010 20:42, thedillpickl wrote:

> Is this a permanent record?
> Is this record a file on my computer or on a Secunia server?
> If stored on my computer, can I look at it without PSI (.txt file, etc.)?
> Does this list have a length limit as to how many updates it will store?


The log will "remember" the last 5 auto-updates. This log can only be viewed from within the PSI, but the debug log described above will serve your purpose. The file is stored on your system.

Hope this helps.
Was this reply relevant?
+0
-0
Leendert Kip Auto-Updates: ticking the boxes
Member 16th Jun, 2010 09:11
Score: 70
Posts: 526
User Since: 22nd Jan 2009
System Score: 100%
Location: NL
Hi Emil, you say that the history for auto update keeps records for the last 5 updates. In my case there is no history record for the first update performed last week, which was that for Flash. Maybe it does not work well yet?

--
PC: JJ Computer Services
Intel Core I3 2100 3.1Ghz
DDR3 Kingston ValueRam 4GB 1333
Windows 7 Home Premium 64bits SP1
Secunia PSI 3.0.0.9016
Internet Explorer 9
Mozilla Firefox 31NL

Laptop: MSI GT780DX
Intel Core I5-2450
DDR3 RAM 6GB
Windows 7 Home Premium 64bits SP1
Secunia PSI 3.0.0.9016
Internet Explorer 11
Mozilla Firefox 31NL
Was this reply relevant?
+1
-0
This user no longer exists RE: Auto-Updates: ticking the boxes
Member 16th Jun, 2010 09:17
on 16th Jun, 2010 09:11, Leendert Kip wrote:
Hi Emil, you say that the history for auto update keeps records for the last 5 updates. In my case there is no history record for the first update performed last week, which was that for Flash. Maybe it does not work well yet?


Hi,

That log is a work-in-progress, and will improve over time. You shouldn't worry about it.
Was this reply relevant?
+0
-0
Anthony Wells RE: Auto-Updates: ticking the boxes
Expert Contributor 16th Jun, 2010 16:23
Score: 2437
Posts: 3,330
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 16th Jun, 2010 16:26
Hi Emil ,

Thank you very much for your reply .

Just to clarify the "zombie" (if that is even possible :)) , you say that PSI checks to see if the "program" is running , by that do you mean the "Flash" program - presumably not PSI ?? However , if "Flash" is not running then for ActiveX updating neither should be PSI ; so does the updater run when PSI is closed thereby removing the previous .ocx and no "zombie" as with LK , or am I missing something ?? Is this more auto-magick ?? Hence my question about rebooting .

Concerning the security marking for "Zombies" can we take it that the previous marking as in the "insecure" tab was too severe or will we get specific advice about any vulnerability they might engender .

I appreciate this is work in progress , so maybe my questions are irrelevant :)) Even so , no thumbs down , please :))

Take care
Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+0
-0
thedillpickl RE: Auto-Updates: ticking the boxes
Contributor 16th Jun, 2010 23:13
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
Hi Emil;

Thanks for all the input & help!

Glad to know Secunia is as concerned about bloatware as the rest of us. The "Auto Updates" (so far) appears to be 'cool'. Also glad zombies will still be listed so we can zap 'em.

Did the verbose load of PSI. The file.txt is there, opened in "Edit" because I couldn't remember what the text reader was called. Boy, the black box has changed a lot since I used it much. Found much useful(?) info, but where's the line showing the auto update PSI did of Flash NPAPI that is in the "Auto Updates" page? I see connection to Secunia, start up settings, connect to filesystem..., user interface loaded, adding/not adding <program> to auto update list, downloading software inspection rules, a scan and a whole bunch of scheduled scan calls.

Again, all your hard work is much appreciated.


Fred

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Was this reply relevant?
+0
-0
This user no longer exists RE: Auto-Updates: ticking the boxes
Member 17th Jun, 2010 09:00
Last edited on 17th Jun, 2010 09:06
Hi,

on 16th Jun, 2010 16:23, Anthony Wells wrote:

Just to clarify the "zombie" (if that is even possible :)) , you say that PSI checks to see if the "program" is running , by that do you mean the "Flash" program - presumably not PSI ?? However , if "Flash" is not running then for ActiveX updating neither should be PSI ; so does the updater run when PSI is closed thereby removing the previous .ocx and no "zombie" as with LK , or am I missing something ?? Is this more auto-magick ?? Hence my question about rebooting .


The PSI checks to see if a process is running before installing an upgrade. This way, we avoid a program being installed/upgraded while already running (which could cause problems).
The PSI does not execute any upgrades after shutting down. It schedules the update as soon as you check the "auto-update" box, then waits until the program isn't busy before executing.

(unknown source)

Concerning the security marking for "Zombies" can we take it that the previous marking as in the "insecure" tab was too severe or will we get specific advice about any vulnerability they might engender .


The previous security ratings for "zombie" files were not too severe - The vulnerabilities were, after all, still present in the dated software.
However, the software's exposure to threats (the internet, being used) is much smaller when there is a more recent version installed and being used - So even though a critical exploit might still be present in an (e.g.) old version of Adobe Reader, you'd have to open a dangerous file in that specific version of the program to get attacked (at least with the exploits still present in that version..)

The new ratings do not reflect that the vulnerabilities are somehow "less" dangerous when other versions are installed, but instead reflect a smaller degree of exposure.

on 16th Jun, 2010 23:13, thedillpickl wrote:

Did the verbose load of PSI. The file.txt is there, opened in "Edit" because I couldn't remember what the text reader was called. Boy, the black box has changed a lot since I used it much. Found much useful(?) info, but where's the line showing the auto update PSI did of Flash NPAPI that is in the "Auto Updates" page? I see connection to Secunia, start up settings, connect to filesystem..., user interface loaded, adding/not adding <program> to auto update list, downloading software inspection rules, a scan and a whole bunch of scheduled scan calls.


The log you've got now contains all the information you can access. The PSI will maintain the most recent 5 updates in history. To keep track of any updates the PSI installed automatically, just check back to the auto-update tab.

Hope this helps.
Was this reply relevant?
+0
-0
Anthony Wells RE: Auto-Updates: ticking the boxes
Expert Contributor 17th Jun, 2010 11:20
Score: 2437
Posts: 3,330
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello Emil ,

Thank you once again for your reply in "cleaning up " a "zombie" .

on 17th Jun, 2010 09:00, wrote:
Hi,

The new ratings do not reflect that the vulnerabilities are somehow "less" dangerous when other versions are installed, but instead reflect a smaller degree of exposure.

Hope this helps.


I think this information is crucial for someone - especially one less experienced - to understand the difference between an "insecure" listing and a "zombie" . I hope this will be prominently displayed in the relevant "tab" (I don't have a "zombie" to check on) .

Another question(s) ; location is critical , so will you be detecting I386 files and say "Windows.old" files as "zombies" or is that too complex ?? Are "back up" folders or drives detectable as such or are the "ignore rules" the way forward ??

Take care
Anthony





--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+0
-0
This user no longer exists RE: Auto-Updates: ticking the boxes
Member 17th Jun, 2010 12:13
Last edited on 17th Jun, 2010 12:14
Hi,

Zombie files get flagged if there is a more current version of the same software on the machine. We won't check for Windows.old, i386, or any other backup folders or drives.
If you want to exclude locations from your search results, Ignore Rules are still the way to go.

hope this helps.
Was this reply relevant?
+0
-0
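The zombie rule described in this thread (an older copy is a zombie when a more current version of the same software is on the machine, its severity unchanged but its exposure smaller, and Ignore Rules are the way to leave out folders such as Windows.old), as an added example that is not Secunia's code and not part of any post. The `Install` record, the 0-5 severity scale, the `exposure` field and every path and version in the sample inventory are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Install:
    product: str   # product name as a scanner would report it
    version: str   # dotted version string
    path: str      # file the version was read from
    severity: int  # constructed 0-5 scale: worst known unpatched flaw in this version


# Constructed sample inventory; every path and version is made up for this example.
SAMPLE_INVENTORY = [
    Install("Flash Player ActiveX", "10.0.45.2", r"C:\Windows\System32\Macromed\Flash\flash_old.ocx", 4),
    Install("Flash Player ActiveX", "10.1.53.64", r"C:\Windows\System32\Macromed\Flash\flash_new.ocx", 0),
    Install("Java JRE", "6.0.200", r"C:\Program Files\Java\jre6\bin\java.exe", 0),
    Install("Java JRE", "6.0.170", r"D:\Apps\SuiteApp\jre\bin\java.exe", 4),
    Install("Java JRE", "6.0.100", r"C:\Windows.old\Program Files\Java\jre6\bin\java.exe", 5),
    Install("Adobe Reader", "9.3.0", r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe", 4),
]


def version_key(version):
    """Numeric comparison key, so 6.0.9 < 6.0.20 and 10.0 == 10.0.0."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_ignored(path, ignore_rules):
    """True if path is an ignored folder or lies below one (case-insensitive)."""
    target = PureWindowsPath(path)
    for rule in ignore_rules:
        folder = PureWindowsPath(rule)
        if target == folder or folder in target.parents:
            return True
    return False


def classify(installs, ignore_rules=()):
    """Label every copy that is not ignored as secure, insecure or zombie."""
    by_product = defaultdict(list)
    for item in installs:
        if not is_ignored(item.path, ignore_rules):
            by_product[item.product.lower()].append(item)

    findings = []
    for copies in by_product.values():
        newest = max(version_key(c.version) for c in copies)
        for c in copies:
            if version_key(c.version) < newest:
                # Older copy next to a newer one: the flaw is still there
                # (severity untouched), only the exposure is smaller.
                status, exposure = "zombie", "reduced"
            elif c.severity > 0:
                status, exposure = "insecure", "normal"
            else:
                status, exposure = "secure", "normal"
            findings.append({"path": c.path, "product": c.product,
                             "version": c.version, "status": status,
                             "severity": c.severity, "exposure": exposure})
    return sorted(findings, key=lambda f: f["path"].lower())


if __name__ == "__main__":
    # Without Ignore Rules the Windows.old copy is reported like any other.
    for f in classify(SAMPLE_INVENTORY, ignore_rules=[r"C:\Windows.old"]):
        print(f'{f["status"]:<9} sev={f["severity"]} exposure={f["exposure"]:<8} {f["path"]}')
```

The copy on `D:` is flagged because it shares a product name with the newer system copy, whatever partition it sits on; whether it can be removed without breaking its parent program is a separate question the classification does not answer.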
Anthony Wells RE: Auto-Updates: ticking the boxes
Expert Contributor 17th Jun, 2010 12:20
Score: 2437
Posts: 3,330
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

That is clear , thank you Emil :)

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+0
-0
ottchris-primary RE: Auto-Updates: ticking the boxes
Member 17th Jun, 2010 13:35
Score: 5
Posts: 25
User Since: 19th Apr 2008
System Score: 100%
Location: UK
on 17th Jun, 2010 12:13, wrote:
Hi,

Zombie files get flagged if there is a more current version of the same software on the machine.


True for Google Chrome, not true for Sun Java JRE. Adobe CS5 installs multiple copies of JRE, in my case in four of the component app folders. These soon become out of date and are not updated along with the 'system copy' by the Java update process. It was the same with CS4 but rather than doing a problematic manual delete or update as I did with CS4, I intend to discuss the problem with Adobe. In the meantime, PSI has them under the Insecure Tab as 'Requires uninstall' not 'Zombie file'. Incidentally, AFAIK there is no way to 'uninstall' them except by manual deletion of files and registry entries. They are in a different partition to the system copy but they are not backups, the majority of my executables are installed in a dedicated partition separate from that of the OS. However, they are all on the same drive or "machine".


--
OS: Windows XP Pro SP3
Was this reply relevant?
+0
-0
ottchris-primary RE: Auto-Updates: ticking the boxes
Member 17th Jun, 2010 14:57
Score: 5
Posts: 25
User Since: 19th Apr 2008
System Score: 100%
Location: UK

Re "Zombie files get flagged if there is a more current version of the same software on the machine."

on 17th Jun, 2010 13:35, ottchris-primary wrote:
True for Google Chrome, not true for Sun Java JRE. Adobe CS5 installs multiple copies of JRE, in my case in four of the component app folders. These soon become out of date and are not updated along with the 'system copy' by the Java update process. It was the same with CS4 but rather than doing a problematic manual delete or update as I did with CS4, I intend to discuss the problem with Adobe. In the meantime, PSI has them under the Insecure Tab as 'Requires uninstall' not 'Zombie file'. Incidentally, AFAIK there is no way to 'uninstall' them except by manual deletion of files and registry entries. They are in a different partition to the system copy but they are not backups, the majority of my executables are installed in a dedicated partition separate from that of the OS. However, they are all on the same drive or "machine".


Having thought about it a bit more, it's probably reasonable not to designate the duplicate JRE installations as "Zombie". Nevertheless, the "uninstall" instructions are risky in that if followed through would probably result in the one system copy of JRE being removed.


--
OS: Windows XP Pro SP3
Was this reply relevant?
+0
-0
thedillpickl RE: Auto-Updates: ticking the boxes
Contributor 17th Jun, 2010 19:28
Score: 376
Posts: 872
User Since: 3rd May 2009
System Score: 100%
Location: US
@Emil;

Thank you!

--
XP Home
Chrome, Firefox, IE8
--
consilio et animis
Was this reply relevant?
+0
-0
This user no longer exists RE: Auto-Updates: ticking the boxes
Member 18th Jun, 2010 09:37
on 17th Jun, 2010 13:35, ottchris-primary wrote:
True for Google Chrome, not true for Sun Java JRE.

In the meantime, PSI has them under the Insecure Tab as 'Requires uninstall' not 'Zombie file'. Incidentally.


Hi,

Thank you for noticing this. In the future, Java JRE will be flagged as "Requires Uninstall", as well as a "zombie file". Our developers have been informed.
Was this reply relevant?
+0
-0
bwawsc RE: Auto-Updates: ticking the boxes
Member 20th Jun, 2010 00:08
Score: 3
Posts: 19
User Since: 17th Jun 2010
System Score: 97%
Location: US
There are programs that install their own copies of Java JRE, and don't keep them up to date - but removing them will break the parent program. Examples include Blurb's BookSmart and IBM's Lotus Notes and Domino. I was able to trick BookSmart into using the system copy of JRE by editing a couple of their configuration files, but that will only last until the next update of BookSmart. Lotus Notes I can't deal with, it has Java so embedded that any attempt to remove it will break Notes completely. I know the advice in the PSI UI is to use caution - and I suppose it's possible to mark them for Ignore. I would like to see something more explicit for known instances of this, though - not just "Zombie", which implies that it can be deleted as irrelevant, but something that tells you it's known that removing it will break the parent program.

--
Bill Walton
Was this reply relevant?
+0
-0
ottchris-primary RE: Auto-Updates: ticking the boxes
Member 20th Jun, 2010 03:09
Score: 5
Posts: 25
User Since: 19th Apr 2008
System Score: 100%
Location: UK
on 20th Jun, 2010 00:08, bwawsc wrote:
There are programs that install their own copies of Java JRE, and don't keep them up to date - but removing them will break the parent program.


I fully understand the point you are making. Indeed, I have no immediate intention of touching the multiple copies of JRE installed under Adobe CS5. Nevertheless, unless informed otherwise by either Adobe or Sun, we have to assume that those copies are security risks and therefore need to have a mechanism for updating them. At the moment probably only Adobe can address that requirement in this particular example. There is also the question why these additional copies are needed when an up to date 'system copy' is already installed. In the case of CS5 while there are several applications involved, the installation is one process. Does each application really need its own copy of JRE or is Adobe being lazy and simply collecting individual application installation processes together without bothering to modify them to allow for the fact that they are being installed as a suite? I'm writing this in order to remind myself to raise this with Adobe next week! :-)

--
OS: Windows XP Pro SP3
Was this reply relevant?
+1
-0
bwawsc RE: Auto-Updates: ticking the boxes
Member 20th Jun, 2010 03:53
Score: 3
Posts: 19
User Since: 17th Jun 2010
System Score: 97%
Location: US
on 20th Jun, 2010 03:09, ottchris-primary wrote:
...I'm writing this in order to remind myself to raise this with Adobe next week! :-)

Be sure to post your results - I'm sure there are several of us who would like an answer to these questions... :-)

--
Bill Walton
Was this reply relevant?
+0
-0
