Forum Thread: Please show alert for patched, but insecure programs

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI 2.0 Beta

This thread has been marked as locked.
mentin Please show alert for patched, but insecure programs
Member 1st Nov, 2010 07:16
Ranking: 4
Posts: 4
User Since: 13th Oct, 2010
System Score: N/A
Location: US
Last edited on 1st Nov, 2010 07:18

It seems like Secunia is moving in the direction of only showing the user what CAN BE PATCHED. So in the Scan Results page, it is all nice and green, no alerts - even though Adobe Flash has a critical vulnerability and IE has a low-priority vulnerability.

OK, I can see these two in the Secure Browsing page (even though it appears like Secunia is trying to hide it from me and only show it to 'advanced' users).

But I want to know about all KNOWN vulnerabilities to installed products, not just about vulnerabilities THAT CAN BE PATCHED.

E.g. if Acrobat Reader has a vulnerability, but there is no patch, I can think about uninstalling it and living without it for some time, or using FoxIt for now (and vice versa when FoxIt has a vulnerability).

Don't hide it, please make vulnerability assessment easily available. Otherwise, PSI is reduced to a 'what can I patch' tool, and that is not very valuable to me.

Patch management is nice, and I appreciate PSI trying to assist me in patching, especially with auto-patch. But I don't want to lose the security assessment tool.

M.Hansen RE: Please show alert for patched, but insecure programs
Secunia Official 1st Nov, 2010 12:58
Score: 188
Posts: 410
User Since: 26th Jan 2009
System Score: N/A
Location: Copenhagen, DK
Hi

The PSI is supposed to help users identify which programs are installed and which need to be updated with security patches.

We decided to add the "Secure Browsing" feature because Internet browsers are such a big target for vulnerabilities.

"Secure Browsing" will allow users to see if their browsers are affected by vulnerabilities that have not even been patched yet, allowing them to either:
1. Uninstall the program.
2. Use a different browser that is secure for browsing.
3. Apply any workaround (if any) which can be read in the Secunia Advisory.
4. Be extra careful when performing certain tasks (like opening specific files).
5. Ignore the warning (not recommended).

Making the PSI track unpatched vulnerabilities for all programs would interfere with our corporate product, the "Vulnerability Intelligence Feed (VIF)":
http://secunia.com/products/corporate/VIF
Anthony Wells RE: Please show alert for patched, but insecure programs
Expert Contributor 1st Nov, 2010 13:24
Score: 2437
Posts: 3,327
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello Morten,

That is sad news, as comments and replies to an earlier Beta suggested that Secunia was considering how to do exactly what @mentin was asking: i.e. to have a second listing for "advanced" users, alongside "secure browsing", which showed the installed programme "insecure, no solution" as vulnerable and the relevant SA.

Secunia provided the "Insecure Library Loading" list and that, along with my own knowledge of the status of my programmes - including data from SA's - allows me to "easily" compile my own list of "vulnerable" software and keep it in my head/write it down as in the good old pre-IT days. I could do a list for all my programmes' status, but I feel that is a job reasonably well done by the PSI and, incidentally, saves me enormous time and effort!!

Obviously, I don't know how this might clash with the commercial Secunia products and that you need to have some secrets only money can buy; but like I said, that is all rather triste when the aim is (supposedly) security for all, irrespective of whom they may be and what they can afford :)))))

Take care

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+7
-0
mentin RE: Please show alert for patched, but insecure programs
Member 1st Nov, 2010 19:07
Score: 4
Posts: 4
User Since: 13th Oct 2010
System Score: N/A
Location: US
Sad indeed, especially given that VIF is a corporate product, too expensive and complex for personal use. Not sure how they can overlap.

I would actually pay for a good product helping me keep my 3 home computers safe, if it would report all the known vulnerabilities and what can be patched, and had minimum automation (run weekly and send me a report without me having to log on to every computer).

But Secunia corporate products are obviously too expensive for personal use.
Was this reply relevant?
+4
-0
E.Jeppesen RE: Please show alert for patched, but insecure programs
Secunia Official 2nd Nov, 2010 11:18
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
on 1st Nov, 2010 07:16, mentin wrote:
It seems like Secunia is moving in the direction of only showing user what CAN BE PATCHED.


Actually the PSI has moved in the opposite direction of that. In the beginning the PSI would only inform the user of vulnerabilities that could actually be fixed (by installing an available patch from the vendor). Today the PSI also has a "Secure Browsing" tab showing many of the most essential programs and whether they are affected by a known vulnerability, even if the vendor has not yet released a patch.

The Secure Browsing tab is also present in the latest version of PSI 2.0 beta.
Anthony Wells RE: Please show alert for patched, but insecure programs
Expert Contributor 2nd Nov, 2010 13:05
Score: 2437
Posts: 3,327
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 2nd Nov, 2010 13:13
Actually, the first 2.0 PSI Betas removed all "secure browsing" data and this was subject to a considerable amount of user comment in the feedback on various threads. At the same time a lot of "embedded" programmes which cannot be directly patched but which have user workarounds have specifically been removed from scan results as they have no "easy/direct" patch available.

This was indeed rendering the PSI a "security patch checker" and not a "vulnerability checker", and those phrases were from the mouth of Secunia. Helping the inexperienced to a less traumatic updating event is most laudable, but not to the extent of reducing/ignoring the presentation of legitimate vulnerability data on "insecure, no solution" programmes when that data is readily available.

At least the "secure browsing" data (which refers to "browsers" and "some" of their plug-ins and extensions - the majority of which are not currently displayed) has been restored in version 1.9.0.4001; two steps back, one step forward.

For maximum impact the PSI should remain free to all home users, but as they are not all traumatised by updating, perhaps Secunia could reconsider displaying - for interested users - the data in question alongside the most estimable "secure browsing" stuff; that would really keep in closer step with the Danish national "Think, Block, Update" campaign. If you cannot update, perhaps you can take alternative action: block?!!

I would be most interested to learn/understand how this would conflict with a/the commercial programme(s) and Secunia's developing reputation within the security community?!

Take care

Anthony




--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+5
-0
RTdev RE: Please show alert for patched, but insecure programs
Member 3rd Nov, 2010 22:15
Score: 7
Posts: 16
User Since: 27th Oct 2009
System Score: N/A
Location: N/A
Last edited on 3rd Nov, 2010 22:22
Hi,
PSI 1.9.0.3 had become a "security patch checker" and I don't need a "security patch checker". I need a "VULNERABILITY CHECKER".
After alerting Secunia to that and understanding they didn't want to go back, I uninstalled 1.9.0.3 and reinstalled PSI 1.5.0.2 to use it for the time Secunia would let it work.
Recently I discovered that Secunia had agreed to reintroduce in PSI 1.9.0.4 the "secure browsing tab" that so many users asked for.

This is a good thing, but it is not sufficient.
What I need is a "VULNERABILITY CHECKER".
The advanced users need two separate and distinct pieces of information for EACH program:
- the first one is the "secure / insecure" status.
- the second one is the "patched / unpatched" status.
Because a program can be "not up to date" but "secure".

These two pieces of information should not be reserved only for browsers; they are indispensable for EACH program.

The corresponding columns could be hidden by default and activated by checking an item in the "settings" tab.

Please, Mr SECUNIA, let us view ALL the vulnerable programs (even those without solution), don't hide any known vulnerable program.

Hiding vulnerabilities is FALSE SECURITY and useless.


--

Ignorance is bliss............but only till you realize you were.
Was this reply relevant?
+2
-0
lvd RE: Please show alert for patched, but insecure programs
Member 4th Nov, 2010 00:32
Score: 2
Posts: 5
User Since: 8th Mar 2010
System Score: 96%
Location: DE
Last edited on 4th Nov, 2010 00:34
I second mentin's request.

I use PSI mainly to assess my security risk. For that I need information. PSI2beta is nice but not from this point of view. In fact, it performs worse than 1.5 did in this regard. It hides known vulnerabilities based solely on the fact that they cannot be patched.

This behavior is not only useless but dangerous for me. I see little houses with checkboxes on them and think everything is fine. I get a 100% Secunia Score yet my PC is open like a black market through Adobe Flash and Reader. And on a personal note: I feel like I am being treated like an idiot - I understand that PSI needs and wants to appeal to non-tech-savvy users. But please Secunia, don't dumb down a complex issue too much.

I want "Unpatched, no vendor solution" back! I really liked this bar out of five boxes, one click and I got the SA. That was great. If IE is insecure like hell, tell me! Don't hide that! PSI2beta shows IE8 with a green checkbox on a house. What is up with that? I know it means patched and nothing more, but the sense of "OK, everything is fine" is just wrong. IE8 is totally insecure and PSI does not show that. The secure browsing section does not solve this issue, it merely highlights it further. Besides, it's hidden by default.

PSI is not an AV software, and it does not need to be; those all too often have these flashing "100% secure" eye-catchers somewhere. I originally found PSI because I exactly didn't want this kind of security program.

Also, I don't understand how this affects VIF. VIF seems to be able to do exactly what mentin mentioned.

Hiding known risks does not provide security.
Was this reply relevant?
+2
-0
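RTdev's post above separates a program's "patched / unpatched" status from its "secure / insecure" status, and lvd's post describes what goes wrong when a scanner shows only the first: a program with a known vulnerability but no vendor fix shows up green. The following Python is an added example written for this thread, not Secunia code and not part of any poster's message. It models an installed-program inventory against a list of advisories and computes both statuses for each program. Every program name, version number and advisory in it is constructed sample data, and the version-range fields and criticality scale are assumptions of the example, not Secunia's data model.

```python
"""Patch status vs. vulnerability status for an installed-program inventory.

Added example (not Secunia code). All inventory entries, versions and
advisories below are constructed sample data, not real advisories.
"""
from dataclasses import dataclass
from typing import List, Optional


def parse_version(text: str) -> tuple:
    """'10.1.85.3' -> (10, 1, 85, 3) so versions compare as tuples."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Advisory:
    program: str
    affected_up_to: str            # every version <= this is affected (assumed field)
    fixed_version: Optional[str]   # None = vendor has no solution yet
    criticality: int               # constructed 1..5 scale, 5 = most critical


@dataclass
class Installed:
    program: str
    installed: str
    latest_release: str            # newest build the vendor currently offers


def assess(item: Installed, advisories: List[Advisory]) -> dict:
    """Compute both statuses for one program.

    up_to_date: the installed build is the newest release (patch status).
    secure:     no known advisory covers the installed build (vulnerability status).
    The two are independent: a build can be current yet insecure when no fix
    exists, or behind the latest release yet unaffected by any advisory.
    """
    inst = parse_version(item.installed)
    hits = [a for a in advisories
            if a.program == item.program
            and inst <= parse_version(a.affected_up_to)]
    return {
        "program": item.program,
        "installed": item.installed,
        "up_to_date": inst >= parse_version(item.latest_release),
        "secure": not hits,
        "vendor_fix_available": any(a.fixed_version is not None for a in hits),
        "worst_criticality": max((a.criticality for a in hits), default=0),
    }


def patch_only_view(reports: List[dict]) -> List[dict]:
    """A 'security patch checker': lists only what can be updated right now."""
    return [r for r in reports if not r["up_to_date"]]


def vulnerability_view(reports: List[dict]) -> List[dict]:
    """A 'vulnerability checker': lists everything a known advisory affects."""
    return [r for r in reports if not r["secure"]]


def hidden_by_patch_only_view(reports: List[dict]) -> List[dict]:
    """Insecure programs a patch-only view never mentions (typically: no vendor fix)."""
    shown = patch_only_view(reports)
    return [r for r in vulnerability_view(reports) if r not in shown]


# Constructed sample inventory (not real version or advisory data).
INVENTORY = [
    Installed("Adobe Flash Player", "10.1.85.3", "10.1.85.3"),  # current, but no fix exists
    Installed("Adobe Reader", "9.3.4", "9.4.0"),                 # behind, fix available
    Installed("Foxit Reader", "4.1.1", "4.2.0"),                 # behind, but not affected
    Installed("Mozilla Firefox", "3.6.12", "3.6.12"),            # current and secure
]

ADVISORIES = [
    Advisory("Adobe Flash Player", "10.1.85.3", None, 5),
    Advisory("Adobe Reader", "9.3.4", "9.4.0", 5),
    Advisory("Foxit Reader", "3.3.1", "4.0.0", 3),
]

REPORTS = [assess(item, ADVISORIES) for item in INVENTORY]


if __name__ == "__main__":
    print(f"{'program':20} {'installed':10} {'up_to_date':10} {'secure':6} crit")
    for r in REPORTS:
        print(f"{r['program']:20} {r['installed']:10} {str(r['up_to_date']):10} "
              f"{str(r['secure']):6} {r['worst_criticality']}")
    print("hidden by a patch-only view:",
          [r["program"] for r in hidden_by_patch_only_view(REPORTS)])
```

Run as a script it prints one row per program with both columns, then the list of programs a patch-only view would leave out. In the sample data that list is Flash Player: it is fully up to date, so a "what can I patch" view shows it green, while the vulnerability view flags it as critical with no vendor fix. Foxit Reader shows the opposite combination, behind the latest release but untouched by any advisory, which is exactly the "not up to date but secure" case RTdev describes.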
smurphdude RE: Please show alert for patched, but insecure programs
Contributor 4th Nov, 2010 07:01
Score: 107
Posts: 40
User Since: 13th Aug 2010
System Score: 100%
Location: UK
A quick post to agree with all of the above posters. I also feel it's misleading that the betas do not report a threat level for vulnerable applications with no vendor solution and would hope that this feature would be included again as an option. Lack of this feature devalues the usefulness of PSI significantly imho.
Was this reply relevant?
+2
-0