Old apps, new vulnerabilities
One of the best security defenses you can have is a fully patched computer. Not just the OS, but all applications -- large and small -- should be completely up to date. But making sure you have the latest patches isn't enough. You have to check and see if the older, vulnerable versions of the software you patched aren't still installed and available. Unfortunately, many well-known applications, when patched, do not remove the older versions. Malicious Web sites can often choose which version your client runs, so while you think you're safe with the latest patches, the older versions of your software can be called, instead, to execute a known vulnerability you had long ago stopped worrying about.
Many patch management tools only check to see that the latest installed software versions are patched. Make sure your patch-scanning tool combs the hard drive looking for old application versions. One of my favorite tools for detecting missing patches is Secunia's Software Inspector. It will inspect your hard drive and validate the patch status of more than a thousand popular applications. The Software Inspector comes in a free online Java-based version; a new installable, free, consumer-based executable version; and an enterprise-ready commercial version. The free consumer executable and commercial versions will not only scan and report, but proactively monitor newly installed software. It's pretty nifty. (Author's note: "Nifty" is a technical term.)
If you run Secunia Software Inspector, do it in Thorough mode. It takes a minute or two to run versus 15 seconds for non-Thorough mode, but you'll find more missing patches. I've yet to run Software Inspector on a computer for the first time and not find missing patches. What is even more surprising is how often Software Inspector finds older, vulnerable versions of software installed. Some of the older versions are installed in separate folders, and others are installed alongside newer versions.
The most common applications that I find with previous vulnerable versions are Sun Java, Adobe Flash, Adobe Shockwave, Adobe Acrobat Reader, RealPlayer, and Microsoft .Net Framework. On the Linux/Unix/BSD side, you can add Firefox and Thunderbird, as many users end up installing newer versions to folders named after the new version numbers.
When you update Java, Flash, and .Net Framework using the official mechanism, the package installs the new version, but leaves the previous version behind. Windows/Microsoft Updates detects the older versions of .Net Framework and tries to keep them patched. But Java, Flash, and a score of other vendors add the newer version, leave the older version behind, and never patch it.
Many vendors, particularly Sun and Adobe, are afraid to remove older versions because newer versions can break functionality in older applications. And they have a right to be cautious: I've seen thousands of workstations suddenly surface with a "broken" mission-critical application because of an overnight update.
Even if the update breaks applications on, say, only 0.5 percent of its client base, a large vendor with hundreds of millions of customers is looking at potentially a million or more angry end-users. It's not a way to grow market share.
- +
Everything you need to know about Microsoft certs 31 December, 2007 07:16:29
Certification guru Patrick Regan explains the new Microsoft certs and reveals which Cisco, project management and security certs are worthwhile.Moderator-Julie: Welcome and thank you for coming. Our guest today is certification guru Patrick Regan. Patrick has penned over a dozen books, written the study guides for the A+ certification exams for Cisco Press and is currently writing an Exam Cram on Windows Server 2008. When not writing books, Patrick is a senior network engineer at Pacific Coast Companies supporting a large enterprise network and a celebrity blogger for Microsoft Subnet. We are giving away 15 free copies of Patrick's latest book, too. Go to the contest page for details. Now onto the chat.
Click here for case studies, whitepapers and other useful vendor content 
ARN Panel Sessions: Day 3The last of our panel sessions recorded live at CeBIT 2008. Today, the topic is storage. Data is growing at an enormous rate, so what does the future hold?
Intel launches sales of the Core i7 processor Several hundred PC hobbyists came to Tokyo'a Akihabara electronics district late Saturday night as Intel kicked off worldwide sales of its new Core i7 processor.
Electronic voting in U.S. electionDoubts about voting machines are lingering in the minds of many Americans as they head to the polls.
When an IT disaster occurs, how handy it would be to push a button and start again as if nothing had happened.
Discover and learn more about CA XOSoft today.
PGP and Ponemon Institute Unveil Inaugural Australian Data Breach Study 2008 20 November, 2008 17:34:00
Symantec Cloud Services Transform Data Centre Operations Through Proactive Management 20 November, 2008 12:06:00
Verizon Business Offers Tips to Building a Successful Unified Communications and Collaboration Plan 20 November, 2008 12:04:00
NetApp Named 2008 Citrix Ready Solution of the Year by Citrix Systems 20 November, 2008 11:33:00
Extreme Networks Ethernet Transport lowers total cost of ownership for carrier metro networks 20 November, 2008 10:21:00
Bankstown Council streamlines their IT with Microsoft® Windows Server® 2008
Deciding it was time for more streamlined operations, Bankstown Council teamed up with OSS Infotech, a Microsoft Gold Certified Partner. The solution included Microsoft Windows Server, Microsoft SQL Server® and Microsoft Exchange®.
Buying Guides
Latest Products
