Check (All) Your Windows Patches: Secunia
Microsoft issues patches for its own Windows apps, yet other vendors' programs remain a security challenge. Secunia offers a free online software inspector for patch notification.
I've been focused on defensive computing for a long time. If I had to rank the most important aspect, the number one thing is to be skeptical. No software can protect the gullible. This article is about the next most important aspect of defensive computing: the ongoing process of applying bug fixes to software.
Why do I rate software updates ahead of antivirus and antispyware software? Because no anti-malware product is perfect. A computer running a fully patched version of Adobe Reader, for example, cannot get infected by a malicious PDF file. A computer running antivirus software and a buggy copy of the Adobe Reader can get infected.
Keeping Windows itself up to date has gotten easy enough that even non-techies have little problem with it. If you run Office, it too can be updated automatically. However, the rest of the software on a Windows computer is a totally different issue.
Microsoft does not update software from Sun, Adobe, Mozilla, Piriform, Foxit, Tall Emu, VideoLAN, Irfan Skiljan or anyone else. Instead, every software vendor is forced to re-invent the wheel and Windows users are left with a huge hodge-podge of software update mechanisms. It's a mess.
It has been estimated that Windows users have a dozen programs on their machines that are missing security patches. That seems high to me, but even a single buggy application opening a maliciously crafted file can infect a PC.
Looking at it the other way, estimates are that only two percent of PCs are fully patched. My personal experience has been that it is all but impossible to keep up with security patches for all, or even most, of the software installed on a PC. Installing some patches is the best many users can hope for.
Into this breach steps Danish software company Secunia with assorted products that report on missing security patches (bug fixes to me). This article is about a free Secunia product, their Online Software Inspector (OSI). They also offer free downloadable software (Personal Software Inspector) and a commercial product (Corporate Software Inspector). All the software is for Windows.
The Online Software Inspector is the bottom-of-the-line product from Secunia, but it's a great thing nonetheless. I highly recommend it to all Windows users.
For one thing, the report is simple to read: green check marks are good, red Xs are bad (see below for a sample). It's also devoid of techie lingo. And, you don't need to install software (except perhaps Java, more below).
The online report isn't nearly as comprehensive as the installable Windows application (Personal Software Inspector). Still, it reports on many popular applications as well as missing Windows patches.
In all, OSI currently evaluates 24 applications for missing patches. Two notable omissions are the Foxit PDF reader and the VLC media player.
Anyone seriously concerned about security would be well served by the Personal Software Inspector, but it's a step up in complexity. Also, it's hard enough to get a clean bill of health from the Online Inspector.
As the name implies, OSI is an online utility. There are a number of web browser add-on technologies that let programs run inside a web page without being fully or normally installed on a Windows computer. The Secunia Online Software Inspector uses Java, which has to be installed before OSI can run.
One way to tell if Java is installed is to look in the Windows Control Panel at the list of installed software. Another method is my JavaTester.org website which runs a small Java program that reports on the installed version of Java (shown above).
OSI requires Java version 1.6.x or later. The leading one in the version number, however, is sometimes dropped. That is, in some contexts, version 1.6.16 (for example) is referred to simply as Version 6 Update 16. In other contexts, such as my JavaTester website, it is referred to as version 1.6.0_16. These mean the same thing. Blame Sun. Many have.
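The three spellings above, normalized to one comparable value and checked against the 1.6 minimum. This is an added example, not part of the original article or any Secunia or Sun code; the function names and sample strings are constructed for illustration.

```python
import re

# One pattern per naming scheme mentioned in the article.
_DEVELOPER = re.compile(r"^1\.(\d+)\.0(?:_(\d+))?$")        # 1.6.0_16
_SHORTHAND = re.compile(r"^1\.(\d+)\.(\d+)$")                # 1.6.16 (the article's shorthand)
_PRODUCT = re.compile(r"^(?:version\s+)?(\d+)(?:\s+update\s+(\d+))?$",
                      re.IGNORECASE)                         # Version 6 Update 16

# OSI requires Java 1.6.x or later, i.e. major version 6, any update.
OSI_MINIMUM = (6, 0)


def parse_java_version(text):
    """Return (major, update) for any of the three spellings.

    Raises ValueError for anything else, so an unknown string is never
    silently treated as "new enough".
    """
    s = text.strip()
    for pattern in (_DEVELOPER, _SHORTHAND, _PRODUCT):
        m = pattern.match(s)
        if m:
            return int(m.group(1)), int(m.group(2) or 0)
    raise ValueError("unrecognised Java version string: %r" % (text,))


def same_version(a, b):
    """True when two differently spelled strings name the same release."""
    return parse_java_version(a) == parse_java_version(b)


def meets_osi_requirement(text):
    """True when the reported version is 1.6.x or later."""
    return parse_java_version(text) >= OSI_MINIMUM


if __name__ == "__main__":
    # Constructed sample strings, one per spelling plus an older release.
    for sample in ("1.6.0_16", "Version 6 Update 16", "1.6.16", "1.5.0_22"):
        print(sample, parse_java_version(sample), meets_osi_requirement(sample))
```

Comparing the raw strings would report the first three samples as different versions; comparing the parsed tuples shows they are the same release, and that 1.5.0_22 falls short despite its higher update number.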
If Java is not installed, it can be downloaded from Sun (my preference is for the manual installation). Your browser may also detect that Java is needed and prompt to install it. In the old days, when Firefox users ran across a web page that needed Java, Firefox would warn about the missing software and offer to auto-install it. However, with the release of Firefox version 3, the auto-installation of the Java plug-in no longer worked. Fortunately, in the latest versions of Firefox, auto-installing Java works again.
OSI is compatible with all the popular web browsers (Internet Explorer, Firefox, Opera and Chrome) and is supported on Windows XP, Vista, 7, 2000 and 2003.