Old apps, new vulnerabilities

One of the best security defenses you can have is a fully patched computer. Not just the OS, but all applications -- large and small -- should be completely up to date. But making sure you have the latest patches isn't enough. You have to check and see if the older, vulnerable versions of the software you patched aren't still installed and available. Unfortunately, many well-known applications, when patched, do not remove the older versions. Malicious Web sites can often choose which version your client runs, so while you think you're safe with the latest patches, the older versions of your software can be called, instead, to execute a known vulnerability you had long ago stopped worrying about.

Many patch management tools only check to see that the latest installed software versions are patched. Make sure your patch-scanning tool combs the hard drive looking for old application versions. One of my favorite tools for detecting missing patches is Secunia's Software Inspector. It will inspect your hard drive and validate the patch status of more than a thousand popular applications. The Software Inspector comes in a free online Java-based version; a new installable, free, consumer-based executable version; and an enterprise-ready commercial version. The free consumer executable and commercial versions will not only scan and report, but proactively monitor newly installed software. It's pretty nifty. (Author's note: "Nifty" is a technical term.)

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

If you run Secunia Software Inspector, do it in Thorough mode. It takes a minute or two to run versus 15 seconds for non-Thorough mode, but you'll find more missing patches. I've yet to run Software Inspector on a computer for the first time and not find missing patches. What is even more surprising is how often Software Inspector finds older, vulnerable versions of software installed. Some of the older versions are installed in separate folders, and others are installed alongside newer versions.

The most common applications that I find with previous vulnerable versions are Sun Java, Adobe Flash, Adobe Shockwave, Adobe Acrobat Reader, RealPlayer, and Microsoft .Net Framework. On the Linux/Unix/BSD side, you can add Firefox and Thunderbird, as many users end up installing newer versions to folders named after the new version numbers.

When you update Java, Flash, and .Net Framework using the official mechanism, the package installs the new version, but leaves the previous version behind. Windows/Microsoft Updates detects the older versions of .Net Framework and tries to keep them patched. But Java, Flash, and a score of other vendors add the newer version, leave the older version behind, and never patch it.

Many vendors, particularly Sun and Adobe, are afraid to remove older versions because newer versions can break functionality in older applications. And they have a right to be cautious: I've seen thousands of workstations suddenly surface with a "broken" mission-critical application because of an overnight update.