Tag Archives: update

Update WebMail Notifier To Version 2.9.11 Fixes Broken Gmail Script

My Firefox add-on, WebMail Notifier, stands head and shoulders above the rest in terms of my productivity or, lack of the same if it stops working – as it did overnight. The problem was restricted to Gmail – Hotmail and Yahoo Mail were unaffected – still, what a pain!

From the: Why reinvent the wheel files – Geeks, just like everyone else, turn to Google, or….. – in the event that others have experienced the same problem and, a solution has been posted.

Long story short –

Google has initiated a number of changes in Gmail’s log-in address (which they seem to do regularly), that broke the log-in script in WebMail Notifier. Apparently, this Google rollout is taking place over several days – so, it’s possible that if a user has more than one Gmail account, one or more may be impacted, but not others.

I found a number of manual solutions to this problem – all of which worked. However, if you are currently dealing with this issue – you can avoid all the hassle by simply downloading version 2.9.11 of WebMail Notifier, which corrects the problem.

Download at: WebMail Notifier

Kudos to the add-on developer for jumping on this quickly – again.

Not Running Secunia PSI? Why Not?

Despite the fact that burglaries are at an all-time high in my neighborhood, and despite the fact that the Police regularly caution residents to lock both windows and doors when not at home, one of my close neighbors always leaves at least one window open while she’s out. I have to say – it just boggles my mind.

Throughout the summer she is out of town every weekend and, you guessed it – she still leaves at least one window wide open. Her behavior, not to put too fine a point on it – is idiotic. If you’ve ever wondered why your home owners insurance policy is more expensive than it needs to be, it’s partially due to lamebrains like my neighbor.

Computer systems running insecure and unpatched applications are analogous to the open window in my neighbor’s house, and are a common gateway used by cyber-criminals to infect unaware users’ machines. Worse, unlike the aftereffects of a home burglary, which are rather self evident, a compromised computer can often remain undetected.

As important as it is, that you secure your computer by implementing a layered security approach, it’s equally as important that you close any “open windows” in your operating system, by keeping your installed applications current and up-to-date. And, Secunia, the leading provider of Vulnerability Intelligence, can help you do just that with its free application – Secunia Personal Software Inspector (PSI).

Since PSI constantly monitors your system for insecure software installations, notifies you when an insecure application is installed, and even provides you with detailed instructions for updating the application, when available – installing this small free application will assist you in ensuring that your software installations are relatively secure. I say “relatively”, since there is no perfect system.

The following screen captures illustrate just how easy it is to take that extra step toward a more secure computing experience, using PSI.

During the install process, you will have an opportunity to select “Auto Updates”. I suggest that you take advantage of this feature.

Again, during the install process, you will have an opportunity to select “full changes in the tray icon”. If you have selected “Auto Updates”, as per the previous window, you should select this option.

The settings menu provides a full range of adjustments so that you can configure the application to more accurately meet your specific needs.

The following screen capture illustrates a security scan in progress. The full scan took under two minutes to complete.

According to the scan results, my test machine is 12% more secure compared to non-users of PSI in my local area. This is no cause for celebration though, since the test machine is running two insecure applications. One of which, VLC Media Player, has been a recent target of cyber criminals. Ouch!

The following screen capture shows the full test results and you can readily see, that both Adobe Flash Player and the previously mentioned VLC, are both insecure. Adobe Flash Player, dramatically so. Double ouch!

Additional data on an insecure program can be gathered by double clicking on the program, as shown in the following screen shot.

Quick facts:

Secunia PSI is free for private use.

Allows you to secure your PC – Patch your applications – Be proactive

Scans for Insecure and End-of-Life applications

Verifies that all Microsoft patches are applied

Tracks your patch-performance week by week

Direct and easy access to security patches.

Detects more than 300,000 unique application versions

Provides a detailed report of missing security related updates

Provides a tabbed report which indicates programs that are no longer supported – programs with all known patches – insecure programs, etc.

Provides a Toolbox offering a set of links which helps you assess a problem and how to resolve it.

Installing this small free application will definitely assist you in identifying possible security leaks; give it a try.

System requirements: Windows 7, Vista SP 1 or later, XP SP 3 (32 & 64 bit).

Watch: How to install and use the Secunia PSI 2.0

Download at: Secunia

Bonus: Do it in the Cloud – The Secunia Online Software Inspector, (OSI), is a fast way to scan your PC for the most common programs and vulnerabilities; checking if your PC has a minimum security baseline against known patched vulnerabilities.

Link: Secunia Online Software Inspector. In the last 24 hours, fully 19% of applications checked by this online tool, were insecure.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Device Doctor Updates Your Drivers For Free

The following post is an updated version of a previous article published September 3, 2010.

Still running your computer with outdated system and peripheral drivers? If you are, then you’re not going to get the maximum performance out of your system, or peripherals, that’s just waiting to be unleashed.

Unfortunately, computer products/peripherals are often distributed with under tested device and system drivers which can cause real mayhem – including intermittent system crashes (one of the hardest problems to diagnose), poor system performance, or buggy peripheral performance.

Manufacturers of course, are not slackers when it comes to improving previously released drivers in order to fix bugs, errors and conflicts with other programs, (more common than you may think), or to increase peripheral functionality. For example, nVidia has just released the second driver update this year, for my video card.

If you want to take a trip on the “Frustration Express” then you can try to update your drivers manually. But, believe me; you’ll be in for a long and frustrating ride.

You’ll start by Googling the driver name, then investigating available drivers, many of which will have a disclaimer stating that it was not written specifically for your system/device; you’ll try it – then delete it, and then you’re back to Googling again. Repeat the previous frustrating experience as many times as necessary, and you might get lucky.

Fortunately, there are utilities which can make this process more or less, automatic. Unfortunately, there’s more BS associated with free driver download software than virtually any other class of software, except perhaps – antimalware software.

In the last few years I’ve reviewed and rated four such applications (free, at the time of review), all of which morphed into “pay” applications, or instituted highly restrictive policies such as allowing only two driver downloads. Or worse, advising the user of available driver updates, but requiring “cash up front” to enable the download.

Since I needed to do some driver work on a personal system this week, I asked around, and got more than a few recommendations to try Device Doctor. This application proved to be a hit with me – not only because it’s free, but I liked its minimalist approach, and fast download speeds.

The developers are on the record as stating that they will continue to offer Device Doctor as a freeware application. Hopefully, we can count on this.

Running the application is a snap. The following screen capture illustrates the bare bones GUI – just click on “Begin Scan”.

The complete scan took less than 5 seconds. Now that’s impressive!

Now that you have the new device driver downloaded, you can install at your convenience.

Let me re-emphasize: Be sure to create a system restore point before installing a new driver.

Fast facts:

Provides drivers for every major computer hardware and device manufacturer.

More than 3 terabytes (3,000 GB) of drivers currently in the database.

Constantly updated to include new driver versions as soon as released.

Every driver is human reviewed using specialized compatibility tools.

Designed for Windows XP, Windows Vista and Windows 7.

Thousands of drivers coming in weekly for Windows 7.

Full support for 64-bit systems, as well as 32-bit systems

Provides device names for unknown devices before updating drivers.

Can be used offline – scan results are saved so you can move them to a connected computer and download there.

Updates WHQL (Microsoft certified) and non-WHQL drivers.

Completely free with no adware or malware!

System requirements: Windows XP, Vista and Windows 7 (32 bit and 64-bit compatible).

Download at: the developer’s site (Device Doctor).

Portable version: A portable version is also available here.

Secunia PSI Updated – Version 2.0 Released

Secunia has just released (December 20, 2010), Version 2.0 of their award winning vulnerability and patch scanning free application – Secunia PSI.

As important as it is, that you secure your computer by implementing a layered security approach, it’s equally as important that you keep your installed applications current and up-to-date. Insecure and unpatched applications are a common gateway used by cyber-criminals to infect unaware users’ machines.

Since PSI constantly monitors your system for insecure software installations, notifies you when an insecure application is installed, and even provides you with detailed instructions for updating the application, when available – installing this small free application will assist you in ensuring that your software installations are relatively secure. I say “relatively”, since there is no perfect system.

The following screen captures illustrate just how easy it is to take that extra step toward a more secure computing experience, using PSI.

Following the initial scan of two Hard Drives – which took only two and a half minutes, PSI found two end-of-life applications, and one insecure application. The insecure application (VLC Media Player 1.1.14), is currently under attack by cyber-criminals. So, that was a good catch.

Updating VLC Media Player 1.1.14, was a snap – I simply clicked on “Install Solution”. Boom – done!

Quick facts:

Secunia PSI is free for private use.

Allows you to secure your PC – Patch your applications – Be proactive

Scans for Insecure and End-of-Life applications

Verifies that all Microsoft patches are applied

Tracks your patch-performance week by week

Direct and easy access to security patches.

Detects more than 300,000 unique application versions

Provides a detailed report of missing security related updates

Provides a tabbed report which indicates programs that are no longer supported – programs with all known patches – insecure programs, etc.

Provides a Toolbox offering a set of links which helps you assess a problem and how you can resolve it.

Improvements in Version 2.0.

  • Automatic Updates: Functionality for Auto Updates is now implemented as a core feature in the Secunia PSI.
  • New User Interface: A new User Interface has been implemented. The design has been updated to make it simpler and easy to use the Secunia PSI, as well as improving the overall look and feel.
  • Integration with Secunia CSI: The new Secunia PSI features integration with the commercial Secunia CSI. Secunia CSI customers can learn more about this feature with the release of the Secunia CSI 4.1.
  • Improved Presentation of Scan Result: The presentation of scan results has been significantly improved, using techniques that have been tested during the Technology Preview. The Scan Results are grouped according to their installation and patch state, which in turn makes it simpler to identify the programs that actually require the latest security patches.

ZD Net, one of my favorite web sites, has stated “Secunia Personal Software Inspector, is quite possibly the most useful and important free application you can have running on your Windows machine”. In my view, this is not an overstatement.

Installing this small free application will definitely assist you in identifying possible security leaks; give it a try.

System requirements: Windows 7, Vista SP 1 or later, XP SP 3 (32 & 64 bit).

Watch: How to install and use the Secunia PSI 2.0

Download at: Secunia

Bonus: Do it in the Cloud – The Secunia Online Software Inspector, (OSI), is a fast way to scan your PC for the most common programs and vulnerabilities; checking if your PC has a minimum security baseline against known patched vulnerabilities.

Link: Secunia Online Software Inspector. In the last 24 hours, fully 19% of applications checked by this online tool, were insecure.

Update Firefox – Firefox 3.6.13 Released – Fixes 11 Critical Issues

Firefox 3.6.13 was released by Mozilla on Thursday (December 9), which addresses 13 documented issues, 11 rated as critical – including a vulnerability which can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

Since Browser vulnerabilities operate as a prime gateway for malware, immediate updating is strongly recommended.

If you haven’t updated your version of Firefox yet, then go to Help – Check for updates. Not all users allow automatic updates and installation – I’m one, as the following (older), graphic illustrates. However, I do allow the update to download.

Fixed in Firefox 3.6.13

MFSA 2010-84 XSS hazard in multiple character encodings

MFSA 2010-83 Location bar SSL spoofing using network error page

MFSA 2010-82 Incomplete fix for CVE-2010-0179

MFSA 2010-81 Integer overflow vulnerability in NewIdArray

MFSA 2010-80 Use-after-free error with nsDOMAttribute MutationObserver

MFSA 2010-79 Java security bypass from LiveConnect loaded via data: URL meta refresh

MFSA 2010-78 Add support for OTS font sanitizer

MFSA 2010-77 Crash and remote code execution using HTML tags inside a XUL tree

MFSA 2010-76 Chrome privilege escalation with window.open and <isindex> element

MFSA 2010-75 Buffer overflow while line breaking after document.write with long string

MFSA 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)

For an overview of Browser security add-ons you should consider installing, read – An IT Professional’s Must Have Firefox and Chrome Add-ons, here on this site.

Firefox Update (3.6.12) Fixes Zero Day Vulnerability

Yesterday, we reported on a critical zero day vulnerability in both Firefox 3.5, and Firefox 3.6, which could have allowed remote code execution in the Browser.

Mozilla jumped on this issue immediately, and has provided a fix by releasing Firefox version 3.6.12. Firefox 3.5 users, can ensure protection is in place against this vulnerability by updating to version 3.5.15.

If you haven’t updated your version of Firefox yet, then go to Help – Check for updates. Not all users allow automatic updates and installation – I’m one, as the following graphic illustrates. However, I do allow the update to download.

For an overview of Browser security add-ons you should consider installing, read – An IT Professional’s Must Have Firefox and Chrome Add-ons, here on this site.

How Secure Are Your Software Applications – Not Very, It Seems

Most of us, I expect, are familiar with the expression – If you fail to plan, then you plan to fail. If you accept the findings of Veracode’s second edition of their State of Software Security Volume 2, which reports unfavorably on the security reliability of more than half of the 2,922 web applications tested, you might wonder if application developers are familiar with this expression.

This report, coupled with the Qualys Vulnerability Report, which I receive weekly, leaves little doubt in my mind that software developers, by and large, need to focus more intently to ensure their applications are appropriately hardened against security vulnerabilities.

The following partial listing taken from the Qualys Vulnerability Report, from several weeks ago, highlights this lack of focus on this point. Frankly, I never fail to be astonished by the huge number of application vulnerabilities listed in this report. I’ve always felt, that the software industry should thank their “lucky stars”, that this report is not particularly well known outside the IT security community. It’s as if, application vulnerabilities are a dirty little secret.

Critical Vulnerabilities – Widely Deployed Software

(1) HIGH: Adobe Reader / Acrobat Font Parsing Buffer Overflow Vulnerability
(2) HIGH: Mozilla Firefox Multiple Vulnerabilities
(3) HIGH: Apple Safari Multiple Security Vulnerabilities
(4) HIGH: Google Chrome Multiple Security Vulnerabilities
(5) HIGH: Apple iOS Multiple Vulnerabilities
******************************************************************
Comprehensive List of Newly Discovered Vulnerabilities from Qualys
— Third Party Windows Apps
10.37.1  – HP Operation Agent Privilege Escalation and Remote Code Execution Issues
10.37.2  – Tuniac “.pls” File Buffer Overflow issue
10.37.3  – Microsoft Internet Explorer CSS Handling Cross-Domain Information Disclosure
— Mac Os
10.37.4  – Apple Mac OS X Mail Parental Control White List Security Bypass Issue
— Linux
10.37.5  – Linux Kernel “keyctl_session_to_parent()” Null Pointer Dereference Denial of Service
10.37.6  – Linux Kernel “IrDA” Protocol NULL Pointer Dereference Denial of Service Issue
10.37.7  – oping Local Information Disclosure
10.37.8  – Linux Kernel “irda_bind()” Null Pointer Dereference
10.37.9  – Linux Kernel “SIOCGIWSSID” IOCTL Local Information Disclosure Issue
10.37.10 – Linux Kernel “XFS_IOC_FSGETXATTR” Information Disclosure Issue
— Novell
10.37.11 – Novell Netware SSH Remote Buffer Overflow Issue
— Cross Platform
10.37.12 – Blackboard Transact Multiple Insecure Password Handling Information Disclosure Issues
10.37.13 – Zope Unspecified Denial of Service Issue
10.37.14 – httpdx “h_readrequest()” Remote Format String
10.37.15 – Techlogica HTTP Server Remote File Disclosure
10.37.16 – Arno’s IPTABLES Firewall IPv6 Detection Remote Security Bypass
10.37.17 – Hitachi JP1/Desktop Navigation Unexpected Data Denial Of Service Issue
10.37.18 – Google Chrome Multiple Security Vulnerabilities
10.37.19 – LDAPUserFolder Emergency User Arbitrary Password Authentication Bypass Issue
10.37.20 – ffdshow “.avi” File NULL Pointer Dereference Denial Of Service Issue
10.37.21 – Squid Proxy String Processing NULL Pointer Dereference Denial of Service
10.37.22 – VLC Media Player “smb://” URI Handler “.xspf” File Buffer Overflow Issue

Veracode’s State of Software Security Volume 2, reveals what may well be the true state of the software we have come to rely on.

The following are some of the most significant findings:

More than half of all software failed to meet an acceptable level of security and 8 out of 10 web applications failed to comply with the OWASP Top 10.

Cross-site Scripting remains the most prevalent of all vulnerabilities.

Third-party applications were found to have the lowest security quality.

The security quality of applications from Banks, Insurance, and Financial Services industries was not commensurate with their business.

Equally as important – 57% of all applications were found to have unacceptable application security quality. Even more troublesome, more than 80% of internally developed and commercial web applications failed to comply with the OWASP Top 10 which is shown below.

OWASP Top 10

  1. Injection – Examples of injection flaws are SQL, LDAP, HTTP header injection (cookies, requests), and OS command injections.
  2. Cross Site Scripting (XSS) – Malicious scripts are executed in the victim’s browser allowing the attacker to hijack the user’s session, steal cookies, deface web sites, redirect users to malicious web sites, and remote browser control.
  3. Broken Authentication and Session Management – Flaws used against one account may be replicated against an account with higher privileges.
  4. Insecure Direct Object References – Attack occurs when an authorized user can change a parameter value that refers to a system object that they are not authorized for.
  5. Cross Site Request Forgery (CSRF) – CSRF attacks can complete any transactions that the victim is permitted to perform such as access data, transfer funds or make purchases.
  6. Security Misconfiguration – Attacker exploits unsecured pages, default accounts, unpatched flaws or any other vulnerability that could have been addressed by proper configuration.
  7. Failure to Restrict URL Access – Links can be obtained from: hidden fields, client-side code, robots.txt, configuration files, static XML files, directory access.
  8. Unvalidated Redirects and Forwards – Unvalidated parameter allows an attacker to choose a destination page where they wish to send a victim to trick them into disclosing private information.
  9. Insecure Cryptographic Storage – The most common reason for this attack is that data that should be encrypted is stored in clear text.
  10. Insufficient Transport Layer Protection – Most commonly, this attack occurs when a site does not use SSL/TLS for pages that require authentication where an attacker can monitor network traffic to steal an authenticated user’s session cookie.

The full report in PDF format is available here.

So how do you ensure that your software installations are relatively secure? Unfortunately, there’s no perfect answer – but you can reduce your overall exposure by installing the free Secunia Personal Software Inspector, (PSI).

PSI constantly monitors your system for insecure software installations, notifies you when an insecure application is installed, and even provides you with detailed instructions for updating the application when available.

Installing this small free application will definitely assist you in identifying possible security leaks.

Quick facts:

The Secunia PSI is free for private use.

Downloaded over 800,000 times

Allows you to secure your PC – Patch your applications – Be proactive

Scans for Insecure and End-of-Life applications

Verifies that all Microsoft patches are applied

Tracks your patch-performance week by week

Direct and easy access to security patches.

Detects more than 300,000 unique application versions

Provides a detailed report of missing security related updates

Provides a tabbed report which indicates programs that are no longer supported – programs with all known patches – insecure programs, etc.

Provides a Toolbox offering a set of links which helps you assess a problem and how you can resolve it.

System Requirements: Windows 2000, XP 32/64bit, Vista 32/64bit, and Win 7

Download at: Download.com

Bonus: Do it in the Cloud – The Secunia Online Software Inspector, (OSI), is a fast way to scan your PC for the most common programs and vulnerabilities; checking if your PC has a minimum security baseline against known patched vulnerabilities.

Link: Secunia Online Software Inspector

Update Your Drivers With Free Device Doctor

Still running your computer with outdated system and peripheral drivers? If you are, then you’re not going to get the maximum performance out of your system, or peripherals, that’s just waiting to be unleashed.

Unfortunately, computer products/peripherals are often distributed with under tested device and system drivers which can cause real mayhem – including intermittent system crashes (one of the hardest problems to diagnose), poor system performance, or buggy peripheral performance.

Manufacturers of course, are not slackers when it comes to improving previously released drivers in order to fix bugs, errors and conflicts with other programs, (more common than you may think), or to increase peripheral functionality. For example, my HP home printer has had three improved drivers released in the past two years that have increased stability, and functionality somewhat.

If you want to take a trip on the “Frustration Express” then you can try to update your drivers manually. But, believe me; you’ll be in for a long and frustrating ride.

You’ll start by Googling the driver name, then investigating available drivers, many of which will have a disclaimer stating that it was not written specifically for your system/device; you’ll try it – then delete it, and then you’re back to Googling again. Repeat the previous frustrating experience as many times as necessary, and you might get lucky.

Fortunately, there are utilities which can make this process more or less, automatic. Unfortunately, there’s more BS associated with free driver download software than virtually any other class of software, except perhaps – antimalware software.

In the last few years I’ve reviewed and rated four such applications (free, at the time of review), all of which morphed into “pay” applications, or instituted highly restrictive policies such as allowing only two driver downloads. Or worse, advising the user of available driver updates, but requiring “cash up front” to enable the download.

Since I needed to do some driver work on a personal system this week, I asked around, and got more than a few recommendations to try Device Doctor. This application proved to be a hit with me – not only because it’s free, but I liked its minimalist approach, and fast download speeds.

The developers are on the record as stating that they will continue to offer Device Doctor as a freeware application. Hopefully, we can count on this.

If you decide to give Device Doctor a workout, then during the install watch out for the following two screens.

Running the application is a snap. The following screen capture illustrates the bare bones GUI – just click on “Begin Scan”.

The complete scan took less than 5 seconds. Now that’s impressive!

Clicking on a driver download will open an information screen, as the graphic below illustrates. Kudos to the developers for including this information which should prove to be valuable for new users.

This 68 MB download @ 1.6 MB/sec was completed in seconds. Nice to see a developer who offers high speed downloads. One criticism though – functionality would be increased significantly with the addition of a “down them all” button.

Now that you have the new device driver downloaded, you can install at your convenience.

Let me re-emphasize: Be sure to create a system restore point before installing a new driver.

Fast facts:

Provides drivers for every major computer hardware and device manufacturer.

More than 3 terabytes (3,000 GB) of drivers currently in the database.

Constantly updated to include new driver versions as soon as released.

Every driver is human reviewed using specialized compatibility tools.

Designed for Windows XP, Windows Vista and Windows 7.

Thousands of drivers coming in weekly for Windows 7.

Full support for 64-bit systems, as well as 32-bit systems

Provides device names for unknown devices before updating drivers.

Can be used offline – scan results are saved so you can move them to a connected computer and download there.

Updates WHQL (Microsoft certified) and non-WHQL drivers.

Completely free with no adware or malware!

System requirements: Windows XP, Vista and Windows 7 (32 bit and 64-bit compatible).

Download at: the developer’s site (Device Doctor).

Portable version: A portable version is also available here.

If You Get A Malware Infection Whose Fault Is It Really?

The security industry, especially security analysts, and for that matter, computer users at large, love to dump on Microsoft when they get a malware infection. If only Microsoft got their act together, the theory goes, and hardened Windows more appropriately, we wouldn’t have to deal with this nonsense.

But, what if it isn’t entirely Microsoft’s fault? What if it’s really a shared responsibility split between Microsoft, third party software developers, and the user?

From time to time, I’m accused of being “too frank”; usually on those occasions when diplomacy needs to be put aside, so that realities can be dealt with. For example, I’ve left myself open to criticism, in some quarters, by stating on more than one occasion –

It has been my experience, that when a malware infection occurs, it’s generally safe to say, the user is, more often than not, responsible for their own misfortune.

Computer users, by and large, are lackadaisical in securing their computers against threats to their Internet safety and security.

Strong statements I’ll admit, but if you consider the following, which I have repeated over and over, you’ll understand why I feel comfortable making this statement.

Not all users make use of Microsoft’s Windows Update so that they are current with operating system critical updates, and security fixes. More to the point, few users have given consideration to the vulnerabilities that exist in third party productivity applications and utilities.

Unless you monitor your system for insecure and unpatched software installations, you have left a huge gap in your defenses – it’s just plain common sense.

The just released Secunia Half Year Report – 2010, which shows “an alarming development in 3rd party program vulnerabilities, representing an increasing threat to both users and business, which, however, continues to be greatly ignored”, supports my view that security is a shared responsibility, and that blaming Microsoft simply ignores the reality.

The report goes on to conclude, “users and businesses still perceive the operating system and Microsoft products to be the primary attack vector, largely ignoring 3rd party programs, and finding the actions to secure these too complex and time-consuming. Ultimately this leads to incomplete patch levels of the 3rd party programs, representing rewarding and effective targets for criminals.”

Key highlights of the Secunia Half Year Report 2010:

Since 2005, no significant up-, or downward trend in the total number of vulnerabilities in the more than 29,000 products covered by Secunia Vulnerability Intelligence was observed.

A group of ten vendors, including Microsoft, Apple, Oracle, IBM, Adobe, and Cisco, account on average for 38 percent of all vulnerabilities disclosed per year.

In the two years from 2007 to 2009, the number of vulnerabilities affecting a typical end-user PC almost doubled from 220 to 420, and based on the data of the first six months of 2010, the number is expected to almost double again in 2010, to 760.

During the first six months of 2010, 380 vulnerabilities, or 89% of the figures for all of 2009, have already been reached.

A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010.

The full report (PDF), is available here.

Each week, I receive the Qualys Vulnerability Report, and I never fail to be astonished by the huge number of application vulnerabilities listed in this report. I’ve always felt, that the software industry should thank their “lucky stars”, that this report is not particularly well known outside the professional IT security community. It’s that scary.

There is a solution to this quandary however – the Secunia Personal Software Inspector (PSI).

PSI constantly monitors your system for insecure software installations, notifies you when an insecure application is installed, and even provides you with detailed instructions for updating the application when available.

ZD Net, one of my favorite web sites, has stated “Secunia Personal Software Inspector, quite possibly the most useful and important free application you can have running on your Windows machine”. In my view, this is not an overstatement.

Installing this small free application will definitely assist you in identifying possible security leaks; give it a try.

Quick facts:

The Secunia PSI is free for private use.

Downloaded over 800,000 times

Allows you to secure your PC – Patch your applications – Be proactive

Scans for Insecure and End-of-Life applications

Verifies that all Microsoft patches are applied

Tracks your patch-performance week by week

Direct and easy access to security patches.

Detects more than 300,000 unique application versions

Provides a detailed report of missing security related updates

Provides a tabbed report which indicates programs that are no longer supported – programs with all known patches – insecure programs, etc.

Provides a Toolbox offering a set of links which helps you assess a problem and how you can resolve it.

System Requirements: Windows 2000, XP 32/64bit, Vista 32/64bit, and Win 7 32/64bit.

Download at: Secunia

Bonus: Do it in the Cloud – The Secunia Online Software Inspector, (OSI), is a fast way to scan your PC for the most common programs and vulnerabilities; checking if your PC has a minimum security baseline against known patched vulnerabilities.

System Requirements: Windows 2000, XP 32/64bit, Vista 32/64bit, and Win 7 32/64bit.

Link: Secunia Online Software Inspector

As an added bonus for users, Secunia provides a forum where PSI users can discuss patching, product updates, exploits, the PSI, and anything else security-related.

23 Comments

Filed under Anti-Malware Tools, Cloud Computing Applications, cybercrime, Don't Get Hacked, downloads, Free Security Programs, Freeware, Internet Safety, Reports, Software, Spyware - Adware Protection, System Security, Utilities, Windows 7, Windows Tips and Tools, Windows Vista, Windows XP

Firefox 3.6.3 Released – Fixes Critical Security Issue

If you don’t have Firefox’s automatic update feature turned on, then you need to manually update your version immediately, to Version 3.6.3.

According to Mozilla “A memory corruption flaw leading to code execution was reported by security researcher Nils of MWR InfoSecurity during the 2010 Pwn2Own contest.” Apparently, this exploit only affects Firefox 3.6 and not earlier versions.

Since browser vulnerabilities operate as a prime gateway for malware, immediate updating is strongly recommended.

Some time back, I took a running shot at Firefox (this was one of my very infrequent “the glass is half empty” days), when I wrote here, “For the umpteenth time, in just a short time frame, Mozilla has released a patched version of Firefox ….. this is a continuing saga with Firefox and it’s not getting better. If anything, it’s getting worse.”

I felt justified in chastising Mozilla for what I perceived to be, a series of continuing flaws in Firefox, leading to very frequent updates. Until, that is, I received an email from Mozilla’s Christopher Blizzard, in which he pointed out the following –

“Our goal is to try and update as quickly as possible to get fixes into users’ hands. Sometimes this means that we update frequently. As an example 3.5.1 was turned around in 48 hours from the release of a proof of concept exploit. And we had no warning before it was public.

So we worry about the time-to-fix as opposed to the number or frequency of releases. Firefox’s userbase happens to update pretty quickly when we release an update and this often means that our users are also the safest.

The faster you can get fixes into people’s hands, the less likely they are to run into something that’s exploitable.

We also schedule releases every few weeks to fix known problems and fix non-severe and non-critical security fixes. But sometimes we get something that causes us to release early.”

Christopher’s sensible explanation removed a certain anxiety, and a sense of worry, that I would have to give up my beloved FF, and my stable of crucial add-ons.

To paraphrase Winston Churchill – “This was not my finest hour”. In fact, my tech friends are still laughing at me over that one.

If you have ever questioned Firefox’s frequent update history, then consider Christopher’s closing statement –

“I would point out that all browsers have security problems. And it’s how you respond to them that counts. So that’s why you’re seeing frequent updates from us.”

15 Comments

Filed under Browsers, cybercrime, Don't Get Scammed, Don't Get Hacked, downloads, Firefox, Freeware, Online Safety, Software, Windows 7, Windows Vista, Windows XP