Secunia's Online Software Inspector

Secunia's Online Software Inspector (OSI) is a great free service, one that all Windows users should avail themselves of regularly. OSI is an online scan of a Windows computer (Macs and Linux are not supported) that looks for software with known security flaws. Any computer that gets a clean bill of health from OSI is better defended than one that doesn't.

As I write this, only 7,019 scans have been run in the last 24 hours. More Windows users need to be made aware of the scanner, and I hope this posting does so. That said, OSI isn't perfect.

Defining The Problem

A screenshot illustrating a portion of the OSI report is shown below. The easy-to-understand green check vs. red X indicates that Flash versions 9 and 10 are considered safe, whereas Flash version 7 is not. This illustrates a design choice made by Secunia that I disagree with.

Software with known bugs is given a green check if the vendor has not yet released a patch for the bug(s).

Secunia describes its assorted scanners as focusing "...solely on detection and assessment of missing security patches and end-of-life programs." An unpatched bug is not missing a security patch, so it's green-lighted.

This may be what large organizations need to know, but I think home users should be warned of known buggy software, patch or no patch. For example, if the Adobe Reader has a known bug, we can decide to use the Foxit PDF Reader in the meantime.

Flash version 9 is currently in this state; version 10 fixes a number of bugs. I recently blogged about installing Flash version 10 and warned that version 9 should be replaced. This resulted in an e-mail exchange with Thomas Kristensen, Secunia's CTO.

In his own words:

The OSI and the PSI reports missing security updates for supported software. Flash 9 is still supported and no security related update has been released yet, thus we don't report any missing update for Flash 9. Flash 10 is not a security update for Flash 9, since Flash 9 still is supported.
The interesting perspective here is whether Adobe is using the security issue in Flash 9 to promote Flash 10.
The real problem here is not the OSI and PSI results, the real problem is that Adobe hasn't released an update for Flash 9 (or announced "end of life" for Flash 9).

PSI refers to the Secunia Personal Software Inspector, a free Windows application from Secunia. PSI runs on Windows XP, Vista, 2003, and 2000. The big advantage of PSI is that it scans for 7,000 applications whereas the online scan only evaluates 70. At CNET's Download.com, the editor's review gave PSI five stars (out of five).

Running a scan

The online scan is a Java applet and thus requires that Java be installed. Specifically, it requires Java version 1.6.x. You can test the state of Java on your computer at my javatester.org Web site. If Java is not installed, you can download the latest version at www.java.com/en/download/manual.jsp. I prefer to use the "offline" installation which is just over 15 megabytes.

When the Secunia Java applet loads into your computer, you are asked whether to trust it. This is normal, and you need to trust it to run the scan. The question is issued by the Java runtime environment because Java, by default, does not allow applets to see the local file system. Because it's a Java applet, you can run the scan from any Web browser.

The OSI page has a red "Start Scanner" button at the bottom of the page that doesn't start the scanner. Instead it loads the Java applet and offers a choice as to the type of scan.

A default scan looks for software in the default location for each product. A "thorough system inspection" (enabled by a check box) looks everywhere. Anyone using portable software, needs to run a thorough scan. A default scan is faster and may be a good starting point the first time you use the service. However, I recommend the thorough scan. Inquiring minds want to know.

Scan results

The first thing you'll notice (see below) when the scan completes is the report on missing bug fixes to Windows itself.

Secunia did not reinvent Windows Update; instead, it calls the Windows Update software and reports the results. You see this in the system requirements which include the "Latest version of Microsoft Windows Update."

What it doesn't explicitly mention is that the underlying Windows service (called "Automatic Updates" in XP and 2000, and "Windows Update" in Vista) needs to be running. Every time I run the scan on one of my computers I get the error shown below.

This is because I keep the underlying service disabled, only enabling it once a month to install patches.

I mention this because it brings up another questionable design decision by Secunia. If it can't communicate with the Windows Update software, it nonetheless gives Windows a green check. I think a question mark would better reflect the situation.

E-mailed notifications

When the scan completes, you're prompted to subscribe to Secunia's OSI reminder service, which notifies you by e-mail of significant changes to OSI.

I've been on the list for a while and get maybe one or two notifications a week. The latest one (shown below in a slightly edited format) would have come in very handy Thursday as a warning about the latest critical bug in Windows.

Hi,
Secunia has updated the Secunia Online Software Inspector (OSI) with new rules for detecting insecure software. Run the Secunia OSI to make sure that your system is up-to-date:
What is New:
1) Inspection rules have been updated to detect a special out-of-band security patch from Microsoft.
You have received this email because you have subscribed to the Secunia OSI Reminder Service.

Each e-mail includes a link to remove yourself from the list.

Despite my nit-picking, Secunia is offering a great service to Windows users.

See a summary of all my Defensive Computing postings.