Keeping Windows applications up to date with Secunia PSI

Secunia Personal Software Inspector (PSI) identifies vulnerable outdated applications on Windows computers. Although security updates for many applications are offered at no charge, keeping abreast of them is difficult. PSI automates the task and alerts you when installed applications require updating.

BEFORE YOU BEGIN
PSI is proprietary but is available at no cost, and is intended for a single computer. If you have more than one computer to protect, consider also Secunia Small Business, which adds a central administration dashboard. At the library where I work, I find the combination of PSI and Secunia Small Business to be invaluable to keep tabs on our public kiosks.

Ensure the computer has working versions of Microsoft Update and Internet Explorer (IE). Optionally, Flash for IE adds graphics to the reports.

Add Secunia to IE’s list of trusted sites: launch IE and open Tools – Internet Options – Security. Select Trusted Sites and press “Sites”. Add “https://psi.secunia.com/”. Press “Close” and then “Accept”. TODO: This fails with an error suggesting it wants psi3.secunia.com; entering that works but won’t scale. Try simply secunia.com.

INSTALLATION, CONFIGURATION, AND USE
Download PSI. Unlike with most security-related software, run the installer as a normal user, not as administrator. During installation you will be asked to confirm that PSI should automatically download and install updates to outdated applications; most users should accept this.

PSI will launch after installation and scan your system. Review flagged applications and plug-ins and deal with them as appropriate, letting PSI update those you need and uninstalling those you do not. Don’t just assume that everything installed is needed: use PSI to help you weed out what the user no longer needs.

Occasionally an application will be flagged as “unsupported”. This means that PSI is unable to determine if that application is up to date or not. You can optionally configure PSI to ignore that application in its reports. I normally prefer the default setting of leaving an unsupported application visible, to remind the end user that he will have to take other measures to keep it up to date.

PSI will periodically scan your computer, and attempt to automatically download and install application updates as needed. This does not always work, however, so occasionally check PSI’s status icon in the system tray to see if anything requires manual intervention.

UPDATING SPECIFIC APPLICATIONS
Most applications are updated in a straightforward manner. A few, however, deserve special note.

Flash
Updating Flash using the direct link provided rarely works for me. This appears to be an issue with Adobe’s download servers rather than with PSI. To work around this, I download Flash manually from Adobe’s web site and install it directly.

Windows computers commonly have two versions of Flash installed: one for Internet Explorer and PSI itself (PSI labels this as the ActiveX version) and another for all other browsers (which PSI labels as the NPAPI version). The Adobe website usually proposes the appropriate version for the browser you use to download, but double-check what you are offered to be sure. If you intend to update both versions, be sure to download them both.

If you use the Chrome browser, you might have a third version of Flash installed, called Pepper. I don’t use Chrome so I can’t confirm this.

Before running the installers, close everything that uses Flash: browsers, PSI (don’t just minimize it to the system tray), and any standalone players. Once installed, open your browsers and use Adobe’s Flash test page to ensure that the latest version has been installed and is working correctly. And of course don’t forget to reopen PSI and ensure that all is well.

Flash installers often fail to remove older insecure versions. PSI detects this condition, reporting Flash as both a secure application (the updated version) and as an insecure application (older versions). Pay attention to the version numbers. Should this happen, hover the cursor over the insecure version to see the installation path of the offending file, which can be deleted manually. Be sure to fully delete it (with Shift-Del) rather than simply send it to the recycle bin.

Java
On several computers I have observed that Java cannot update (neither via PSI nor via its own auto-update system) unless the user is logged in under the main administrative account. This is an issue with Java and not with PSI.

Shockwave
Updating Shockwave using the direct link provided rarely works for me. This appears to be an issue with Adobe’s download servers rather than with PSI. To work around this, I download Shockwave manually from Adobe’s web site and install it directly.

Before running the installer, close all browsers. Once installed, open your browsers and use Adobe’s Shockwave test page to ensure that the latest version has been installed and is working correctly.

Shockwave installers often fail to remove older insecure versions. PSI detects this condition, reporting Shockwave as both a secure application (the updated version) and as an insecure application (older versions). Pay attention to the version numbers. Should this happen, hover the cursor over the insecure version to see the installation path of the offending file, which can be deleted manually. Be sure to fully delete it (with Shift-Del) rather than simply send it to the recycle bin.
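The leftover-version condition described above for Flash and Shockwave can also be checked from PowerShell. This is an added example, not part of PSI or of the original notes; the function name Get-StalePluginFile is hypothetical, and the default directories are the usual Flash locations (an assumption). For Shockwave, pass the path PSI shows when you hover over the insecure entry.

```powershell
# Added example: report plug-in binaries whose file version is older than
# the newest file of the same type in the same directory. Read-only; it
# deletes nothing.
function Get-StalePluginFile {
    param(
        # Assumed defaults: the usual Flash directories. Override with the
        # installation path PSI reports for the flagged application.
        [string[]]$Path = @(
            "$env:WINDIR\System32\Macromed\Flash",
            "$env:WINDIR\SysWOW64\Macromed\Flash"
        ),
        [string[]]$Extension = @('.ocx', '.dll', '.exe')
    )

    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

        # Keep only binaries that carry a version resource.
        $files = @(Get-ChildItem -LiteralPath $dir | Where-Object {
                -not $_.PSIsContainer -and
                $Extension -contains $_.Extension.ToLower() -and
                $_.VersionInfo.FileVersion
            } | ForEach-Object {
                $vi = $_.VersionInfo
                # Build a comparable version from the numeric parts; the
                # FileVersion string may use commas instead of dots.
                $parts = @($vi.FileMajorPart, $vi.FileMinorPart,
                           $vi.FileBuildPart, $vi.FilePrivatePart)
                New-Object PSObject -Property @{
                    File    = $_.FullName
                    Type    = $_.Extension.ToLower()
                    Version = New-Object System.Version -ArgumentList $parts
                }
            })

        # Compare each file against the newest of its own type, so the
        # ActiveX (.ocx) and NPAPI (.dll) plug-ins are judged separately.
        foreach ($group in ($files | Group-Object Type)) {
            $newest = ($group.Group | Sort-Object Version -Descending |
                       Select-Object -First 1).Version
            foreach ($item in $group.Group) {
                $status = if ($item.Version -lt $newest) { 'OLDER' } else { 'newest' }
                $item | Add-Member NoteProperty Status $status -PassThru
            }
        }
    }
}

Get-StalePluginFile | Sort-Object File | Format-Table Status, Version, File -AutoSize
```

Files marked OLDER are the candidates for the manual deletion described above; confirm each against the path PSI reports before removing it.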

TIPS AND TRICKS
PSI’s version number can be found by right clicking on its tray icon and selecting “About”.

These notes were last updated 15 December 2012 using Secunia PSI 3.0.0.

About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?