Educause Security Discussion mailing list archives
Re: Checking for old web browsers and media plugins
From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Wed, 18 Feb 2009 12:55:34 -0800
Have you tried running Nessus scans with credentials against Windows systems? When Nessus can connect to the target system's registry and is provided administrator credentials, Nessus can see which applications are installed and find outdated 3rd party applications in need of patching (like Java, Adobe Reader/Flash, iTunes, Firefox, AOL Instant Messenger, RealPlayer, QuickTime, etc. and many more).

Despite using BigFix for centralized patch management, we recently discovered an outdated version of the Opera web browser with its own outdated version of Flash via Nessus and a registry connection. While BigFix does support some 3rd party applications, it doesn't claim to or try to track them all (no patching solution currently does this), so it was not surprising that BigFix hadn't patched Opera.

As you've pointed out, two of the biggest challenges are knowing which 3rd party applications may be installed and which of those that are installed need security updates. The Nessus people have done a good job of fulfilling those two requirements. They definitely don't track every application in the world, but when I was using Nessus in bank audits, I was surprised more than a few times by its ability to identify security holes in applications I had never even heard of. Running Nessus with credentials/registry access gives an order of magnitude more information about the system and can detect many more vulnerabilities than a network-only scan can gather.

Your idea of using your web applications to detect outdated plugins/browsers would still work very well for external users and I would see it as complementary to Nessus scans, but I would also encourage you to look into running Nessus with credentials since you already have purchased the software.

-Adam

Bob Bayn wrote:
> We've seen some drive-by compromises here lately. We run weekly Nessus scans every week against all of our active IPs but those scans don't discover things like old web browsers or missing updates on various media plugins. We are wondering if it would be productive to put some detection and reporting of obsolete browser or media plugins into some of our commonly used local web pages (access to our CMS or ERP) so we can encourage some updating before the drive-by events happen. Is anybody doing this or considering it?
>
> Bob Bayn (435)797-2396
> Security Team coordinator
> "IT will NEVER ask for your password via email, honest!"
> Office of Information Technology at Utah State University

--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Mobile: 510-220-2477
Email: ajcarlson () berkeley edu
"Most of the things worth doing in the world had been declared impossible before they were done." ~Louis D. Brandeis
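As an added illustration of the in-page check Bob Bayn proposes (example code, not from anyone in this thread): a browser-side script that compares the visitor's browser and plugin versions against a minimum-version table and returns what is out of date. The minimum versions and the sample User-Agent and plugin strings are constructed placeholders, not a real baseline.

```javascript
// Added example, not from the original thread: the client-side check Bob Bayn
// describes, written as pure functions so the same logic runs in the browser and
// under Node. Minimum versions are constructed placeholders, not a real baseline.
const MINIMUMS = { Firefox: "3.0.6", "Shockwave Flash": "10.0.22" };

// Compare dotted version strings numerically, so "10.0.22" > "10.0.9".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Browser name and version from a User-Agent string (only Firefox handled here;
// anything else returns null and is simply not checked).
function parseBrowser(userAgent) {
  const m = /Firefox\/(\d+(?:\.\d+)*)/.exec(userAgent);
  return m ? { name: "Firefox", version: m[1] } : null;
}

// Turn a navigator.plugins description like "Shockwave Flash 10.0 r12" into a
// dotted version ("10.0.12"); the "rNN" revision becomes the last component.
function parsePluginVersion(description) {
  const m = /(\d+(?:\.\d+)*)(?:\s*r(\d+))?/.exec(description);
  return m ? (m[2] ? `${m[1]}.${m[2]}` : m[1]) : null;
}

// Return every component whose installed version is below the minimum.
function checkClient(userAgent, plugins) {
  const findings = [];
  const b = parseBrowser(userAgent);
  if (b && compareVersions(b.version, MINIMUMS[b.name]) < 0) {
    findings.push({ component: b.name, installed: b.version, minimum: MINIMUMS[b.name] });
  }
  for (const p of plugins) {
    const min = MINIMUMS[p.name], v = parsePluginVersion(p.description);
    if (min && v && compareVersions(v, min) < 0) {
      findings.push({ component: p.name, installed: v, minimum: min });
    }
  }
  return findings;
}

// In a page: checkClient(navigator.userAgent, Array.from(navigator.plugins)),
// then show an update notice or POST the findings to a reporting endpoint.
```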