Educause Security Discussion mailing list archives

Re: Checking for old web browsers and media plugins


From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Wed, 18 Feb 2009 12:55:34 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Have you tried running Nessus scans with credentials against Windows
systems?  When Nessus can connect to the target system's registry and is
provided administrator credentials, Nessus can see which applications
are installed and find outdated 3rd party applications in need of
patching (like Java, Adobe Reader/Flash, iTunes, Firefox, AOL instant
messenger, RealPlayer, Quicktime, etc. and many more).

Despite using BigFix for centralized patch management, we recently
discovered an outdated version of the Opera web browser with its own
outdated version of Flash via Nessus and a registry connection.  While
BigFix does support some 3rd party applications, it doesn't claim to or
try to track them all (no patching solution currently does this), so it
was not surprising that BigFix hadn't patched Opera.

As you've pointed out, two of the biggest challenges are knowing which
3rd party applications may be installed and which of those that are
installed need security updates.  The Nessus people have done a good
job of fulfilling those two requirements.  They definitely don't track
every application in the world, but when I was using Nessus in bank
audits, I was surprised more than a few times by its ability to identify
security holes in applications I had never even heard of.

Running Nessus with credentials/registry access gives an order of
magnitude more information about the system and can detect many more
vulnerabilities than a network-only scan can gather.

Your idea of using your web applications to detect outdated
plugins/browsers would still work very well for external users and I
would see it as complementary to Nessus scans, but I would also
encourage you to look into running Nessus with credentials since you
already have purchased the software.

-Adam

Bob Bayn wrote:
We've seen some drive-by compromises here lately.  We run weekly Nessus scans every week against all of our active 
IPs but those scans don't discover things like old web browsers or missing updates on various media plugins.  We are 
wondering if it would be productive to put some detection and reporting of obsolete browser or media plugins into 
some of our commonly used local web pages (access to our CMS or ERP) so we can encourage some updating before the 
drive-by events happen.  Is anybody doing this or considering it?


Bob Bayn     (435)797-2396     Security Team coordinator
"IT will NEVER ask for your password via email, honest!"
Office of Information Technology at Utah State University

--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Mobile: 510-220-2477
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared
impossible before they were done." ~Louis D. Brandeis

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmcdcYACgkQT0QSLt7kiaDskgCfaraOctEZZ3GU8xtFRhZYEr6N
G/cAn2scxXXbUSnbwh56LHRN96xnQ8xm
=pybP
-----END PGP SIGNATURE-----
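Bob's idea of having commonly used local web pages flag an obsolete browser can be prototyped with a small version check against the browser's self-reported User-Agent string. The following is an added example, not code from either poster or from any product mentioned in the thread: the minimum-version table and the sample User-Agent strings are constructed placeholders, and the function names (`checkBrowser`, `summarize`, etc.) are hypothetical. In a page it would be fed `navigator.userAgent`; the same functions can also be run over User-Agent strings pulled from web server logs for a campus-wide report.

```javascript
// Added example (not from the original thread): detect outdated browsers from
// User-Agent strings and report counts. Minimum versions below are constructed
// placeholders; replace them with the versions your patching policy requires.
const MIN_VERSIONS = {
  Firefox: [3, 0, 6],
  Opera: [9, 64],
  Chrome: [1, 0, 154],
};

// Regexes that capture the product version. Order matters: Opera is tried
// first because older Opera builds also advertise "Firefox/..." in their UA.
const UA_PATTERNS = [
  { name: 'Opera', re: /Opera\/[\d.]+.*Version\/([\d.]+)/ }, // Opera 10+ style
  { name: 'Opera', re: /Opera[\/ ]([\d.]+)/ },               // Opera 9.x style
  { name: 'Chrome', re: /Chrome\/([\d.]+)/ },
  { name: 'Firefox', re: /Firefox\/([\d.]+)/ },
];

function parseVersion(s) {
  return s.split('.').map(Number);
}

// Negative if a < b, zero if equal, positive if a > b. Missing trailing
// components count as 0, so "3.0" and "3.0.0" compare equal.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

function identifyBrowser(ua) {
  for (const p of UA_PATTERNS) {
    const m = ua.match(p.re);
    if (m) return { name: p.name, version: parseVersion(m[1]) };
  }
  return null; // bots, curl, unrecognised products
}

// Returns {status: 'ok' | 'outdated' | 'unknown', ...details}.
function checkBrowser(ua) {
  const b = identifyBrowser(ua);
  if (!b) return { status: 'unknown' };
  const min = MIN_VERSIONS[b.name];
  if (!min) return { status: 'unknown', name: b.name };
  const outdated = compareVersions(b.version, min) < 0;
  return {
    status: outdated ? 'outdated' : 'ok',
    name: b.name,
    version: b.version.join('.'),
    minimum: min.join('.'),
  };
}

// Aggregate a list of UA strings (e.g. one per web-server log line) into counts.
function summarize(uaList) {
  const counts = { ok: 0, outdated: 0, unknown: 0 };
  for (const ua of uaList) counts[checkBrowser(ua).status] += 1;
  return counts;
}

// Constructed sample User-Agent strings for a stand-alone run.
const SAMPLE_UAS = [
  'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6',
  'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20',
  'Opera/9.80 (Windows NT 6.1) Presto/2.2.15 Version/10.00',
  'Opera/9.50 (Windows NT 5.1; U; en)',
  'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19',
  'curl/7.19.0 (i386-redhat-linux-gnu) libcurl/7.19.0',
];

if (typeof navigator !== 'undefined') {
  // In a browser: check the visitor and leave a hook for the page to show a notice.
  console.log(checkBrowser(navigator.userAgent));
} else {
  console.log(summarize(SAMPLE_UAS));
}
```

The User-Agent is self-reported, so this is a nudge for users and a rough report, not an inventory control; credentialed scanning of the registry, as Adam describes, remains the authoritative source. Plugin versions (Flash, Java, QuickTime) need a separate check through the browser's plugin enumeration and are not covered here.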
