3/22/2010
06:01 PM
Dark Reading
Products and Releases

Secunia Rolls Out 'One Stop' Patch Solution That Integrates With Microsoft WSUS, SCCM

Secunia Corporate Software Inspector follows a four-step

Executive Summary

For years, companies have had to deal with the threat posed by vulnerabilities in installed software. Now, help is within reach, with Secunia providing a simple solution for dealing with unpatched vulnerabilities.

Today, the Secunia Corporate Software Inspector (CSI) 4.0 will be released, after two months of beta testing (closed and public). It is the first of its kind in the market, securing all software programs (Microsoft and 3rd party programs) in a simple way, and, thereby, ending the days of time consuming, labour intensive, and troublesome patching. This novel end-to-end scanning and patching solution will enable IT departments to come full circle in their security operations, providing them with:

Simplified and automated process of securing Microsoft and third party programs, with the Secunia CSI 4.0 enabling accurate assessment and deployment of the latest security patches

Comprehensiveness and solution-orientation, with the Secunia CSI 4.0 relying on Secunia's world-leading Vulnerability Intelligence from the Secunia Advisory and Vulnerability database

[Quote: "We are in a unique position for doing this, due to the comprehensiveness and quality of our Vulnerability Intelligence (VI) and our unique scanner technology, which together with Microsoft WSUS and SCCM, allow us to provide a solution that enables companies to come full circle in relation to patch management. The value lies in the comprehensiveness, reliability, and action-ability, provided by combining the best of two solutions: Microsoft WSUS and SCCM, the most renowned and used tools for MS patch deployment, with Secunia's unique scanner technology and world-leading VI" (Niels Henrik Rasmussen, CEO Secunia)]

Companies will now be able to complete full patching cycles with just a few clicks, with the Secunia CSI 4.0 following a four step process: 1) Conduct a full scan of all hosts, 2) Review missing security patches, 3) Automatically create, approve, and deploy the patches, and 4) Re-scan hosts to verify that the patch process has completed successfully.

[Quote: "The Community and the customers have actively participated in developing the Secunia CSI 4.0 solution that is being released today. We had more than 1,000 participants in the public beta, counting security professionals, techies, and enthusiasts from across sectors and industries, including the financial and governmental sectors. We are happy that so many beta testers have expressed excitement over the direct integration to Microsoft WSUS (and SCCM), as well as the ease with which the Secunia CSI is able to create and deploy third party patches to Windows based computers" (Niels Henrik Rasmussen, CEO Secunia)]

I Secunia goes simplified PM today

From today, patching will no longer be renowned as a tedious task, and unpatched vulnerabilities residing on local hosts will no longer be able to hide from the IT department.

Today, Secunia releases the newest addition to its portfolio of vulnerability management solutions, the 'Secunia Corporate Software Inspector (CSI) integrated with Microsoft WSUS and SCCM for 3rd party Patch Management' (Secunia CSI 4.0), providing a one-stop, end-to-end patching solution.

[Statement: "Future techies will be rightfully incredulous that there isn't a single software updating system for all the installed software. Imagine there were gas stations for General Motors, Toyota and Volvo cars and that owners of those cars could only be serviced at stations dedicated to them. That's the disgraceful system we all live with today." (Michael Horowitz, Columnist, Computerworld.com, December 2009)]

[Quote: "WSUS and SCCM are practically installed in all companies worldwide today, and now all these companies are given the opportunity to further ensure their IT-security and end the threat posed by vulnerabilities, including those in 3rd party programs. Further, companies can benefit from this without having to radically change their existing infrastructure or invest in learning new tools, as the Secunia CSI 4.0 integrates with WSUS and SCCM" so business as usual (Niels Henrik Rasmussen, CEO Secunia)]

II Altered Threat Picture - altered protection need

Over the last few years, the IT-security industry has seen a general trend towards cyber criminals using exploitation of vulnerabilities as the vector to compromise client systems. They have to a great extent abandoned Windows, and it no longer appears to represent their first choice - rather, the cyber criminals go for the masses of unpatched 3rd party programs that are not automatically updated by, for example, WSUS.

This trend is supported by the fact that vulnerabilities in Windows are discovered and patched too fast, leaving the cyber criminal with a limited exploitation time frame and scope; that is, a limited return on their exploitation investment (ROI). This is further supported by Marcus Alldrick, head of information security for Lloyd's of London, the insurance underwriting organisation: "Organised crime is putting in significant amounts of money to develop malware, and Web applications are increasingly being targeted" (Source 1).

In a recent presentation by Secunia, some of the factors in the cyber criminal's ROI calculation were elaborated, supporting that criminals evaluate targets according to:

ROI = software popularity + ease of discovery + ease and reliability (exploitation) + 'window of opportunity' (duration)

Further, a recent Secunia white paper states that profit motivated cyber criminals increasingly focus on host exploitation due to (1) the variety and prevalence of program portfolios found on typical hosts and (2) the unpredictable usage patterns of users. Seen in relation to the complexity of corporate networks, this supports the interest that cyber criminals are showing.

[Quote: "In recent Secunia research conducted by Research Analyst Director Stefan Frei and Chief Security Officer Thomas Kristensen, we found that the typical private user has to install an average of 75 patches from 22 different vendors (source 4) - with this scoping the typical private user, imagine the patching requirements facing the corporate IT environments. I would not be surprised if even more vulnerabilities would characterise corporate end-points, with even more individual updating mechanisms being needed to ensure a secure and patched network" (Niels Henrik Rasmussen, CEO Secunia)]

As the scope and form of the threat changes, so does the need for new and adapted protection mechanisms. The traditional means such as anti-virus, firewall, IDS/IPS etc. are no longer sufficient in the fight against the cyber criminals.

[Statement: "These results have once again put the spotlight on the assertion that can be heard here and there from various security experts: anti-virus products are patently inadequate, and even IDS and Web proxies that scan content are not enough to protect a network from advanced persistent threats... The security industry's going to have to think about selling solutions that actually work with this type of environment," said Alex Stamos with Isec Partners. "Basically nothing that people have bought over the last 16 years is going to help them stop a single guy sitting at a computer who is a Windows shellcode person targeting one person, and spending months to break into that computer." (Source 3)]

[Quote: "I completely agree with the fact that the more traditional security means do serve a purpose on a corporate network, and companies should not do without these reactive security means. However, as it only takes one vulnerability for the whole network to be compromised, there is without question a need for the more pre-emptive means as well. Only relying on the reactive means provides a false sense of security, as you never know when one of the unidentified program vulnerabilities will invite a criminal into your internal network" (Niels Henrik Rasmussen, CEO Secunia)]

This supports the fact that more than ever there is a need for patching, and doing so in a structured and comprehensive way.

[Statement: "Managing the patch management process is no longer a little administrative chore that is fit in around more important work; it has become one of the most pressing and difficult challenges facing security professionals... organisations need to accept that patching is a 'business as usual activity' part of a general maintenance regime that happens on a regular basis." (Source 1)]

[Quote: "Since we introduced the scanner technology in 2006, we have been able to see how patching has become more and more comprehensive for companies. We have interacted with the customers, understanding their pain, and evaluating potential best practice. It is the customers', as well as the community's, input to the existing scanner technology that has contributed to our understanding of the market pain and the subsequent opportunity for improvement" (Niels Henrik Rasmussen, CEO Secunia)]

However, with the existing solutions available in the market, patching remains a cumbersome task. It requires substantial resources, both in time and people, and further, the process is difficult to control, with no one knowing when patches have been successfully applied to all affected machines. This encourages companies to 'see through fingers' with the patching scope.

[Statement: "It can be difficult to get the business to accept the need for patching, because it has business consequences," Alldrick said. "Typically, companies that do patch will patch on the server side but don't give as much priority to the client side, even though that's where 95% of the vulnerabilities occur. But keeping clients up to date is hard. You have logistical issues to deal with, as well as people issues - users may delay the patch because they want to get on with their work" (Source 1)]

[Quote: "Secunia has been trying to emphasise the threat posed by the vulnerabilities for the past eight years - we are pleased to see that the market is starting to digest our key message. Acknowledging it is the first step - second step is to adapt to the solutions that can deal with the more practical side of patching" (Niels Henrik Rasmussen, CEO Secunia)]

[Statement: "If your security organisation says that patching all client side programs is simply too difficult, it has ceded significant territory in the internal network to the bad guys" (Source 2)]

[Quote: "This also supports why the initiative for Microsoft and Adobe to collaborate is a step in the right direction but not an alternative to continuously 'only' patch the software programs supported by Microsoft. There is a range of other third party programs, and once the cyber criminals start to realise that the vulnerabilities in Adobe are generating smaller 'windows of opportunity' etc. they will re-direct their attention to other software" (Niels Henrik Rasmussen, CEO Secunia)]

III Simplified Patching

With the seamless Microsoft WSUS and SCCM integration with the Secunia Corporate Software Inspector, the patching process has been simplified and can literally be conducted with a few clicks - completing a full patch management cycle has never been easier and more straightforward:

1. Conduct a full scan of all hosts

2. Review missing security patches

3. Automatically create, approve, and deploy the patches

4. Re-scan hosts to verify that the patch process completed successfully.

The Secunia Software Inspector is delivering detection and vulnerability assessment of nearly all publicly known applications, plugins, and extensions in the market; it is capable of detecting software from thousands of different vendors, including Adobe Reader, Adobe Flash, Sun Java, Firefox, and practically all other Windows based programs. With Secunia Patch Management, Secunia is bringing application transparency, by a complete overview over ALL applications installed, and technology transparency by recognizing and utilising the widely used technology of Microsoft WSUS and SCCM.

Repackaging

The greatest part of the challenge has been to repackage third party patches in an easy way. This Secunia is able to do for most programs, and more patches are added to the list every day, continuously enhancing the scope and comprehensiveness of the solution.

Existing patch management solutions require that customers use Microsoft SCUP or similar complicated tools for repackaging patches. However, due to the information gathered by the Secunia Software Inspector technology, it is possible for the Secunia Corporate Software Inspector to automatically repackage the patches.

Why WSUS and SCCM?

Microsoft WSUS and SCCM are the most widely used patch management platforms in companies worldwide; they are robust, scalable, and well documented for use in any environment, whether it is a single office with 10 endpoints or a global conglomerate with thousands of branches and hundreds of thousands of endpoints. Because they are so widely used, and already running in most corporate networks, Secunia decided to integrate the Secunia Corporate Software Inspector with Microsoft WSUS and SCCM for 3rd party patch management.

[Statement: "Deployment of non-Microsoft patches is often significantly slower and less organized. All Internet-based applications, especially browsers and browser plug-ins (i.e., Adobe and Apple QuickTime), should be a top patching priority." (Gartner, "Top10 Steps to avoid Malware infections", September 2009)]

About Secunia

Secunia is the leading provider of Vulnerability Intelligence and Vulnerability Management tools for the IT-security industry. The company is privately held, and has gone from being a very successful start-up to become an established player, operating within the Vulnerability management market. Over the years Secunia's organic growth has been higher than market average, and the company is profitable with no bearing debt. The customer base counts thousands of companies and institutions, including Global 2000 and Fortune 500 companies. Secunia holds a market leader position in the EMEA, and is experiencing great growth margins in the North American Market.

Secunia's vision statement
