Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/22/2010
06:01 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Secunia Rolls Out 'One Stop' Patch Solution That Integrates With Microsoft WSUS, SCCM

Secunia Corporate Software Inspector follows a four-step

Executive Summary

For years, companies have had to deal with the threat posed by vulnerabilities in installed software. Now, help is within reach, with Secunia providing a simple solution for dealing with unpatched vulnerabilities.

Today, the Secunia Corporate Software Inspector (CSI) 4.0 will be released, after two months of beta testing (closed and public). It is the first of its kind in the market, securing all software programs (Microsoft and 3rd party programs) in a simple way, and, thereby, ending the days of time consuming, labour intensive, and troublesome patching. This novel end-to-end scanning and patching solution will enable IT departments to come full circle in their security operations, providing them with:

Simplified and automated process of securing Microsoft and third party programs, with the Secunia CSI 4.0 enabling accurate assessment and deployment of the latest security patches

Comprehensiveness and solution-orientation, with the Secunia CSI 4.0 relying on Secunia's world-leading Vulnerability Intelligence from the Secunia Advisory and Vulnerability database

[Quote: "We are in a unique position for doing this, due to the comprehensiveness and quality of our Vulnerability Intelligence (VI) and our unique scanner technology, which together with Microsoft WSUS and SCCM, allow us to provide a solution that enable companies to come full circle in relation to patch management. The value lies in the comprehensiveness, reliability, and action-ability, provided by combining the best of two solutions; Microsoft WSUS and SCCM, the most renowned and used tools for MS patch deployment, with Secunia's unique scanner technology and world-leading VI" (Niels Henrik Rasmussen, CEO Secunia)]

Companies will now be able to complete full patching cycles with just a few clicks, with the Secunia CSI 4.0 following a four step process: 1) Conduct a full scan of all hosts, 2) Review missing security patches, 3) Automatically create, approve, and deploy the patches, and 4) Re-scan hosts to verify that the patch process has completed successfully.

[Quote: The Community and the customers have actively participated in developing the Secunia CSI 4.0 solution that is being released today. We had more than 1,000 participants in the public beta, counting security professionals, techies, and enthusiasts from across sectors and industries, including the financial and governmental sectors. We are happy that so many beta testers have expressed excitement over the direct integration to Microsoft WSUS (and SCCM), as well as the ease of which the Secunia CSI is able to create and deploy third party patches to Windows based computers" (Niels Henrik Rasmussen, CEO Secunia)]

I Secunia goes simplified PM today

From today, patching will no longer be renowned as a tedious task, and unpatched vulnerabilities residing on local hosts will no longer be able to hide from the IT department.

Today, Secunia releases the newest addition to its portfolio of vulnerability management solutions, the 'Secunia Corporate Software Inspector (CSI) integrated with Microsoft WSUS and SCCM for 3rd party Patch Management' (Secunia CSI 4.0), providing a one-stop, end-to-end patching solution.

[Statement:"Future techies will be rightfully incredulous that there isn't a single software updating system for all the installed software. Imagine there were gas stations for General Motors, Toyota and Volvo cars and that owners of those cars could only be serviced at stations dedicated to them. That's the disgraceful system we all live with today." (Michael Horowitz, Columnist, Computerworld.com, December 2009)]

[Quote: "WSUS and SCCM are practically installed in all companies worldwide today, and now all these companies are given the opportunity to further ensure their IT-security and end the threat posed by vulnerabilities, including those in 3rd party programs. Further, companies can benefit from this without having to radically change their existing infrastructure or invest in learning new tools, as the Secunia CSI 4.0 integrates with WSUS and SCCM" so business as usual (Niels Henrik Rasmussen, CEO Secunia)] II Altered Threat Picture " altered protection need

Over the last few years, the IT-security industry has seen a general trend towards cyber criminals using exploitation of vulnerabilities as the vector to compromise client systems. They have to a great extent abandoned windows, and it no longer appears to represents their first choice " rather, the cyber criminals go for the masses of unpatched 3rd party programs that are not automatically updated by for example WSUS.

This trend is supported by the fact that vulnerabilities in windows are discovered and patched too fast, leaving the cyber criminal with a limited exploitation time frame and scope; that is, a limited return on their exploitation investment (ROI). This is further supported by Marcus Alldrick, head of information security for Lloyd's of London, the insurance underwriting organisation, "Organised crime is putting in significant amounts of money to develop malware, and Web applications are increasingly being targeted (Source 1).

In a recent presentation by Secunia, some of the factors in the cyber criminal's ROI calculation were elaborated, supporting that criminals evaluate targets according to:

ROI = software popularity + ease of discovery + ease and reliability (exploitation) + 'window of opportunity' (duration)

Further, a recent Secunia white paper states that profit motivated cyber criminals increasingly focus on host exploitation due to (1) the variety and prevalence of program portfolios found on typical hosts and (2) the unpredictable usage patterns of users. Considering this in relation to the complexity of corporate networks, supports the interest that cyber criminals are showing.

[Quote: "In recent Secunia research conducted by Research Analyst Director Stefan Frei and Chief Security Officer Thomas Kristensen, we found that the typical private user has to install an average of 75 patches from 22 different vendors (source 4) " with this scoping the typical private user, imagine the patching requirements facing the corporate IT environments. I would not be surprised if even more vulnerabilities would characterise corporate end-points, with even more individual updating mechanisms being needed to ensure a secure and patched network" (Niels Henrik Rasmussen, CEO Secunia)]

As the scope and form of the threat changes, so does the need for new and adapted protection mechanisms. The traditional means such as anti-virus, firewall, IDS/IPS etc. are no longer sufficient in the fight against the cyber criminals.

[Statement: "These results have once again put the spotlight on the assertion that can be heard here and there from various security experts: anti-virus products are patently inadequate, and even IDS and Web proxies that scan content are not enough to protect a network from advanced persistent threats... The security industry's going to have to think about selling solutions that actually work with this type of environment," said Alex Stamos with Isec Partners. "Basically nothing that people have bought over the last 16 years is going to help them stop a single guy sitting at a computer who is a Windows shellcode person targeting one person, and spending months to break into that computer." (Source 3)]

[Quote: "I completely agree with the fact that the more traditional security means do serve a purpose on a corporate network, and companies should not do without these reactive security means. However, as it only takes one vulnerability for the whole network to be compromised, there is without question a need for the more pre-emptive means as well. Only relying on the reactive means provides a false sense of security, as you never know when one of the unidentified program vulnerabilities will invite a criminal into your internal network" (Niels Henrik Rasmussen, CEO Secunia)}

This supports the fact that more than ever there is a need for patching, and doing so in a structured and comprehensive way.

[Statement: "Managing the patch management process is no longer a little administrative chore that is fit In around more important work.; it has become one of the most pressing and difficult challenges facing security professionals... organisations need to accept that patching is a 'business as usual activity' part of a general maintenance regime that happens on a regular basis ." (Source 1).

[Quote: "Since we introduced the scanner technology in 2006, we have been able to see how patching has become more and more comprehensive for companies. We have interacted with the customers, understanding their pain, and evaluating potential best practise. It is the customers, as well as the community's, input to the existing scanner technology that has contributed to our understanding of the market pain and the subsequent opportunity for improvement" (Niels Henrik Rasmussen, CEO Secunia)]

However, with the existing solutions available in the market, patching remains a cumbersome task. It requires substantial resources, both in time and people, and further, the process is difficult to control, with no one knowing when patches have been successfully applied to all affected machines. This encourages companies to 'see through fingers' with the patching scope.

[Statement: "It can be difficult to get the business to accept the need for patching, because it has business consequences." Allrdick said, "Typically, companies that do patch will patch on the server side but don't give as much priority to the client side, even through that's where 95% of the vulnerabilities occur. But keeping clients up to date is hard. You have logistical issues to deal with, as well as people issues " users may delay the patch because they want to get on with their work" (Source 1)

[Quote: "Secunia has been trying to emphasise the threat posed by the vulnerabilities for the past eight years " we are pleased to see that the market is starting to digest our key message. Acknowledging it is the first step " second step is to adapt to the solutions that can deal with the more practical side of patching" (Niels Henrik Rasmussen, CEO Secunia)]

[Statement "If your security organisation says that patching all client side programs is simply too difficult, it has ceded significant territory in the internal network to the bad guys" (Source 2)]

[Quote: "This also supports why the initiative for Microsoft and Adobe to collaborate is a step in the right direction but not an alternative to continuously 'only' patch the software programs supported by Microsoft. There is a range of other third party programs, and once the cyber criminals start to realise that the vulnerabilities in Adobe are generating smaller 'windows' of opportunity' etc. they will re-direct their attention to other software" (Niels Henrik Rasmussen, CEO Secunia)]

III Simplified Patching

With the seamless Microsoft WSUS and SCCM integration with the Secunia Corporate Software Inspector, the patching process has been simplified and can literally be conducted with a few clicks - completing a full patch management cycle has never been easier and more straightforward :

1. Conduct a full scan of all hosts

2. Review missing security patches

3. Automatically create, approve, and deploy the patches

4. Re-scan hosts to verify that the patch process completed successfully.

The Secunia Software Inspector is delivering detection and vulnerability assessment of nearly all publicly known applications, plugins, and extensions in the market; it is capable of detecting software from thousands of different vendors, including Adobe Reader, Adobe Flash, Sun Java, Firefox, and practically all other Windows based programs. With Secunia Patch Management, Secunia is bringing application transparency, by a complete overview over ALL applications installed, and technology transparency by recognizing and utilising the widely used technology of Microsoft WSUS and SCCM.

Repackaging

The greatest part of the challenge, has been to repackage third party patches in an easy way. This Secunia is able to do for most programs, and more patches are added to the list every day, continuously enhancing the scope and comprehensiveness of the solution.

Existing patch management solutions require that customers use Microsoft SCUP or similar complicated tools for repackaging patches. However, due to the information gathered by the Secunia Software Inspector technology, it is possible for the Secunia Corporate Software Inspector to automatically repackage the patches.

Why WSUS and SCCM?

Microsoft WSUS and SCCM are the most widely used patch management platforms in companies worldwide, it is robust, scalable, and well documented for use in any environment whether it is a single office with 10 endpoints or a global conglomerate with thousands of branches and hundreds of thousands endpoints. Because they are so widely used, and already running in most corporate networks, Secunia decided to integrate the Secunia Corporate Software Inspector with Microsoft WSUS and SCCM for 3rd party patch management.

[Statement: "Deployment of non-Microsoft patches is often significantly slower and less organized. All Internet-based applications, especially browsers and browser plug-ins (i.e.,Adobe and Apple QuickTime), should be a top patching priority."

(Gartner, "Top10 Steps to avoid Malware infections", September 2009)]

About Secunia

Secunia is the leading provider of Vulnerability Intelligence and Vulnerability Management tools for the IT-security industry. The company is privately held, and has gone from being a very successful start-up to become an established player, operating within the Vulnerability management market. Over the years Secunia's organic growth has been higher than market average, and the company is profitable with no bearing debt. The customer base counts thousands of companies and institutions, including Global 2000 and Fortune 500 companies. Secunia holds a market leader position in the EMEA, and is experiencing great growth margins in the North American Market.

Secunia's vision statement

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26585
PUBLISHED: 2021-06-24
A potential vulnerability has been identified in HPE OneView Global Dashboard release 2.31 which could lead to a local disclosure of privileged information. HPE has provided an update to OneView Global Dashboard. The issue is resolved in 2.32.
CVE-2021-31412
PUBLISHED: 2021-06-24
Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 1...
CVE-2021-33604
PUBLISHED: 2021-06-24
URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.
CVE-2020-28097
PUBLISHED: 2021-06-24
The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85.
CVE-2020-7862
PUBLISHED: 2021-06-24
A vulnerability in agent program of HelpU remote control solution could allow an authenticated remote attacker to execute arbitrary commands This vulnerability is due to insufficient input santization when communicating customer process.