Secunia PSI Finds Software Vulnerabilities
Sunday, 13 July 2008
Most Windows users know they need to regularly update their operating system. Some even mark “Patch Tuesday” on their calendars. But, how do you go about updating software from other manufacturers? For many, the best solution might be a beta program called Secunia PSI (Personal Software Inspector). You might think of it as a personal patch management program for known software vulnerabilities.

I rarely recommend beta software. However, there are times when I think the trade-off is worth the risk. I believe you run a bigger risk by failing to update vulnerable files. While people focus on Microsoft’s woes, there are thousands of others issues that have been reported and patched by other software vendors. The problem is finding a reliable system to alert you of these issues.

Identifying Software Security Vulnerabilities

Secunia’s PSI does the research and identification for you. They maintain an extensive database of file signatures, software vulnerabilities, version numbers, web addresses and more. This program searches for more issues than their Online Software Inspector that we’ve used. This software scans your programs and compares them to their master database and provides recommendations and more information. The program won’t automatically update your system, but it provides the information you need to make an intelligent decision.

One feature I appreciate is the way Secunia PSI presents its findings. After scanning your PC, it classifies programs into three categories: Insecure, End-of-Life and Patched. The first two categories are the ones you should review. You can see more about each category by clicking its tab.

[Screenshot: Secunia PSI scan overview]

In the example below, I clicked the + sign to expand the entry for an insecure program PSI noted. My computer has a version of an Adobe ActiveX control with a known vulnerability. The product often provides extra details such as informing me that older versions of this software are not always removed. In this case, Secunia provided a vendor link for a special removal tool.

[Screenshot: Secunia PSI detailed entry for an insecure program]

You may have noticed the software inspector didn’t provide details on the vulnerability, only that the program was insecure. To get the details, I can use the large icon in the PSI Toolbox labeled Online Reference. It opens a pop-up with links to Secunia’s advisory.

The Toolbox has other functional icons. In some cases, there is a wizard that steps you through the software update. Another useful feature shows which folder contains the problem file. One item that became apparent in my testing was how many unpatched programs are on my D:\Recovery partition. I could choose to patch these files or have the program ignore them. Secunia PSI won’t automatically take action, as it leaves the decisions to you. In some cases, you may decide to keep an “End-of-Life” program.

Installing Secunia PSI

I installed the program on 2 different PCs, one with Windows XP and the other with Windows Vista. The installation was straightforward, but you do need administrative privileges. Your computer also needs access to Microsoft Windows update servers, but if you’re regularly patching Windows, this shouldn’t be an issue. Remember to be patient on the first scan.

One issue Windows Vista users may run into is a pop-up asking whether you wish to allow the program. This is a result of Vista’s tighter security. One workaround is to create a scheduled task that executes at startup with “highest privileges”. This solution is noted in the Secunia PSI FAQ.

[Screenshot: Secunia PSI Settings tab]

The default setting only shows “Easy to Patch” programs. These tend to be the well-known programs. Once you’ve resolved your easy items, you might consider turning that option off. When I did this, I saw listings for more files. I was also amazed to see it spotted specific DLLs that had issues. As you can see, the program looks at .exe, .dll and .ocx files.

[Screenshot: scan results of insecure programs]
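To make the scanning and classification described above concrete (file-type scope, comparing an installed version against the first fixed release, the Insecure / End-of-Life / Patched verdicts, the “Easy to Patch” filter and the option to ignore a location such as a recovery partition), here is a toy inspector written for this review. It is an added example, not Secunia’s code; the inventory would normally come from reading each file’s version resource, but here every path, product name, version and advisory is constructed inline.

```python
"""Toy PSI-style software inspector.

Added example, not Secunia's code. It takes an inventory of program files
(path, product, version), looks each product up in a small vulnerability
database and sorts the file into Insecure / End-of-Life / Patched, with an
"easy to patch" filter and an ignore list for folders such as D:\\Recovery.
All paths, products, versions and advisory references are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Sequence, Tuple

# The review notes that PSI looks at these executable file types.
SCANNED_EXTENSIONS = (".exe", ".dll", ".ocx")


@dataclass(frozen=True)
class InstalledFile:
    path: str      # location on disk
    product: str   # product name (normally read from the version resource)
    version: str   # dotted version string, e.g. "3.1.0"


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: Optional[str]   # None: vendor no longer patches (End-of-Life)
    reference: str            # constructed placeholder for an advisory link
    easy_to_patch: bool       # vendor offers a simple installer or updater


def version_tuple(version: str) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1); a non-numeric component counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1. Shorter tuples are zero-padded, so '3.2' == '3.2.0'."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def classify(item: InstalledFile, db: Dict[str, Advisory]) -> str:
    """One verdict per file, mirroring the review's three categories."""
    advisory = db.get(item.product)
    if advisory is None:
        return "Unknown"        # not in the database: the tool cannot judge it
    if advisory.fixed_in is None:
        return "End-of-Life"    # no fix will ship; replace or remove the program
    if compare_versions(item.version, advisory.fixed_in) < 0:
        return "Insecure"       # older than the first release that fixed the issue
    return "Patched"


def inspect(files: Iterable[InstalledFile], db: Dict[str, Advisory],
            easy_only: bool = True,
            ignore_prefixes: Sequence[str] = ()) -> Dict[str, str]:
    """Map each scanned path to its verdict, honouring the two filters."""
    results: Dict[str, str] = {}
    for item in files:
        if not item.path.lower().endswith(SCANNED_EXTENSIONS):
            continue  # data files are out of scope
        if any(item.path.lower().startswith(p.lower()) for p in ignore_prefixes):
            continue  # the user chose to ignore this location
        advisory = db.get(item.product)
        if easy_only and advisory is not None and not advisory.easy_to_patch:
            continue  # hidden until "Easy to Patch" is switched off
        results[item.path] = classify(item, db)
    return results


def summarize(results: Dict[str, str]) -> Dict[str, int]:
    """Count verdicts, like the tab headers in the scan overview."""
    counts: Dict[str, int] = {}
    for verdict in results.values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample database and inventory (not real products or advisories).
DATABASE = {a.product: a for a in (
    Advisory("Acme Viewer", "3.2.1", "https://example.invalid/adv/1", True),
    Advisory("Acme ActiveX Plugin", "9.0.124", "https://example.invalid/adv/2", False),
    Advisory("OldChat", None, "https://example.invalid/adv/3", True),
)}
SAMPLE_FILES = [
    InstalledFile(r"C:\Program Files\Acme Viewer\viewer.exe", "Acme Viewer", "3.1.0"),
    InstalledFile(r"C:\Program Files\Acme Viewer\helper.dll", "Acme Viewer", "3.2.1"),
    InstalledFile(r"C:\Windows\System32\acmeplugin.ocx", "Acme ActiveX Plugin", "8.0.0"),
    InstalledFile(r"C:\Program Files\OldChat\oldchat.exe", "OldChat", "1.0"),
    InstalledFile(r"D:\Recovery\Acme Viewer\viewer.exe", "Acme Viewer", "2.0"),
    InstalledFile(r"C:\Program Files\Unlisted\tool.exe", "Unlisted Tool", "5.0"),
    InstalledFile(r"C:\Program Files\Notes\readme.txt", "Notes", "1.0"),
]

if __name__ == "__main__":
    for easy in (True, False):
        verdicts = inspect(SAMPLE_FILES, DATABASE, easy_only=easy,
                           ignore_prefixes=(r"D:\Recovery",))
        print(f"easy_only={easy}: {summarize(verdicts)}")
        for path, verdict in verdicts.items():
            print(f"  {verdict:12} {path}")
```

The “Unknown” verdict is deliberate: a product missing from the database gets no judgement rather than a clean bill of health, which is the limitation the review describes later. Dropping the `ignore_prefixes` argument surfaces the stale copy on the recovery partition, and `easy_only=False` reveals the ActiveX control that the default filter hides.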

Setting Software Expectations

The problem with security software is we want to believe it will solve all our problems so we can focus our attention elsewhere. Sorry, that isn’t going to happen as you still have the starring role in this ongoing drama. Secunia PSI does a stellar job at identifying known security vulnerabilities and gives you actionable information. Think of the program as providing you with a security patch “to do” list for your PC.

Even though Secunia’s product is thorough, it doesn’t cover all security issues. At best, it covers what has been reported as fixed or abandoned by the software vendors. It won’t cover beta software. The company stresses this product isn’t a replacement for other tools such as AV scanners, firewalls and anti-spyware programs. Instead, the tool is designed to complement these security tools.

The program also won’t address all software updates. It could be the program you’re using is not in their database. Another scenario is when a software vendor releases a new version with new functionality. If that new release didn’t fix any security vulnerabilities, you won’t be alerted. Remember, the focus is security vulnerabilities.

I’ve been testing the program for several months and have had one minor issue. Although the program spotted an old Adobe ActiveX file, when I clicked the download link, I didn’t get my expected file. The Adobe site recognized I was using the Firefox browser and so didn’t offer the file. The fix was to use the download link with Internet Explorer. Ideally, it would help if the program had a note about using Internet Explorer to retrieve this ActiveX update.

Secunia PSI is a program I would suggest adding to your security software suite. The Personal Software Inspector identifies weaknesses other utilities miss. As more software vulnerabilities are identified, you need to have a way to know which files should be patched. My guess is the program will identify many issues on your PC. I know I had my share.

Product: Secunia PSI (Personal Software Inspector)
Version Reviewed: 0.9.0.4 (Beta RC3)
Product Page: https://psi.secunia.com/
Date Reviewed: July 13th, 2008
Price: Free for personal use
Rating: ★★★★★

Last Updated: Tuesday, 02 September 2008