Security Fix Pop Quiz, Spring 2008 Edition
Have you been keeping up to date with the latest security patches? Examine the list below to see how you've done. If you're not sure which version of a program you're running, you can usually tell by selecting "Help" and then "About [software name]" from the program menu.
Adobe Flash, version 9.0.124.0, released April 8.
Adobe Reader, version 8.1.2, released Feb. 7.
Apple/Mac OS X, Security Update 2008-002, released March 18.
Microsoft Windows: April Patches
Mozilla Firefox, version 2.0.0.13, released March 25.
Opera, version 9.27, released April 3.
QuickTime, version 7.4.5, released April 2.
Skype, version 3.6.0.248, released February 5.
Sun Java JRE, Version 6 Update 5, released March 4.
VideoLAN VLC Player (free alternative to RealPlayer), version 0.8.6, released April 2.
Winamp, version 5.53, released Feb. 14.
WinRAR (file zip/unzip shareware utility), version 3.71, released Nov. 2007.
Alternatively, you could head over to Secunia's site and scan your system with the Software Inspector application, a free online tool that will tell you which programs are outdated and need to be updated (Software Inspector requires Sun's Java to be installed). Secunia also offers an installable version of Software Inspector, which can run in the background and periodically alert you when new security updates are available for commonly used programs. The nice thing about the installable version is that it includes direct-download links to the latest, secured version of any software it finds that is outdated on your machine: you don't even need to have a browser window open to grab the latest updates.
One of the most common comments I receive from readers I've referred to the Secunia scanner is that the scan found multiple older versions of Flash and Java installed on their system. As Security Fix has noted in many a post on Java updates, Sun's updates do not uninstall older versions. Luckily, older versions of Java should be listed in the Add/Remove Programs list, and users should remove any older versions after the newest version is installed.
With Flash, things often aren't as tidy, and many users find their system littered with old versions of Flash. I usually advise people in this situation to grab a copy of Adobe's Flash uninstaller and remove existing versions of Flash, then re-install the latest version of the Flash Player. Bear in mind that Windows users who use multiple browsers will need to install two different versions of Flash -- one that works only on Internet Explorer and another designed for Mozilla (Firefox) and Opera browsers (see my blog post from Friday on this for more details).
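As an added example (not part of the original post, and not Secunia's or any vendor's code), here is a small Python script that compares a constructed software inventory against the minimum versions in the list above. The product names, the inventory entries, and the assumption that an inventory tool reports "Java 6 Update 5" as the JRE's internal string 1.6.0_05 are all assumptions of the example. It normalises the comma-separated form Flash reports (9,0,124,0), treats a letter-suffix release such as VLC 0.8.6f as newer than the bare 0.8.6, and flags leftover older copies of the same product, which is the lingering-Java-and-Flash problem described above.

```python
"""Check an installed-software inventory against a list of minimum patched versions."""
import re

# Minimum patched versions, taken from the checklist above.
# Windows is left out: its April patches are not a single version number.
REQUIRED = {
    "Adobe Flash": "9.0.124.0",
    "Adobe Reader": "8.1.2",
    "Mozilla Firefox": "2.0.0.13",
    "Opera": "9.27",
    "QuickTime": "7.4.5",
    "Skype": "3.6.0.248",
    "Sun Java JRE": "1.6.0_05",  # assumed inventory form of "Version 6 Update 5"
    "VLC": "0.8.6",
    "Winamp": "5.53",
    "WinRAR": "3.71",
}

# Constructed inventory, in the shape an inventory tool might report it.
# The same product may appear more than once (three JREs side by side).
SAMPLE_INVENTORY = [
    ("Adobe Flash", "9,0,124,0"),
    ("Adobe Reader", "8.1.1"),
    ("Sun Java JRE", "1.6.0_05"),
    ("Sun Java JRE", "1.6.0_03"),
    ("Sun Java JRE", "1.5.0_11"),
    ("VLC", "0.8.6f"),
    ("Winamp", "5.531"),
    ("Mozilla Firefox", "2.0.0.13"),
]


def parse_version(text):
    """Turn '9,0,124,0', '0.8.6f' or '1.6.0_05' into a comparable tuple.

    Each component becomes (number, suffix): '6f' -> (6, 'f'), '05' -> (5, '').
    A bare number sorts before the same number with a letter, so 0.8.6 < 0.8.6f,
    and numeric comparison makes 5.531 newer than 5.53.
    """
    parts = []
    for token in re.split(r"[.,_-]", text.strip()):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", token)
        if not m:
            raise ValueError(f"unparseable version component {token!r} in {text!r}")
        parts.append((int(m.group(1)), m.group(2).lower()))
    return tuple(parts)


def compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += ((0, ""),) * (n - len(pa))  # pad so 9.27 and 9.27.0 compare equal
    pb += ((0, ""),) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def audit(inventory, required=REQUIRED):
    """Return (product, verdict, detail) tuples for every product in `required`.

    Verdicts: 'ok', 'OUTDATED', 'not installed', plus a separate 'STALE COPIES'
    finding when older copies of a product sit beside the newest one.
    """
    seen = {}
    for product, version in inventory:
        seen.setdefault(product, []).append(version)
    findings = []
    for product, minimum in required.items():
        versions = seen.get(product)
        if not versions:
            findings.append((product, "not installed", ""))
            continue
        newest = max(versions, key=parse_version)
        if compare(newest, minimum) < 0:
            findings.append((product, "OUTDATED", f"{newest} < {minimum}"))
        else:
            findings.append((product, "ok", newest))
        stale = [v for v in versions if compare(v, newest) < 0]
        if stale:
            findings.append((product, "STALE COPIES", ", ".join(stale)))
    return findings


if __name__ == "__main__":
    for product, verdict, detail in audit(SAMPLE_INVENTORY):
        print(f"{product:16} {verdict:14} {detail}")
```

Note that with the list's VLC entry of 0.8.6 as the minimum, an installed bare 0.8.6 passes; if your minimum is the suffixed fix release, put the suffix in the table and the comparison will then reject the bare version.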
By Brian Krebs | April 14, 2008; 10:07 AM ET
Posted by: lovey | April 14, 2008 10:27 AM
My own machine breezed through it, but my network machines will be challenged on everything except the MS patches. All the other patches usually require Admin privileges, which my users don't have. That leaves me to visit hundreds of machines to install the patches with my login.
Posted by: hit_escape | April 14, 2008 11:04 AM
Also note that you may be totally up to date with everything but then install something new which rolls you back to an earlier version.
Case in point is OpenOffice.org which recently released v2.4. Installing that version installs an older version of Java (1.6.3 from memory) which is a couple of releases old.
Considering that Sun owns/sponsors OOO, this is a pretty poor show. Mind you, as Brian notes above, Java is a bit of a nightmare to manage with old versions hanging around...so perhaps I shouldn't be so surprised & disappointed.
Nick
Posted by: Nick | April 14, 2008 1:09 PM
Winamp released 5.3.1 over the weekend...
:)
Posted by: JkR | April 14, 2008 1:11 PM
Winamp has released 5.531 even more recently...
:)
Posted by: JkR | April 14, 2008 1:15 PM
Thanks for posting this. Leaving the "lower hanging fruit" vulnerable is as bad as leaving keys in the car.
The Tramp
Posted by: PhantomTramp | April 14, 2008 1:48 PM
FYI the current flash update (9,0,124,0) for both IE and Mozilla/Opera now removes old installations.
Posted by: Angus S-F | April 14, 2008 1:50 PM
NOTE: just having "version 0.8.6" for the VLC player isn't enough. You need version 0.8.6_f_, which fixes vulnerabilities in earlier versions of VLC v0.8.6.
Posted by: Angus S-F | April 14, 2008 2:08 PM
While I realize my typical system configuration listed below is not always possible, it points out the value of reducing the amount of software installed on a system. Not only does such a practice lower your system attack surface in regards to security, but it also limits the amount of patching required and makes it very easy to manually stay on top of updates.
Windows XP SP2 (SP3 soon to be released)
IE7
Windows Media Player 11
Flash Player (9,0,124,0)
Office 2003 SP3
Foxit Reader 2.2
Roxio Easy CD (Creator Classic Only)
AV software
Posted by: TJ | April 14, 2008 2:42 PM
While Secunia's Software Inspector can be a useful tool... a few points of concern:
The online scan requires Java which is commonly blacklisted on many corporate networks (my personal system as well) due to security concerns. So, installing Java just to run the Software Inspector can actually increase a system's security exposure.
False positives, in particular with regard to Java and Flash versions, even though a system is updated.
Potential false sense of security; read "Purpose of the Secunia PSI" at https://psi.secunia.com/?page=about_psi
Posted by: TJ | April 14, 2008 3:30 PM
TJ, I don't follow your logic. Why do you blame Secunia for giving a false sense of security based on that page? They just inform about what their application does and, most importantly, what it doesn't do.
IMHO, a lot of other security solutions and vendors (antivirus, personal firewall, etc.) could learn a lot from this, instead of just claiming and promising to be the one and only magic solution for solving all your security woes.
Posted by: Disagree | April 14, 2008 3:52 PM
Speaking of multiple older versions of Java, is there a tool similar to the Flash uninstaller to remove all old instances of Java?
Posted by: Mike | April 14, 2008 4:12 PM
@Disagree
My concern is with users that will most likely never have read what is stated on the page I referenced...
"Secunia PSI is not a replacement for other security measures.."
"is a supplement to other security measures"
"it is important to understand that the process of identifying insecure software installations on any system involves many different factors and, in rare cases, may result in incorrect detections."
Posted by: TJ | April 14, 2008 4:29 PM
Of course. But what about Fedora Core 8 running under VMware Fusion?
And most important of all: NoScript is at version 1.6. http://noscript.net
Now all we have to do is get The Post to allow us to Post Comments with Javascript turned off.
Posted by: Singing Senator | April 14, 2008 6:25 PM
Yikes, the VLC front page just says "0.8.6", so I thought I was up-to-date until I read Angus's comment. I wonder how many times I've visited VLC's site and not realized my copy was out of date.
Posted by: Jesse Ruderman | April 14, 2008 8:07 PM
I like Secunia's online scan, but LOVE their PSI (Personal Software Inspector). I disable all (well, most) updating checks foisted upon me by software companies (Java, Adobe, etc), and let Secunia PSI do all the work of checking versions.
Posted by: Brian (AKA The Dean) | April 14, 2008 8:51 PM
It took several iterations but I now have the updated files and deleted all the old stuff. Good program!
Posted by: GTN | April 15, 2008 12:10 AM
I noticed that after updating to the latest Java, Java continues to ask me to update to that version on the user accounts where I didn't originally install it. But after I click on the message in the system tray, it says "you already have Java version 6, update 5." And then the icon appears again in a few days, just to do it all over again. FYI. Vista Ultimate OS.
Posted by: josef | April 15, 2008 11:13 AM
Easiest way to update software is filehippo. You don't have to go searching all over a website.
Posted by: neb5 | April 15, 2008 12:14 PM
TJ, you note Win Media player 11. I don't care for it vs Win Media player 10, for various reasons, so I still use version 10. Is there a security concern you know of with version 10?
Also you note Roxio Easy CD (Creator Classic Only), which I'm not sure about. Is that part of the Roxio suite?
Posted by: M in CT | April 15, 2008 12:51 PM
@M in CT
I primarily use the newest versions as they have proven less vulnerable by having fewer vulnerabilities and typically lower severity ratings if one is discovered. IMO, they also perform better and have better feature sets. So, it's a win-win for me.
Creator Classic (and Disk Copier) is a small subset of the Roxio suite of software. I only install what I need from it while turning off the built-in disk burning feature in Windows XP (which isn't as feature rich). By installing only what I need, it lowers my system's potential attack surface, uses less disk space and often prevents unwanted programs from running in the background.
Posted by: TJ | April 15, 2008 2:04 PM
Unfortunately, I wish some of our customers' portals that use Java were as security conscious. Several of the web portals that use Java won't run properly on Java versions higher than 1.5. In fact, they recommend 1.4 on the portal website. I've seen this in more than one company...some are auto manufacturers and some are local hospitals. Not very smart if you ask me.
Posted by: Clutch | April 16, 2008 1:04 PM
@TJ
Tongue in cheek, but do you also upgrade XP to Vista just because it's better and will run better (hah)? I totally agree with M in CT, I use WMP 10 over 11 any day.
Although I do use winamp for streaming.
Speaking of winamp, they, like vlc, do -not- publish that the current version is actually 5.531. I had to go to the forums to find out. Not even the installer exe is named differently.
Posted by: Stern | April 17, 2008 5:23 AM
Totally forgot to add: Thanks bk! I'm assuming this is the quarterly update?
Posted by: Stern | April 17, 2008 5:28 AM
Thanks TJ, I appreciate your insight, along with BK's of course, and others on this blog. This and RP's are great helps.
Posted by: M in CT | April 17, 2008 12:23 PM
@Stern
Operating Systems are a little more complex. ;) See my comment here:
http://blog.washingtonpost.com/securityfix/2008/04/windows_vista_service_pack_1_n_1.html
Posted by: TJ | April 17, 2008 2:00 PM
@TJ Hence the tongue in cheek.
And I'm afraid I need to retract what I said about winamp. I just had to re-download it. The installer is now called:
winamp5531_full_emusic-7plus_en-us.exe
rather than
winamp553_full_emusic-7plus_en-us.exe
as it was before. However on the main page it is still called winamp 5.53. Just to clarify. :) Probably far too much information for anyone to care.
Posted by: Stern | April 17, 2008 2:22 PM
I failed miserably..