glee said:
Really? It does not do that here. Are you using the Advanced mode or
the Simple mode?
If advanced mode is where users are to decipher the results of this
product's scan then that should be the only mode available. Yes, I've
used Advanced mode but Simple mode is the default and obviously the mode
that most of its users will use.
Advanced mode clearly shows what, if any, security risk
is reported for a version of a program.
If Secunia had a report regarding a security risk for an older version
of a program then why don't they actually provide a link to that report?
All I see is it says there is a security risk, NOT *what* is that
security risk.
Sorry, but I no longer have older versions of the programs that it
complained about before to see if it reported a threat or not with those
programs. See below on why users will assume ANYTHING reported by this
product equates it to a security risk. I found no option in this
program to show a log of its previous scans. Their "Historic
Development" graph is just a graph and doesn't link to any log.
As mentioned, and even if a newer version addressed a security risk, you
may not want that newer version. Features may be lost (i.e., the author
dropped some features that you do use). The risk may be as a
vulnerability vector into your host but only if you don't apply other
security measures, like anti-virus, firewalls, HIPS, etc.
Some end of life programs
clearly show a security risk while others show that none exist. It does
not tell you a new version is a security update unless it is. I have
older versions of some programs and it shows the security updates for
those versions, it does not push the newer version.
True, as I assumed a "security" product would only report security
vulnerabilities, not "gee, there's a newer version available". As for
the remaining end-of-life products that I chose NOT to update (since it
requires uninstalling them and installing a different product that I
don't like), it says the threat level is "-". They couldn't use "None"
to make that clear? Besides, as stated, I don't expect a security
product to be WARNING me about any program that is not a security risk
and for which they provide a report.
This product should NOT prompt about any end-of-life product, or any
other product, UNLESS there is a reported security risk associated with
that program. That the user has end-of-life products is none of its
concern and it should not be issuing false alarms UNLESS it has a
security risk.
Sounds like you did not spend much time with the utility.
Indicate where in this program it provides any help files. The user has
to guess only from its GUI and the text therein as to how to use this
product. "?" hotspots for bubble help do NOT equate to a structured
document, such as a user's manual (separately provided or as a Help menu
in the program).
Why would a security product that detects NO security risks in an
end-of-life product, for example, then shove a prompt in the user's face
to strongly influence them to review those end-of-life products? If
there was no security risk in anything scanned then the product
shouldn't lead the users around as if there were security risks. I
don't expect the oil light in my car to start flashing when my garage
light turns on. A security product should remain focused on *security*.
End-of-life programs, or any programs, that have no security risk should
NOT be reported by this product or even included in any list. I can
reproduce the end-of-life false alarm since I kept those defunct
versions. I have no log to prove or disprove that the minor versions it
reported for other programs had security risks or not. You get a bar
chart but nothing to tell you its specifics regarding its "rating".
Something else to mention is that this is an HTA (HTML Application; see
http://en.wikipedia.org/wiki/HTML_Application). That means it is
affected by the settings you establish for Internet Explorer. If, for
example, you have disabled Adobe's Flash Player (or don't have it
installed) then their history bar chart won't display. Right-click on
the bar chart and you'll see it is a Flash AX object. If you have
scripting disabled, this HTA won't run at all and instead you get a text
page telling you to enable scripts. Their system requirements
(http://secunia.com/vulnerability_scanning/personal/system_requirements/)
make no mention regarding the need for Flash, IE, and scripting enabled
in IE. I don't care for HTAs because they often fail to function
properly if the user has chosen to lock down Internet Explorer with
settings that affect HTAs.
It's an okay tool but it has its quirks. Be sure that any program it
alerts on actually has a security risk, and that upgrading to remove the
security risk can encumber a new security risk in the new code along
with bugs, loss of features, or incompatibilities. Just because a
program has a security risk doesn't mean it can be harvested on YOUR
computer setup.