Shockwave and Flash Player

  • Thread starter Kraut / Larry Stark

glee

VanguardLH said:
If advanced mode is where users are to decipher the results of this product's scan then that should be the only mode available. Yes, I've used Advanced mode but Simple mode is the default and obviously the mode that most of its users will use.


If Secunia had a report regarding a security risk for an older version of a program then why don't they actually provide a link to that report? All I see is it says there is a security risk, NOT *what* is that security risk.

Sorry, but I no longer have older versions of the programs that it complained about before to see if it reported a threat or not with those programs. See below on why users will assume ANYTHING reported by this product equates it to a security risk. I found no option in this program to show a log of its previous scans. Their "Historic Development" graph is just a graph and doesn't link to any log.

As mentioned, and even if a newer version addressed a security risk, you may not want that newer version. Features may be lost (i.e., the author dropped some features that you do use). The risk may be as a vulnerability vector into your host but only if you don't apply other security measures, like anti-virus, firewalls, HIPS, etc.


True, as I assumed a "security" product would only report security vulnerabilities, not "gee, there's a newer version available". As for the remaining end-of-life products that I chose NOT to update (since it requires uninstalling them and installing a different product that I don't like), it says the threat level is "-". They couldn't use "None" to make that clear? Besides, as stated, I don't expect a security product to be WARNING me about any program that is not a security risk and for which they provide a report.

This product should NOT prompt about any end-of-life product, or any other product, UNLESS there is a reported security risk associated with that program. That the user has end-of-life products is none of its concern and it should not be issuing false alarms UNLESS it has a security risk.


Indicate where in this program it provides any help files. The user has to guess only from its GUI and the text therein as to how to use this product. "?" hotspots for bubble help does NOT equate to a structured document, such as a user's manual (separately provided or as a Help menu in the program).

Why would a security product that detects NO security risks in an end-of-life product, for example, then shove a prompt in the user's face to strongly influence them to review those end-of-life products? If there was no security risk in anything scanned then the product shouldn't lead the users around as if there were security risks. I don't expect the oil light in my car to start flashing when my garage light turns on. A security product should remain focused on *security*. End-of-life programs, or any programs, that have no security risk should NOT be reported by this product or even included in any list. I can reproduce the end-of-life false alarm since I kept those defunct versions. I have no log to prove or disprove that the minor versions it reported for other programs had security risks or not. You get a bar chart but nothing to tell you its specifics regarding its "rating".

Something else to mention is that this is an HTA (HTML Application; see http://en.wikipedia.org/wiki/HTML_Application). That means it is affected by the settings you establish for Internet Explorer. If, for example, you have disabled Adobe's Flash Player (or don't have it installed) then their history bar chart won't display. Right-click on the bar chart and you'll see it is a Flash AX object. If you have scripting disabled, this HTA won't run at all and instead you get a text page telling you to enable scripts. Their system requirements (http://secunia.com/vulnerability_scanning/personal/system_requirements/) make no mention regarding the need for Flash, IE, and scripting enabled in IE. I don't care for HTAs because they often fail to function properly if the user has chosen to lock down Internet Explorer with settings that affect HTAs.

It's an okay tool but it has its quirks. Be sure that any program it alerts on actually has a security risk, and that upgrading to remove the security risk can encumber a new security risk in the new code along with bugs, loss of features, or incompatibilities. Just because a program has a security risk doesn't mean it can be harvested on YOUR computer setup.

It's a good tool, it's not perfect. It has quirks, it occasionally
insists there's an update available for a program when there
isn't...that's why it's good to provide feedback to Secunia when a quirk
pops up. For example, I have WinZip 9.0 SR-1 installed, along with SR-1
of its commandline tool.....yet PSI insists I need to install SR-1 to
make it secure!

It informs you if there is a security risk in an app and if there is a
patch. It does not suggest upgrading to a newer available version if
there is a patch for the version installed. If an upgrade is required
to patch a security risk, it informs the user. That is as it should be.
Just because an upgrade *might* cause incompatibilities or changes in
features is not a reason not to report it. ANY upgrade of any app for
any reason may cause incompatibilities or changes in features. That's
part of installing software. If PSI did not suggest the upgrade when
needed for security, it would not be performing the job it was designed
for.

As for reporting End-of-Life apps, your take on that is dead wrong,
IMHO. An EOL app is no longer supported. As such, just because it may
not show a particular vulnerability reported does not mean one does not
exist. That's the nature of EOL programs...once support ends, so does
testing for vulnerabilities. So an EOL app that shows no *known* vulns
may still have major security holes. That's exactly why PSI should most
definitely be reporting them.

VanguardLH

glee said:
As for reporting End-of Life apps, your take on that is dead wrong,
IMHO. An EOL app is no longer supported. As such, just because it may
not show a particular vulnerability reported does not mean one does not
exist. That's the nature of EOL programs...once support ends, so does
testing for vulnerabilities. So an EOL app that shows no *known* vulns
may still have major security holes. That's exactly why PSI should most
definitely be reporting them.

So it reports on all EOL products as risky whether it knows there is a
security risk or not. How wonderful: an electronic equivalent to the
Magic 8 Ball toy.

glee

VanguardLH said:
So it reports on all EOL products as risky whether it knows there is a
security risk or not. How wonderful: an electronic equivalent to the
Magic 8 Ball toy.

It is exactly what it should be doing. An EOL app is always a
*potential* security risk because it is no longer being checked for
vulnerabilities...so it should be reported as being EOL. I don't know
why you would have a problem with that. It would be irresponsible for
PSI to ignore EOL apps.
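The disagreement above is really about how a patch-status scanner should label its findings: VanguardLH wants a known risk to link to its advisory and an entry with no known risk to say so plainly (not "-"), while glee wants end-of-life software reported because its risk is unknown rather than absent. The following is an added example that is not code from the thread or from Secunia; it keeps those cases as distinct finding types so the report can say why each entry is there. All product names, versions, and the advisory id "ADV-PLACEHOLDER-001" are constructed placeholders.

```python
# Added example (not from the thread or from Secunia): a minimal patch-status
# scanner that keeps the things the posters argue about as separate finding
# types, so a report can state *why* an entry is flagged:
#   known-vulnerability  -> an advisory exists; link to it, severity set
#   end-of-life          -> no maintainer; risk unknown rather than none
#   update-available     -> informational only, not a security alert
# All product names, versions and advisory ids are constructed placeholders.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProductInfo:
    name: str
    latest: str                     # newest version the vendor ships
    eol: bool = False               # vendor no longer maintains the product
    fixed_in: Optional[str] = None  # versions below this carry a known flaw
    advisory: Optional[str] = None  # reference the report should link to


# Constructed catalogue; "ADV-PLACEHOLDER-001" is not a real advisory id.
CATALOGUE = {
    "ExampleArchiver": ProductInfo("ExampleArchiver", latest="9.0.1",
                                   fixed_in="9.0.1",
                                   advisory="ADV-PLACEHOLDER-001"),
    "ExampleViewer": ProductInfo("ExampleViewer", latest="3.2", eol=True),
    "ExampleEditor": ProductInfo("ExampleEditor", latest="5.4"),
}


@dataclass(frozen=True)
class Finding:
    product: str
    installed: str
    category: str            # one of the category names returned by assess()
    severity: str            # "high", "unknown" or "none"
    reference: Optional[str] = None
    detail: str = ""


def parse_version(v: str) -> tuple:
    # Dotted numeric versions only; "9.0" < "9.0.1" by tuple comparison.
    return tuple(int(part) for part in v.split("."))


def assess(name: str, installed: str) -> Finding:
    info = CATALOGUE.get(name)
    if info is None:
        return Finding(name, installed, "unknown-product", "none",
                       detail="not in catalogue, cannot assess")
    have = parse_version(installed)
    # A documented flaw outranks everything else and must carry its reference.
    if info.fixed_in and have < parse_version(info.fixed_in):
        return Finding(name, installed, "known-vulnerability", "high",
                       reference=info.advisory,
                       detail=f"fixed in {info.fixed_in}")
    # No known flaw, but nobody is looking for them any more: the risk is
    # unknown, which is not the same as none, so it is reported as such.
    if info.eol:
        return Finding(name, installed, "end-of-life", "unknown",
                       detail="vendor no longer tests or patches this product")
    # Merely behind the newest release: worth knowing, not a security alert.
    if have < parse_version(info.latest):
        return Finding(name, installed, "update-available", "none",
                       detail=f"{info.latest} available; no advisory recorded")
    return Finding(name, installed, "ok", "none")


def is_security_alert(f: Finding) -> bool:
    return f.category in ("known-vulnerability", "end-of-life")


def scan(inventory: dict) -> dict:
    """Split a {name: installed_version} inventory into alerts and notes."""
    findings = [assess(name, ver) for name, ver in sorted(inventory.items())]
    return {
        "alerts": [f for f in findings if is_security_alert(f)],
        "informational": [f for f in findings if not is_security_alert(f)],
    }


def render(f: Finding) -> str:
    ref = f" see {f.reference}" if f.reference else ""
    return (f"{f.product} {f.installed}: {f.category} "
            f"(severity {f.severity}){ref} {f.detail}").rstrip()


if __name__ == "__main__":
    # Constructed inventory for the demonstration.
    result = scan({"ExampleArchiver": "9.0", "ExampleViewer": "3.2",
                   "ExampleEditor": "5.3"})
    for section, items in result.items():
        print(section.upper())
        for finding in items:
            print("  " + render(finding))
```

The ordering in assess() is the design point: a documented flaw is reported with its reference before anything else, end-of-life status is reported with severity "unknown" rather than a blank, and a version that is merely behind the newest release lands in the informational section so it is never mistaken for a security alert.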