System admins know the importance of keeping up with operating systems patches on their workstations and servers, and making sure their antivirus definitions are kept up to date. We plan for and test regularly Microsoft’s monthly releases, and ensure 100% compliance on all our systems. But unless we’re using a commercial patch management solution, there are probably a myriad of third party applications that are installed on our workstations that are unfortunately not getting patched. Many of these applications are some of my favorites and I consider some of them to be ‘official’ applications for use on the network, but they don’t have their own central patch management capability, and cannot be managed using WSUS.
Trying to manually update applications on more than a handful of systems is a Sisyphean task. Just as you get to the end of the process, more updates come out as new vulnerabilities are discovered, or bugs are squashed. Ignoring these applications is dangerous though, as many could become the source of a system compromise. Many do have their own automated method for checking for updates, but require the end user to acknowledge and install the update. These generally also require that the user have administrative rights to the operating system. Relying on end users to patch is neither practical, nor safe. Here are sixteen of the most popular applications that you might not be currently patching.
Browsers can be especially dangerous to leave unpatched, as they are what users view websites with, and with their extensions, can include even more code that might inadvertently execute malware from a compromised site.
1. Mozilla Firefox
Many users swear by Firefox, which also has a rich portfolio of extensions and plugins. Users can check for updates manually by clicking Help, Check for Updates.
2. Google Chrome
Increasing in popularity, Google Chrome also has a growing number of plugins. Chrome checks for updates at each launch.
Opera also checks for updates automatically, and will prompt the user to install them when a recommended update is available.
4. Apple Safari
Apple’s Safari uses the Apple Software Update service to check for updates, and can be configured to install them automatically.
Some may consider media players as not for business use, but between blended learning, content rich web based applications, and smart phone management, you will undoubtedly find most if not all of these on many workstations in your environment.
5. Apple iTunes
Apple’s iTunes application is required for the initial setup and ongoing management of iPhones and iPads. As these devices permeate the corporate environment, keeping these applications up to date will become more and more important. Like Safari, iTunes uses the Apple Update Service to check for updates, but the user must download and install the latest version.
6. Apple Quicktime
If you have iTunes, you have Quicktime, and just like iTunes, the Apple Update Service can check for updates, but the user must install them.
7. Adobe Flash Player
Flash is almost the de facto format for content-rich websites, and dynamic content on web based applications. Flash will check for updates automatically, but again, the user must download and install the update. Corporate users can register to download a network redistributable package, but must work out how to install that on their own.
8. Adobe Shockwave Player
Like Flash, Shockwave is frequently installed on laptops to access rich content on websites. It too has a redistributable package that can be deployed through a script.
9. Real Player
Many corporate training solutions use Real Player to deliver required courses to all users. RealPlayer has an auto update feature which requires that the user have admin rights.
Runtimes provide great functionality for application development, but come with the risk that malicious applications can be downloaded and executed.
10. Adobe Air
Adobe Air’s auto-update feature checks every two weeks to see if updates are available and then will prompt the user to install them. This requires that the user close any open Air apps, and that they have admin rights.
11. Java Runtime Environment
The Java Runtime will also check periodically for updates, and prompts the user to download and install them. As with the others in this list, it requires the user to have administrative rights.
12. Adobe Reader
Adobe’s PDF Reader software is frequently updated. Current versions do check for updates and prompt the user to install them.
13. BlackBerry Desktop Software
The management application for BlackBerries checks for updates when launched, and will prompt the user to download and install the latest version.
One of the two most common compression utilities, there is no setting in the program for automatically checking for updates.
The other of the two most common compression utilities, again, there is no setting in the program for automatically checking for updates.
The Pidgin Instant Messaging application includes a plug-in called Release Notification that, when enabled, will check for updates and notify the user that they should download and install the latest version.
Fortunately, most of these (and many more) can be updated by commercial patch management software such as GFI LANguard. Others may require a manual install method like a login script or batch file. If you have these applications deployed on your network, make sure you are updating them on your workstations and servers.