June 29, 2012

Vulnerability management firm Secunia has shipped a new version of its auto-patching tool, Personal Software Inspector 3.0, a program for Windows users that can drastically simplify the process of keeping up-to-date with security patches for third-party software applications.

The final release of PSI 3.0 supports programs from more than 3,000 software vendors, and includes some key changes that address shortcomings identified in the beta version that I highlighted back in February.

The 3.0 version of PSI still keeps auto-patching on by default at installation, although users can uncheck this box and choose to manually install all available updates for third-party programs. Unlike the beta version — which was radically devoid of tweakable options and settings — the version released this week provides a more configurable interface that should be more appealing to longtime users of this tool.

Users also can review the history of installed updates, and select which hard drives should be scanned, options absent from the beta release. PSI 3.0 also lets users create rules that tell the software to ignore updates for particular programs.

Overall, the new PSI strikes a fair balance between configurability and ease-of-use, and is a notable improvement over the beta version. However, I had trouble with the program after installing it on my test machine — a Windows 7 64-bit machine with 8 GB of memory. The program seemed to get stuck on scanning for updates, and for an excruciating eight minutes or so the software sucked up most of my machine’s available memory and processing power. The only way I could get my system back to normal was to reboot the system.

I thought I’d give it a second try, but I could not replicate the problem after removing and reinstalling PSI 3.0. Neither could Secunia, apparently, even after I shared with them the program’s event logs.

“From the log file it seems that the application stopped for about 8 minutes and then continued scanning, but we have not been able to reproduce this behaviour at our end,” wrote Morten R. Stengaard, director of product management and quality assurance at Secunia.  “And despite +100,000 users trying the product during the beta, we have not had this type of issue reported before, so we are struggling a bit here. But perhaps we will see more users with the same issue now that we have launched the final product, and have more users signing up.”

Secunia also released some updated stats on the most commonly outdated pieces of software for Windows, based on a random sample of PSI scans from May 2012. According to Secunia, the top three most exposed programs by risk exposure (calculated by percent of market share x the average percentage of unpatched users) are:

Java JRE 1.6/6.x (31% unpatched) (83% market share) (51 CVE)
Apple QuickTime 7.x (35% unpatched) (60% market share) (46 CVE)
Adobe Shockwave Player 11.x (67% unpatched) (31% market share) (50 CVE)

The latest version is available here. I’d be interested in hearing from other readers who have installed this updated version of PSI. How did it go? What were your overall impressions? Please sound off in the comments.


54 thoughts on “Secunia’s Auto-patching Tool Gets Makeover”

  1. JCitizen

    Downloaded Secunia PSI v. 3 and installed no problems so far, on Vista Ultimate x64. It uninstalled the old one with little prompting. The new GUI looks like it is geared for my clients who don’t understand all that geek stuff version 2 had anyway. I got to admit, I liked that geek stuff – but I want to see if this “auto-updating” really works or not.

    It will be a boon to clueless users, if it works across all versions of Windows. So far it seems to run faster, opens quicker, and seems more stable than the older version.

  2. Alister Wm Macintyre

    In summary, I am very pleased with what I have seen so far. I have some suggestions for future upgrade consideration.

    I have Windows XP pro, on two PCs in my home, personal, and supplied by my employer.

    I finished my day job end-fiscal June weekend updates, via VPN, before doing any updates this weekend.

    I studied info about 3.0 from Secunia and Krebs before upgrading July-1 afternoon, on home PC first, and also jotted down some concerns as I went thru the process. I was happy to see that it remembered my 2.0 settings, and the History showed problems which I had not previously been able to access.

    I hope history in future will help with the annoyance of me leaving PC powered up while I sleep, set to do anti-virus updates, scan, Microsoft, and other stuff update in wee hours, then next morning I find that SOMETHING has rebooted my PC, and it is darn near impossible to figure out what got changed, caused reboot.

    I selected MANUAL install of updates, because I like to make a Sys Config Backup before any patching. This is because occasionally a patch screws things up, and I want to go back to a previous version. Very few vendors provide such safety in the automated patch process. If PSI does so, it is not yet clear to me.

    It told me that one of the 41 applications, which it knows about, was in need of manual upgrade, made it very easy for me to do so. I know I can add more applications, but have chosen not to do so for my IBM Access to AS/400 because I know I have a version of that which is over 10 years old. My employer cannot upgrade to latest IBM because of extortion practices of vendor software we run on the IBM platform.

    For security reasons, I do not use Pay Pal, or credit card over Internet.
    Hopefully there will be a link to an address to which we can send $ via check or money order to show our appreciation for this fine work.

    There is an option to share with friends via Facebook + Twitter.
    I suggest adding RSS Reader, e-mail, G+, Linked-In

    Traditionally, PSI tells me about software on my PC, not add-ons to my browser, for which I use Qualys Browser Check.

    I went to Secunia first, to try to comment. I had a hell of a time logging in, but after having it send the “forgot password” it let me reassert my original password, and I got on Ok. Then it offered me screen to subscribe to whatever, input refused because my identity already belongs to me.

    My post there says July-2, which I guess may be Europe Time, but my time is still July-1.

  3. Robert Goth

    I installed version 2 again and it is working okay. Not sure if I want to try 3 at this time.

  4. john

    This is a spyware/adware soft
    from their EULA:
    “You agree to ensure that your registration details are true and accurate at all times. Specifically, you must notify us of any change to the registration details as originally supplied. ”
    “By registering you provide acceptance that Secunia may use data on applications installed on your system and may provide you with additional information, like product offers etc.”

    1. john

      I mean, what they do: they scan your PC and send gathered data about all the installed apps, browser history and whatnot (they don’t state what exactly they gather) to their server. Then they send back to your PC a list of upgrades.
      They have your registration details so they can uniquely associate gathered data with particular citizen – with you. What they do later with this data no one knows. Usually such data is sold to marketing agencies, and could be used by government agencies against you.
      Yet another surveillance/spyware/adware app.

      1. Uzzi

        This is not the Wild West, it’s Europe: Due to European regulations Secunia has to ask you to notify them of any change to the registration details because they could be sued for spamming if you delete email address or give it to someone else without notice.
        Furthermore they have to ask your acceptance for THEIR OWN product offers. That’s different from third party offers in Europe they didn’t ask your acceptance for. As they didn’t ask you to agree to any third party use they’re not allowed to do so by law. (And their community is so big you can bet they don’t gamble with their good reputation.)

        1. JCitizen

          I find the whole thing about spam curious – I have never had spam from Secunia; I might hear from them maybe once a year. People seem to get so anal about the subject, but they are getting a “free” service. Seems like a lot of whining to me.

  5. Heiki

    I tried v3 Beta but was not tooooo happy with it. In the current version one can at least see what has been updated and add programs.
    On all private PC’s I support I have installed Heimdal agent https://www.heimdalagent.com/en/home – it also does the trick.

    The v3 beta version would sometimes hang while updating, it does seem that this is fixed along with the UAC popping up.

    Updating from the beta version was easy, the update process uninstalled the beta, installed itself and asked if it should run a scan. Nice. Running Win7 x64

  6. George G.

    Did not realize 3.0 was available.
    Thanks.

    Installed it. Set it for auto update (had the same for V 2).
    I figure that the early protection supplied by auto update outweighs any disadvantage.

    When installation was finished I said yes to whether I wanted to launch it. It was “loading” for quite a while, then I got “not responding”. Could X-click out of it.

    Started it again from the system tray.
    It came up and loaded, took a while for “determining files to scan”. (Machine is W Vista x32 laptop, with about 79G of the hard disk with data on it).
    Scan finished.
    Tells me that one program needs to be updated manually.
    Scanning itself was faster.

  7. Bill

    I prefer to use a program’s own auto updating feature, which ensures I am asked before the program is updated. There are sometimes reasons to stick with an existing version rather than to update.

    For example, I told PSI to exclude T-bird and F-fox, because I don’t want to update until after certain add-ons are also ready with updates. Other programs were equally easy to exclude.

    Microsoft Win 7 had all the options greyed out. But IE was also available. It took me to the MS update page, so I could omit unwanted MS downloads/updates (such as Bing). Worked flawlessly, and I was even offered the chance to restart now or later.

    Afterwards, all 71 programs on a near new and very clean Thinkpad w/Win 7 Pro were pronounced up to date. Rather remarkable, I think.

    Overall, I found PSI 3.0 to be a useful and easy to use program. It’s espec. valuable on this laptop that I use only for travel, and obviously offered a quick update of all programs when I fired up the machine after two months of non-use.

  8. George G.

    Now, 4 hours after my first post, V3 still says for the only one for which update is needed :
    “Preparing to update”.
    Of course, previously it said one program needed to be updated manually.

  9. chicken in the kitchen

    @john | July 2, 2012 at 3:01 am

    “This is a spyware/adware soft
    from their EULA:
    “You agree to ensure that your registration details are true and accurate at all times. Specifically, you must notify us of any change to the registration details as originally supplied. ”
    “By registering you provide acceptance that Secunia may use data on applications installed on your system and may provide you with additional information, like product offers etc.””

    How amusing. Can you expect anything less than back doors and/or data collection/mining from proprietary software? It’s hilariously bad but people will thumb you down when you point out the faults in proprietary software.

    My philosophy is this: Closed source (proprietary) software, even if offered as free, is a potential trojan horse on a person’s system which, even if the EULA never states it, could be rootkitting, botting, or anything else and you can’t do a damn thing about it because YOU CANNOT SEE THE SOURCE CODE!

    I believe anyone with half a brain would use *nix and update programs with one simple program with signed repositories.

    Those with a smaller brain will continue to use a proprietary OS, and use proprietary software to lead them into the false belief their computer is clean/secure.

  10. Matthew

    Tried 3.0 and system (XP) hung. Tried various fixes such as disabling anti-virus, online armor, all start-up apps., etc. Also tried not having 3.0 start with OS – no luck. Will try on Windows 7 laptop . . . maybe . . . may just wait until 3.1! Until then it’s back to BETA 2.0 for me.

  11. chesscanoe

    A modification to my prior comment re PSI3: I tried it on my laptop Win7x64 Home previously running PSI2 for 6 months. The design philosophy of PSI3 scares me, even if it worked as advertised. Contrary to the video, after install I could not change most options. If PSI3 can’t work correctly I sure don’t want it to mess with program updates they didn’t write. PSI2 with manual install kept me 100% updated, but I don’t trust PSI3 – it thinks it’s too smart for its own good. When a program update has a problem, I want to know when and how it was installed. The EULA concerns me too; I won’t even go back to the unmaintained PSI2.

  12. Dalhia

    Installed PSI v 3.0 w/ no problem. Ran w/ no problem.
    On Dell Dimension 4550 w/ Windows XP.

  13. Andreas Havsberg

    I think the whole concept of PSI3 is great, both for me as an experienced computer user and friends and family who are not so experienced. Many malware infections could have been avoided in the past if software was patched on computers which are used by casual users not interested in updating software all the time. Consequently, I’ve needed to help “fix the problem”. Therefore, a relatively silent, easy-to-understand PSI3 is great for me too.

    Self-updating software is good, but far too few programs actually do this.

    I installed PSI3 on a clean 64-bit Windows 7 machine with 4GB ram without any hassles at all.

  14. John B

    Install worked smoothly for my 32 bit Win PC. However, I was very disappointed to find that the detailed information available in Secunia 2.0’s user interface was removed from the new version. While the simplified user interface is terrific for non-technical users that I support, I personally prefer the more detailed information that more fully explained what Secunia was trying to do. The data is still there so I hope that they reinstate a detailed view as an option in a future release. Without that option, this version seems to be a step backward.

  15. james

    On the strength of your blog posting I have tried Secunia PSI 3.0 under Windows XP. I am a longtime user of 2.0 and 1.0 before that.

    I hate 3.0. It is heavy, ugly, has stupid “social” share options which I loathe, and really offers no more control than 2.0 (whose auto updating on/off you can control at install time).
    Worst, the program list is a massive list of HUGE UGLY graphic icons which are hard to read on a 14″ monitor and will be impossible on netbooks.
    This 3.0 looks like a serious mistake and I am going to advise my clients not to upgrade from 2.0 until they are forced to.
    Secunia PSI 3.0 has no positives, and many negatives.

  16. GrifiN

    Upgraded to PSI3 on one of my Win7 x64, without Auto-Update, just like I had on PSI2, didn’t seem to scan and detect properly, I reverted back to PSI2 after a few days.
