Soooo Secunia entered the vulnerability assessment market last week with a free tool they call the 'Software Inspector' . . . the concept is you download this Java applet and run it on your machine and it will report what software is vulnerable and needs to be updated according to the large vulnerability database Secunia maintains. Sort of like a vendor-neutral version of MBSA if you will. I dunno - I haven't actually used it - Vista complains about my lack of JVM'dness whenever I visit their site and I'm not all that interested in installing the Java runtime so I'll take their word for it. :)
I have to admit though - I like the idea . . . And apparently so do other people . . . http://secunia.com/blog/4/
I find some of their statistics very intriguing . . . namely that only 4% of IE 6.x users were below acceptable patch levels (I dunno why - but I was pleasantly surprised to read that) - while 35% of Firefox 1.x users were below acceptable patch levels (I wasn't surprised with this one <G>).
The scariest statistic though (for me) has to be this one: "For Adobe Flash 9.x users, over 53% were running insecure versions; a testament to both the popularity of Flash-based web content, and the lack of awareness on Flash vulnerabilities."
This is truly scary stuff . . . if you've read my previous blog posts you'll know that one of my fundamental beliefs is that the attackers exploit the software that is the most widely deployed - they don't care who writes it. Apache / PHP are the most hacked / defaced / malware-infested web servers on the planet - because they run 85% of all web sites . . . IE has traditionally been the most targeted browser - again because it is the browser used by 85% of all web users. The hackers go where the biggest ROI is. As attackers start working their way up the stack (we've already seen IE-specific exploits falling out of favor - with attackers going after frequently / commonly used ActiveX controls) they're eventually going to figure out that next to IE - there is lots of other widely deployed software that is ripe for the picking. Speaking of ActiveX controls - how about those ActiveX controls from Adobe, Apple and other vendors? At the time of this writing - Flash is up to 9.something . . . how many people do you think are still using crusty old Flash 6, 7 or 8 versions?
Think about it . . . but apparently at least 53% of the population is . . . and that to me - is scary.
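For the inventory-versus-baseline idea behind a tool like Software Inspector, and the "below acceptable patch level" percentages quoted above, here is an added example (my own toy code, not Secunia's) of the core comparison: every product/version pair from a scan is checked against a placeholder minimum-patched-build table keyed by product and major branch, and a branch with no patched release at all (old Flash 6/7/8) is counted as insecure. The baseline values, hostnames and versions are constructed, not real data.

```python
"""Added example (not Secunia's code): the inventory-vs-baseline check a tool like
Software Inspector performs, giving 'below patch level' percentages per branch."""
from collections import defaultdict

# Constructed placeholder baseline: lowest patched build per (product, major branch).
# A branch absent here has no patched release at all (e.g. unsupported Flash 6/7/8).
BASELINE = {
    ("IE", 6): (6, 0, 2900, 2180),
    ("Firefox", 1): (1, 5, 0, 8),
    ("Flash", 9): (9, 0, 28, 0),
}

def parse_version(text):
    """'9.0.28.0' -> (9, 0, 28, 0); non-numeric characters are ignored."""
    digits = ["".join(c for c in p if c.isdigit()) for p in text.split(".")]
    return tuple(int(d) for d in digits if d)

def is_insecure(product, version_text, baseline=BASELINE):
    """True if the build is below its branch minimum or the branch has no patched release."""
    version = parse_version(version_text)
    if not version:
        return True                      # unparseable: treat as insecure
    minimum = baseline.get((product, version[0]))
    if minimum is None:
        return True                      # end-of-life branch: nothing secure to run
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))   # so '9.0.28' == '9.0.28.0'
    return pad(version) < pad(minimum)

def summarize(inventory, baseline=BASELINE):
    """inventory: iterable of (host, product, version) ->
    {branch: (insecure_count, total, percent_insecure)}."""
    insecure, total = defaultdict(int), defaultdict(int)
    for _host, product, version_text in inventory:
        version = parse_version(version_text)
        branch = f"{product} {version[0] if version else '?'}.x"
        total[branch] += 1
        insecure[branch] += int(is_insecure(product, version_text, baseline))
    return {b: (insecure[b], total[b], round(100 * insecure[b] / total[b]))
            for b in total}

INVENTORY = [                            # constructed sample scan output, not real data
    ("ws01", "IE", "6.0.2900.2180"), ("ws02", "IE", "6.0.2800.1106"),
    ("ws03", "Firefox", "1.5.0.8"),  ("ws04", "Firefox", "1.0.7"),
    ("ws05", "Flash", "9.0.28.0"),   ("ws06", "Flash", "9.0.16"),
    ("ws07", "Flash", "9.0.31.0"),   ("ws08", "Flash", "7.0.19.0"),
]

if __name__ == "__main__":
    for branch, (bad, n, pct) in sorted(summarize(INVENTORY).items()):
        print(f"{branch:12} {bad}/{n} insecure ({pct}%)")
```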