Forum Thread: Suggested Improvement on PSI


This thread was submitted in the following forum:
PSI

This thread has been marked as resolved.
tristanguiheux Suggested Improvement on PSI
Member 14th Oct, 2013 22:19
Ranking: 0
Posts: 3
User Since: 14th Oct, 2013
System Score: N/A
Location: FR
My first post is a post about some improvements that can be made to Secunia PSI. I'm using it for personal purposes and I've seen a problem, because it can give a false sense of security.
The example is with PuTTY and PSI 3.0.0.4001.
- I've got an old version of PuTTY, 0.62.1.0, installed with GNS3.
- So PSI asked me to update the version to 0.63.0.0.
- If I just download the version and put it on the disk (for example in the "downloads" folder), PSI tells me I'm okay with the update.

But the fact that the program is present and up to date doesn't mean that the one I will use is up to date.
And if I have a look at the state of PuTTY compliance, the status is Up-To-Date. I have to look at the details to see that I have 2 occurrences of PuTTY, one OK and the other one not. But no real "red flag" mentions that one is not up to date.
To conclude: a brief look gives you the impression that you have no risk. And this is not true.

Tristan

--
Just want to help if possible
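
The reporting gap described in the post above, as an added example that is not part of the thread and is not Secunia's code: a per-program status should be the worst status of any copy found on disk. The two version numbers come from the post; the file paths, the `rollup` function and the `LATEST` table are assumptions made for illustration.

```python
# Added example: roll up per-file findings so one stale copy is never hidden.
from collections import defaultdict


def parse_version(text):
    """Turn '0.62.1.0' into (0, 62, 1, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def rollup(instances, latest):
    """Group (program, path, version) findings and report the worst case.

    instances: iterable of (program, path, version string)
    latest:    dict program -> newest known version string (assumed input)
    Returns dict program -> {"status", "outdated": [paths], "current": [paths]}
    """
    grouped = defaultdict(lambda: {"outdated": [], "current": []})
    for program, path, version in instances:
        if program not in latest:
            continue  # no reference version, nothing to compare against
        stale = parse_version(version) < parse_version(latest[program])
        grouped[program]["outdated" if stale else "current"].append(path)
    report = {}
    for program, found in grouped.items():
        # A program is up to date only when every copy on disk is.
        status = "OUTDATED" if found["outdated"] else "UP-TO-DATE"
        report[program] = {"status": status, **found}
    return report


# Constructed inventory mirroring the thread: the versions are from the post,
# the paths are made up.
SAMPLE = [
    ("PuTTY", r"C:\Program Files\GNS3\putty.exe", "0.62.1.0"),
    ("PuTTY", r"C:\Users\user\Downloads\putty.exe", "0.63.0.0"),
]
LATEST = {"PuTTY": "0.63.0.0"}

if __name__ == "__main__":
    for program, result in rollup(SAMPLE, LATEST).items():
        print(program, result["status"])
        for path in result["outdated"]:
            print("  outdated copy:", path)
```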

Post "RE: Suggested Improvement on PSI" has been selected as an answer.
This user no longer exists RE: Suggested Improvement on PSI
Secunia Official 15th Oct, 2013 12:01
Last edited on 15th Oct, 2013 12:03
Thank you for your feedback regarding the PSI. What you describe is generally not how the PSI is supposed to function. If you have both a vulnerable and a patched version of a program installed, then both versions should be detected.

There are exceptions however. If your PuTTY came bundled with another program, then it is considered a component of that main program. If it should be possible to exploit a vulnerability in your version of PuTTY that came bundled with another program, then it is the main program that will be detected as vulnerable, not PuTTY. The vendor of the main program will then need to release a patch with updated components that closes the vulnerability.
tristanguiheux RE: Suggested Improvement on PSI
Member 15th Oct, 2013 20:48
Score: 0
Posts: 3
User Since: 14th Oct 2013
System Score: N/A
Location: FR
Thank you for the answer. In fact, the product is not fully bundled. So I really have two occurrences of putty.exe. And there's no detection. But I understand the concept.
I will continue my investigations.

Tristan

--
Just want to help if possible
This user no longer exists RE: Suggested Improvement on PSI
Secunia Official 16th Oct, 2013 09:13
If an instance of PuTTY is not detected on your system then you are welcome to send us a software suggestion and point to this thread in the comments. That will enable us to investigate the issue.

Our FAQ describes the procedure.
http://secunia.com/vulnerability_scanning/personal...

This thread has been marked as locked.