In the past, I’ve recommended Secunia PSI as a way to keep your systems up to date. I know from my own experience that it helps, but I also know it doesn’t work 100 percent of the time.
When it comes to security, nothing is more critical than making sure your updates are applying correctly. That’s where my employer comes in, with Qualys Browser Check.
Yes, let me get the disclaimer out of the way: I work for Qualys. I spent more than half my career dealing with patches, and Qualys’ tools are more thorough than any others I found. So I’m happy to be working for them, but I wrote this blog post on my own time and received no compensation for writing it.
When I worked day to day as a threat and vulnerability analyst, I preached about browser and plugin updates with a fervor that would make a televangelist jealous. I won't apologize for it, because that's where your attacks are going to come from. But in my (presumably) final role as a security analyst, I watched five (count 'em, five!) ransomware attacks bounce right off because their browsers and plugins were up to date enough.
Browser Check can work two ways: you can scan your current browser and its plugins without installing anything at all, just by clicking a link. A more thorough check requires you to install a plugin and a host application, then restart your browser; after that, you simply use the extension to scan your machine for missing updates. The technology is similar to what Qualys sells to large companies.
When you launch the plugin, you can choose between a basic scan (your current browser, not much different from what you get with the link alone), an intermediate scan (all browsers), or a thorough scan that also adds the operating system. I recommend the thorough scan most of the time. Don't get too upset if it finds missing updates; automatic updates are designed to be reliable enough, not 100% reliable. If it finds anything missing, it provides links so you can download and install it.
It doesn't install the updates automatically the way Secunia PSI does, which is why I still recommend keeping Secunia PSI around. But if Secunia PSI or Windows Update misses anything, Qualys Browser Check will find it for you, and that's a good thing.
You can use Qualys Browser Check at work as well. The commercial version is also free, but adds some centralized management. If you're not doing any vulnerability scanning right now, Browser Check is a free way to start doing some of it and to get an idea of how many of your automated update deployments are failing. I guarantee some are.
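The underlying check is simple: compare what is actually installed against the version you consider patched, and flag every host where the automatic update did not land. The script below is an added illustration of that comparison and is not Qualys code or anything Browser Check ships. It assumes you can export a per-host software inventory (host, product, version) from whatever agent or login script you already have; the inventory, the product names and the baseline versions are all constructed for the example. The one thing worth noticing is the version parsing: comparing version strings as text puts "11.0.10" before "11.0.9", so the example splits them into integer tuples first.

```python
"""Flag hosts whose browser or plugin versions fall below a patched baseline.

Added example, not Qualys code. Inventory and baseline data are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample inventory: what an endpoint agent or login script reported.
INVENTORY: List[Dict[str, str]] = [
    {"host": "ws01", "product": "browser", "version": "45.0.2"},
    {"host": "ws01", "product": "pdf-plugin", "version": "11.0.10"},
    {"host": "ws02", "product": "browser", "version": "44.0"},
    {"host": "ws02", "product": "pdf-plugin", "version": "11.0.9"},
    {"host": "ws03", "product": "browser", "version": "45.0.2"},
    {"host": "ws03", "product": "java-plugin", "version": "1.8.0_77"},
    {"host": "ws03", "product": "media-player", "version": "3.1"},  # not in baseline
]

# Constructed baseline: the minimum version you consider patched, per product.
BASELINE: Dict[str, str] = {
    "browser": "45.0.2",
    "pdf-plugin": "11.0.10",
    "java-plugin": "1.8.0_91",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a version string into integer components.

    Separators ., -, _ and space are all accepted, so "1.8.0_77" -> (1, 8, 0, 77).
    A component with no leading digits (e.g. "beta") becomes 0.
    """
    parts = re.split(r"[.\-_ ]+", text.strip())
    nums = []
    for part in parts:
        match = re.match(r"\d+", part)
        nums.append(int(match.group()) if match else 0)
    return tuple(nums)


def is_outdated(installed: str, minimum: str) -> bool:
    """True if installed < minimum, comparing numerically component by component.

    Shorter tuples are right-padded with zeros so "44.0" compares as 44.0.0.
    """
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_failed_updates(inventory: List[Dict[str, str]],
                        baseline: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per (host, product) that is below the baseline.

    Products with no baseline entry are skipped rather than reported.
    """
    findings = []
    for entry in inventory:
        required = baseline.get(entry["product"])
        if required is None:
            continue
        if is_outdated(entry["version"], required):
            findings.append({
                "host": entry["host"],
                "product": entry["product"],
                "installed": entry["version"],
                "required": required,
            })
    return findings


def summarize(inventory: List[Dict[str, str]],
              findings: List[Dict[str, str]]) -> Tuple[int, int]:
    """Return (hosts with at least one failed update, total hosts seen)."""
    all_hosts = {e["host"] for e in inventory}
    bad_hosts = {f["host"] for f in findings}
    return len(bad_hosts), len(all_hosts)


if __name__ == "__main__":
    results = find_failed_updates(INVENTORY, BASELINE)
    for f in results:
        print(f"{f['host']}: {f['product']} {f['installed']} < required {f['required']}")
    bad, total = summarize(INVENTORY, results)
    print(f"{bad} of {total} hosts have at least one failed update")
```

Run against the constructed data it reports ws02 (browser and PDF plugin) and ws03 (Java plugin) as behind the baseline, which is two of three hosts. In practice you would feed it a real export and treat the per-host list as the queue for the helpdesk.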
And if you are doing vulnerability scanning, whether you're using Qualys VM or a competing product from a company like Tenable or Rapid7, I still recommend having Browser Check installed, because if something important fails to install, Browser Check gives the end user a way to see it and call the helpdesk for help before something bad happens. In my brief stints on the incident response side of security, I can tell you I never encountered a user who was aware that something bad was happening on their machine. And some will ignore a warning, regardless of where it comes from, but not all. You'll probably be surprised how many will call when they get the visual feedback.
If I’d known about Browser Check two years ago, my life would have been much easier. We concocted a scheme using a bunch of bubblegum and duct tape to keep users from being able to get online if their systems weren’t getting updates, but we needed collaboration from the network team to get it done and the network team didn’t want to do it. Browser Check would have accomplished essentially the same thing we were trying to do, with minimal effort and no cost.
Try it out at home, then if you like it, try it at work. I really want you to use it, even if you never buy any Qualys product.