“Take older versions of Adobe’s software, which don’t have an update component,” Kandek says. “Users on these will just stay at whatever version they’re using, and never update.”
Alan Paller, director of research for the Bethesda, MD-based SANS Institute, a computer security training group, says Microsoft considered pitching its Windows Update service to third-party software vendors as an update conduit many years ago, but ultimately abandoned the idea because of legal liability concerns.
Secunia’s Kristensen says his company’s tool will avoid any liability issues by downloading patches in exactly the same way for each application as a regular user would. Still, he says, not all software vendors are likely to make it easy.
“The liability issues arise if we were to start modifying the patches or putting them in our own repository of updates,” Kristensen says. “One thing we can guarantee is that it won’t work for 100 percent of software. We’d love it to do that, but that would require 100 percent cooperation from a lot of vendors who don’t have a good history of this.”
According to Paller, Secunia’s chief challenge is appealing to users who don’t know enough about security to know they need to deploy third-party updates. “That’s why I think that a service like this–if it is going to have a decent impact–needs to be offered through the [Internet service providers],” he says. “My goal would be to say if you’re going to be an ISP, you need to provide a service like this.”
Secunia’s patch tool likely will need some serious testing before it can be deployed on such a broad scale. Secunia has already adapted the corporate version of PSI to deploy third-party updates, but doing the same for consumer computers would be a far greater challenge, particularly in making the software work on all of the various foreign language implementations of these third-party products.
“The goal is to make this scalable and legal, and to do that we will need to–at least at first–prioritize the products we patch based on those that are most widely installed, because there is no way we will be able to do 13,000 applications at once,” Kristensen says.
Secunia is aiming to have a preview version available in April for expert PC users, and a beta version for more public consumption a few months after that.