
Tenable Blog


Exceeding CIS and NIST Benchmarks - Third Party Patch Auditing

For organizations that actively track and manage their base operating system patches and configurations, a somewhat lofty goal is to tighten down third-party patches as well. An organization can have every Microsoft patch installed and its systems hardened to NIST, CIS and vendor recommendations, and still carry major exposure from open source, freeware and third-party applications that nobody is tracking.

This blog entry discusses some of the pain points in managing these third-party applications and some ways to scan for them with Nessus and the Passive Vulnerability Scanner (PVS).

The Pain Of Non-Standard Patching

I recently went through a security audit and patch upgrade on a personal Microsoft laptop. It had no Microsoft flaws or security issues and was locked down fairly tightly. Even so, it still had major security issues in a variety of third-party applications. A credentialed Nessus scan found:

  • VMware Server was a few releases out of date
  • Several versions of the Java Runtime Environment were installed and enabled
  • My favorite FTP client (FileZilla) was a full major version out of date
  • QuickTime had not been updated in a long while
  • An ActiveX control in FLEXnet Connect was exploitable
  • Flash was vulnerable to the issues in Adobe advisory APSB07-12

The upgrade process was nothing like my typical smooth and silent Microsoft upgrades that happen during shutdowns and on Tuesdays. If you want to avoid the long list of things that were required to get the laptop secured, feel free to skip to the next section.

With VMware, I needed to reboot the laptop and then reconfigure the virtual NAT environment, after first wondering why I could no longer SSH into my Linux VMs.

With the Java vulnerabilities, even though live updates had been enabled, multiple older versions of the Java Runtime Environment remained installed and were vulnerable to a variety of exploits.

When upgrading from FileZilla 2 to FileZilla 3, the older version was not uninstalled. Even though I ran the upgrade process, it left the older version in place, and I had to manually check the 'About' dialog within the application to realize that the laptop treated these as two separate applications rather than an upgrade.

The QuickTime install was very old, even though live updates were supposedly enabled. A manual download from Apple fixed all of the vulnerabilities Nessus detected. I was very tempted to figure out why the updates were not occurring, but there were other issues to patch.

Nessus plugin 25371 had also detected an issue with a FLEXnet ActiveX control. This is a vulnerability in InstallShield. I didn't have time to figure out which application had actually installed the control, and the available patch from Macrovision seemed to focus more on developers than end users. In the end, I had to manually set a registry value as recommended by CERT.

And lastly, my biggest issue was patching the Adobe APSB07-12 Flash bug. Our Nessus plugin checks for both the Flash browser plugin and the ActiveX control. Simply downloading the patch within Firefox isn't enough: to get the latest ActiveX control, you need to actually visit Adobe's update site with Internet Explorer.

The point of this exercise is that I was just one user. In an enterprise with dozens or hundreds of users, if third-party applications are in use, it can become very difficult to keep configurations normalized, let alone keep laptops and desktops secure.

Active Scanning with Nessus

With more than 17,000 plugins in its vulnerability database, Nessus checks for a wide variety of non-Microsoft vulnerabilities on Microsoft platforms. These security issues include, but are not limited to:

  • Issues with popular email and web clients such as Opera, Mozilla and Thunderbird
  • Vulnerabilities in security-specific products such as anti-spyware, anti-virus and even Secure Shell clients
  • Backup and network management software from EMC and CA
  • Media players from Apple and Real Networks
  • A wide variety of Internet chat, video conferencing, FTP and other common applications such as Skype, Google Talk and FileZilla

If these applications have a "server" component (iTunes, for example, listens on certain ports even though it is a client application), Tenable's research team will attempt to write a Nessus plugin that can recognize the service over the network and determine its patch level.

However, the most reliable way to identify this type of software is with administrator credentials. In most modern Microsoft environments, an IT audit group can leverage the administrator account on Windows XP Pro and Windows 2003 systems to audit all installed software and configurations with Nessus.

Another byproduct of auditing systems with Nessus credentials is the ability to enumerate all software installed across the network. When managed by the Security Center, the list of enumerated and discovered software can be analyzed with a variety of tools and even used to categorize systems based on the type of software installed.

Continuous Network Monitoring with the PVS

Tenable's research group also focuses on the type of network traffic generated by these third-party applications. The Passive Vulnerability Scanner's rules are typically in lock-step with the client-side vulnerabilities a Nessus credentialed audit can discover.

In the third-party patching example above, the PVS detected most of the issues, with the exception of the FLEXnet licensing security hole.

The PVS has the advantages of not requiring credentials to audit a host and of running 24x7, but it does have the disadvantage that the software has to actually be used on the target platform before it can be observed. This is not a large disadvantage when looking for software in use in your organization: users who download these tools will likely use them at least once, which the PVS can see and record.

Some of our customers actually prefer to rely on what the PVS finds, because those are the clients that are actually in use on the network.
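The two detection paths above (a credentialed software enumeration and passive observation of the clients actually talking on the network) feed the same question: which third-party versions are present, and which are below the level you want. The following is an added example, not Tenable code and not the Nessus or PVS output format; it takes a constructed credentialed inventory and a constructed list of HTTP User-Agent strings, normalizes both into (product, version, source) observations, and reports side-by-side installs (the Java and FileZilla situations from the laptop story) and versions below a hypothetical minimum-version baseline. The baseline values, product names and the inventory lines are assumptions built for the example; only the `Java/x.y.z_nn` User-Agent form is the one the Sun JRE actually sends.

```python
"""Reconcile credentialed and passive software observations against a baseline.

Added example: not Tenable code, and not the Nessus/PVS output format.
"""
import re
from collections import defaultdict

# Constructed credentialed inventory, one record per line: product|version.
# It mirrors the laptop in the post: two JREs side by side, FileZilla 2 and 3
# both present, old QuickTime and VMware Server. Versions are assumptions.
INVENTORY = """\
Java(TM) 6 Update 3|1.6.0_03
Java(TM) SE Runtime Environment 6 Update 7|1.6.0_07
FileZilla Client 2.2.32|2.2.32
FileZilla Client 3.0.2.1|3.0.2.1
QuickTime|7.1.3
VMware Server|1.0.3
"""

# Constructed passive observations: HTTP User-Agent strings as a passive
# sensor would see them on the wire. The Java/<version> form is what the
# Sun JRE's HttpURLConnection sends; the Firefox line is illustrative.
PASSIVE_UA = [
    "Java/1.6.0_03",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20070914 Firefox/2.0.0.7",
    "Java/1.6.0_07",
]

# Hypothetical minimum acceptable versions (assumption, not vendor data).
BASELINE = {
    "java": (1, 6, 0, 7),
    "filezilla": (3, 0, 2, 1),
    "quicktime": (7, 3, 0),
    "vmware server": (1, 0, 4),
    "firefox": (2, 0, 0, 8),
}

UA_PATTERN = re.compile(r"(Java|Firefox)/([\d._]+)")


def parse_version(text):
    """Turn '1.6.0_07', '3.0.2.1' or '7.1.3' into a comparable tuple of ints."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def version_str(version):
    return ".".join(str(part) for part in version)


def normalize_product(display_name):
    """Map a display name onto a baseline key, or None if we do not track it."""
    lowered = display_name.lower()
    for key in BASELINE:
        if key in lowered:
            return key
    return None


def parse_inventory(text):
    """Credentialed records -> (product, version tuple, 'credentialed')."""
    observations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        product, version = line.split("|", 1)
        key = normalize_product(product)
        if key is not None:
            observations.append((key, parse_version(version), "credentialed"))
    return observations


def parse_user_agents(user_agents):
    """Passive User-Agent strings -> (product, version tuple, 'passive')."""
    observations = []
    for ua in user_agents:
        for product, version in UA_PATTERN.findall(ua):
            observations.append((product.lower(), parse_version(version), "passive"))
    return observations


def assess(observations):
    """Flag products with several versions present and versions below baseline."""
    seen = defaultdict(dict)  # product -> {version tuple: set(sources)}
    for product, version, source in observations:
        seen[product].setdefault(version, set()).add(source)
    findings = []
    for product in sorted(seen):
        versions = seen[product]
        if len(versions) > 1:  # the "upgrade left the old copy behind" case
            findings.append({"kind": "multiple-versions", "product": product,
                             "versions": [version_str(v) for v in sorted(versions)]})
        for version in sorted(versions):
            if version < BASELINE[product]:
                findings.append({"kind": "out-of-date", "product": product,
                                 "version": version_str(version),
                                 "minimum": version_str(BASELINE[product]),
                                 "sources": sorted(versions[version])})
    return findings


if __name__ == "__main__":
    for finding in assess(parse_inventory(INVENTORY) + parse_user_agents(PASSIVE_UA)):
        print(finding)
```

The `sources` list on each out-of-date finding is the useful part in practice: a version seen only by the credentialed path is installed but possibly dormant, one seen only passively is in use on a host the scanner may not have credentials for, and one seen by both is the first thing to patch.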

Putting it All Together

The main advantage of exceeding a compliance standard is that your network configurations have much more leeway before becoming "non-compliant". A more practical benefit of focusing on third-party security issues is that your network will also be more secure and uniform.

We've blogged before about how Nessus and the PVS can be used to audit your patches (as well as your patching process). If this article was interesting to you, the following Tenable blog entries will also likely be of use:

Related Articles
