Large companies have IT personnel responsible for tracking the software users have on their computers. For the small business, the task generally falls to end-users and one IT person already burdened with a long to-do list. If the user doesn't keep up with updates and IT doesn't notice, that is a security risk. Considering the number of Web-based threats out there, the free BrowserCheck scanner from Qualys is a quick way to ensure Web browsers and installed plug-ins are up-to-date.
Cyber-criminals have a choice between buying, or creating, attacks targeting either zero-day vulnerabilities or older security flaws. The latter type is much cheaper and readily available. Recent research has shown a significant number of computers run outdated software. Targeting older software can be pretty lucrative.
Qualys offers BrowserCheck (three stars) for personal use and BrowserCheck Business Edition, both for free. The personal version scans the end user's computer and generates a security profile right away. BrowserCheck Business Edition collects the scan results from each computer and displays them in a dashboard. At one glance, the administrator can tell what browsers and plug-ins have been installed. For Windows machines, administrators can also check the status of antivirus and firewall protection, as well as the latest security updates via Windows Update. Thanks to automated scanning, BrowserCheck Business Edition allows administrators to schedule future scans to monitor any changes to the computer's software security profile.
I signed up for a BrowserCheck Business Edition on the Qualys site with a non-webmail account, as Qualys does not accept addresses from Web providers such as Gmail, Yahoo and Hotmail. Businesses that don't have their own domain name and rely on these email services are blocked from using the scanner, unless they have some other email address to use instead.
The dashboard's tables and graphs offer a bird's-eye view of how many insecure browsers and plug-ins are in the organization. I viewed detailed scanning results for each system and historic reports, as well as platform statistics, such as the most frequently installed plug-ins and browsers.
BrowserCheck supports server and desktop Windows versions all the way from Windows 2000 to Windows 8, Mac OS X, and Linux. I ran a basic scan using the stock Web browser for Android but not for Firefox, and I didn't test on iOS. Qualys can also analyze alternative Web browsers, such as Maxthon, Seamonkey, and Rockmelt.
The administrator controls all the BrowserCheck settings, such as scanning all the browsers installed on the computer at the same time, checking if the antivirus, firewall, and Windows Update are turned on (Windows only), looking for missing Microsoft Security Updates (also Windows only), and setting up an automated scheduler.
The administrator can send the customized Quick Scan URL listed under account settings to users. When someone clicks on this link, BrowserCheck scans the computer and saves the results back to the dashboard. The no-install scanner can check the plug-ins and version number for that browser only. This is a nice and simple way for the administrator to see all the results of all the machines in one place. Even so, the BrowserCheck plug-in is the better option.
Administrators can email the link to the plug-in and ask users to install it manually, or push out the MSI agent onto the computers via a software distribution tool or a script. If the organization didn't already have a software distribution tool that can push out files to user computers, administrators would have to rely on users, or take the time to make the rounds and install the plug-in themselves.
BrowserCheck can also run silently, in which case the user doesn't get to see the results of the scan because they are sent directly to the dashboard.
All the end-user has to worry about is clicking on the Quick Scan link from IT to run the no-install scanner or downloading and installing the plug-in. The administrator determines what to scan and how often, making the process really simple for the user.
The plug-in-based scanner collects machine information, such as the operating system and the machine name, and associates the scan results with the machine name in the dashboard. The no-install scanner results are saved without any machine-identifying information. It's more helpful to tell the administrator which computer has the outdated Java plug-in, rather than just saying one computer needed to be updated.
If "silent mode" wasn't on, the user would see the results, a list of all installed plug-ins and their statuses. BrowserCheck has 13 different types of statuses, such as Obsolete and Retired. Outdated ones appear first, with red "Insecure Version" and blue "Fix It" buttons, followed by yellow "Update Available" buttons to indicate the updates were non-security related. Up-to-date plug-ins have green buttons, and all the ones BrowserCheck doesn't recognize have gray "Unknown" buttons.
Clicking on "Fix It" or "Update Available" buttons downloads the latest versions, but there's no way to automate getting the latest updates.
The scan results page looks very similar to Mozilla's own plugin check. With BrowserCheck, though, I could view the status of the plugins for each browser, along with system-specific data for Windows machines. I was concerned that nearly half of the plug-ins were flagged as "unknown" by BrowserCheck. While great for Windows OS and for common plug-ins, there is quite a lot the scanner doesn't recognize.
BrowserCheck for Security
For small businesses falling behind on patch management and regular software updates, BrowserCheck Business Edition is a great first step. There is nothing worse in security than not doing anything at all, so being able to see which computers have unsafe browsers or are missing security updates is a positive move.
If you just want a quick system that will tell you the state of your browsers and operating systems across your Windows network, BrowserCheck is sufficient. If you don't have a way to automatically deploy the MSI across all the computers, BrowserCheck will not be as effective, because you depend on the users to install the plug-in. BrowserCheck Business Edition is the easiest way to ensure browsers and plug-ins within your organization are up-to-date with the latest security patches. If you need a little bit more, such as automated patching, investing in a more robust platform such as Panorama9 may be the way to go.