Listen to Ed's tip Download Ed's to your PC or favorite MP3 player. Good for you, but what about all of those third-party applications running on your Windows machines?

I'm talking about tools like Acrobat Reader, QuickTime, iTunes, Flash Player, Real Player, Java Runtime Environment, Firefox and the rest of the software zoo likely installed on every single desktop and laptop in your company. The sad truth is that most organizations don't bother patching these apps at all, and the many unpatched flaws they contain often leave systems wide open to attack.

When performing penetration tests, our consulting team always tries to incorporate client-side exploitation. During the process, we have customers use one of their own stock laptops to access our lab sites.

From there, we serve up exploits for common Microsoft client software, including IE, Word and PowerPoint, as well as third-party applications. Likewise, we then check the patch status of the various programs on the laptop, as well as run Microsoft's free Baseline Security Analyzer (MBSA), which checks patches on Microsoft's own software. Even for those clients who claim to patch their Windows machines diligently every month, we usually find that between one and five critical Microsoft patches are not installed.

While the Microsoft-related issues are serious enough, we always find vulnerable, outdated versions of third-party programs, through which we can almost always gain access. Acrobat Reader is the most commonly unpatched application. Regardless of the applications in question, users can't be counted on to manually activate update functionalities; they will invariably skip critical updates.

Furthermore, some third-party apps only offer patch notifications when the program is actually activated. If a user doesn't run the program for months, it'll be months behind. And, many programs never check their own patch versions, running blissfully out-of-date forever.

In the past three years, the majority of released exploits have focused on compromising client-side applications. Attackers regularly use these exploits to spread bots, install spyware and steal enterprise secrets. If your security organization says that patching all client-side programs is simply too difficult, it has ceded significant territory in the internal network to the bad guys. How to begin patching third-party applications First, double-check the efficacy of your for Microsoft software, especially Windows and Office. MBSA does a good job checking locally for such patches, so grab one of your organization's sample, standard-build laptops and verify that all critical patches are installed.

Log into Facebook to start sharing and connecting with your friends, family, and people you know.

To get a comprehensive review of which Microsoft software is installed and how well it is patched, run MBSA locally on the sample laptop. In a Microsoft Knowledge Base article, the software giant sorts out those. The list includes some versions of Outlook, PowerPoint, Project, and Visio, all of which are important enterprise applications.

If MBSA shows that Microsoft software patches are missing, troubleshoot the reasons why patches haven't made it to the laptop and check other systems as well. Next, review the status of third-party products on the box. Shavlik Technologies provides a great. Check the version number of each of these by hand, or use a third-party management tool such as the.

Introduction To Genetic Principles Pdf Creator. For more patch management information: See how attackers used. Michael Cobb explains whether every should be addressed. Vulnerability researchers recently suggested that. Three patch management strategies Once you have determined the patch status of your sample laptop's applications, there are then three options for addressing a vulnerability.

One is to try to rely on existing Microsoft infrastructure to deploy patches for both Microsoft and third-party apps., but such an approach is limited because it can only push patches that are bundled up in.MSI,.MST and.MSP format. A second method is to try to write your own script. You could push.EXE patches to machines across a domain, running them automatically as a start-up/logon script or using the Microsoft Sysinternals PsExec command to run a program remotely. The downside of this approach, however, is that it is labor-intensive and requires tweaking to make sure everything gets installed correctly. A third approach is more expensive, but it is far simpler than the two methods above: Use a commercial product that allows for deploying third-party patches, and as a bonus, possibly Microsoft's own patches. Microsoft's Systems Management Server (SMS) 2003 can patch both Microsoft and non-Microsoft products. Using the built-in SMS Inventory Tool for Custom Updates (ITCU), it's possible to determine the patch level for various applications on managed systems.

Then, with the SMS Custom Updates Publishing Tool (CUPT), you can create packages to push via SMS. If your organization already relies on SMS, start using ITCU and CUPT to handle third-party applications. Besides SMS, a variety of other patching products are available. Shavlik's NetChk Protect, for example, can not only check which patches are installed, but can also manage and apply patches for a variety of applications. The inventory of patches that the Shavlik product can handle is constantly updated as well. Other patching tools that I've used in the enterprise effectively include those from BigFix, PatchLink and Symantec's Veritas Patch Manager. Regardless of your chosen product, make sure that you embark on a program that thoroughly patches your client machines from all sides.

Remember, attackers don't discriminate; they will use whatever application flaws they can find to victimize your organization. About the author: Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code.

He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to.

The old design and functions were great. Now it is really confusing. It takes longer to add a bill. Before I added a new member with typing the name it showed all possible people for my phone book. Now I need to search the phone book by accessing it separately. At the End sending it as email it took the email for every member from the phone book. Now I habe to type all the addresses again!

Before I could add photos of the receipt. And now it's an add-on! Alle the receipts I had are gone! I Have to search them in the receipts folder on my SD card. I don't want to search all pictures to find the right one! I'm really disappointed and started looking for another app.

Loved the old version, the new one is quite annoying though. Too many additional clicks necessary, which makes it a bad user experience.

It takes way longer to insert a new bill and its harder to add a tip. In the old version you could just insert what each person had to pay and then add a tip - the weights then were kept and all was fine.

Now I dont see a way to do that. Also, for me there is no need to have all groups easily available. It just increases the risk of adding bills to the wrong group. Adds are annoying but I geht it, the developers need to make a living. The new design is good looking though.

GOOD ALTERNATIVE APP DUE TO NEW LAYOUT: Splitwise. Unfortunately the new design is not more intuitive and easy at all. 1) The step-by-step input takes MUCH longer than the earlier interface with everything in one activity.

2) Several features gone that worked before. 3) Autocompletion for payment subjects doesn't work. 4) Negative payments not possible any more. 5) No Multi Currencies any more 6) Less responsive: If you try to add a payment right after starting, it may even happen on quick devices that settle up hasnt recognized the payers yet. Sad to see such a good app being destroyed.

One of the main strenghts of the app was the lightweightness and at the same time great functionability. Dear Developers: I read trough the current reviews of your app. From my Dev experience I know one thing for sure: If you have to explain to lots of users why an UI is better, it isn't. You write in your answer on my comment that the new interface is easier for new users why at the same time might be harder for existing ones. This suggests the new interface should have been a new 'beginners mode' that disappears after a while, and not scare away existing users, who will probably look for an alternative now.