How to Make Users Patch Their Own Applications
You keep up with all of your Microsoft patches, right? You go through the usual Black Tuesday dance of testing and deploying your patches like any good system admin would. What about your non-Microsoft applications? Are you keeping those up to date? They can be just as critical as your Microsoft patches.
Patching your Windows OS and Office environments is easy thanks to Patch Management Solution.
What about all of those other applications that people download on their own without going through IT? Programs like Firefox, Chrome and Skype are not necessarily bad, but they do need to be managed. They sneak into your network, and before you can stop it they are must-have programs that people cannot live without. Now what do you do? How do you make sure you keep these programs up to date? You know that your users are not going to make sure they have the latest version of Skype installed or all of the Firefox patches loaded.
You could choose the hard method of keeping these programs up to date: go out and research what the vulnerabilities are, download the update file, and then build a deployment package for it that you deploy with Software Delivery. Then you would have to go through this tedious task of building packages every time an update comes out for an application that may only be installed on 20-30 PCs.
Since you have not been managing this program so far, there are probably 20 different versions of it installed, and each of them might require a different upgrade script. Seems like a big waste of time, right? How can you save time and still keep your environment fully patched?
Here is how our company uses Application Metering to meet the challenge.
Think about when the program is actually vulnerable. If it is merely installed and never launched, there is nothing for an attacker to exploit; the security holes only matter when someone is using the program, that is, when the program's processes are running. Keep in mind that the user is not the only thing that can start it (a link in an e-mail can open whatever the default browser is), so the block has to apply at process start rather than rely on the user choosing not to open the program.
I will be using Firefox for this example. At the time of writing, Firefox 3.x is the latest version available; all previous versions have known vulnerabilities and should not be used. In the end we want every computer that uses Firefox to be on 3.x without us having to test and deploy an update. Since the vulnerability does not matter until someone tries to run Firefox, we can use Application Metering to block the old versions that we do not want to allow.
Here is a sample of an Application Metering policy for Firefox.
As you can see in the screenshot, you can get very granular about which versions you do not allow. You could add rules to block all 1.x and 2.x versions, then add any 3.x versions that turn out to be vulnerable.
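The version rules in that policy are simple to express in a script, and a script is also the quickest way to find out which of the "20 different versions" are actually installed before you write the rules. The following PowerShell is an added example, not part of the original post and not Application Metering code: it reads the Firefox entries from the standard Uninstall registry keys, applies the same decision (block every 1.x and 2.x build plus any specific 3.x builds you list), and prints the denial message for the ones that would be blocked. The minimum major version of 3 follows the post; the entry in `$BlockedExact` is a placeholder and not a statement about any real build.

```powershell
# Added example (not from the original post). Mirrors the Application Metering
# version rules described above and reports what they would do on this machine.
# Assumptions: minimum acceptable major version is 3; the $BlockedExact entry
# is a placeholder to show how individual 3.x builds would be added.

$MinimumMajor = 3
$BlockedExact = @('3.0.1')   # placeholder: replace with the 3.x builds your own review flags

$DenialMessage = 'This is an old unsupported version of Firefox and is no longer ' +
                 'allowed to be used. Please upgrade to the latest version.'

function Test-FirefoxVersionAllowed {
    # Returns $true when the version passes the policy, $false when it is blocked.
    param([Parameter(Mandatory = $true)][string]$VersionString)

    # Registry values look like '3.0.1 (en-US)' or '2.0.0.20'; take the leading
    # dotted number only. Anything unparseable is treated as blocked (fail closed).
    if ($VersionString -notmatch '^\s*(\d+(\.\d+){0,3})') { return $false }
    $text = $Matches[1]
    if ($text -notmatch '\.') { $text = "$text.0" }   # [version] needs at least major.minor
    $v = [version]$text

    if ($v.Major -lt $MinimumMajor) { return $false }  # every 1.x and 2.x build
    foreach ($b in $BlockedExact) {                    # specific 3.x builds
        if ([version]$b -eq $v) { return $false }
    }
    return $true
}

function Get-InstalledFirefox {
    # Firefox registers under the standard Uninstall keys. Check the machine-wide
    # 32- and 64-bit views and the per-user hive so stray user installs are found.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Mozilla Firefox*' -and $_.DisplayVersion } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.DisplayName
                Version = $_.DisplayVersion
                Path    = $_.InstallLocation
                Allowed = Test-FirefoxVersionAllowed $_.DisplayVersion
            }
        }
}

# Constructed sample versions (not real inventory data) to show the decisions:
# 1.5.0.12 and 2.0.0.20 fall below the minimum major, 3.0.1 is on the placeholder
# block list, 3.5.2 passes.
'1.5.0.12', '2.0.0.20', '3.0.1', '3.5.2' | ForEach-Object {
    '{0,-10} {1}' -f $_, $(if (Test-FirefoxVersionAllowed $_) { 'allowed' } else { 'blocked' })
}

# Real inventory of this machine:
$installs = Get-InstalledFirefox
if (-not $installs) { Write-Output 'Firefox is not installed on this machine.' }
foreach ($fx in $installs) {
    if ($fx.Allowed) { Write-Output "ALLOW $($fx.Name) $($fx.Version) at $($fx.Path)" }
    else             { Write-Output "DENY  $($fx.Name) $($fx.Version): $DenialMessage" }
}
```

The script only decides and reports; the actual block at process start is still the metering agent's job. Run it through your inventory or software delivery tool against the PCs that have Firefox and you get the list of versions to put in the policy, and a way to check afterwards that the rules catch everything you intended.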
The great part about Application Metering is that it not only blocks applications but can also tell the user why the application was blocked. Our denial message says something like: "This is an old unsupported version of Firefox and is no longer allowed to be used. Please upgrade to the latest version." You have now put the work back on the user who originally downloaded and installed the program. If they still want to use it, they can upgrade it themselves; since they managed to install it once, they can surely install it again if they really need it.
We have seen two outcomes from this process, and both count as success: people either upgrade the program to the latest, fully patched version, or they stop using it and use something that is supported. Not only has this worked well for us, it has yet to generate a single call to our help desk.
Now you have a very reliable patching process that takes very little management on your part.
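If you do not have the Application Metering agent deployed, Windows 7 and Server 2008 R2 and later can enforce the same "block old Firefox at launch" rule with AppLocker. The following PowerShell is an added example, not part of the original post and not Altiris code: it writes an AppLocker policy with a publisher rule that denies any signed firefox.exe whose file version is below 3.0, plus the default allow rule that an enabled Exe collection needs, then tests the policy against a binary before anything is enforced. The publisher string and the firefox.exe path are placeholders; read the real publisher from your own copy with `Get-AppLockerFileInformation` before deploying.

```powershell
# Added example (not from the original post). Expresses the same block as an
# AppLocker policy for environments without the Application Metering agent.
# Assumptions: Windows 7 / Server 2008 R2 or later with the Application Identity
# service running; $Publisher and $FirefoxExe are placeholders to replace.

Import-Module AppLocker

$FirefoxExe = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # placeholder path

# Take the publisher string from a signed copy of the binary, e.g.:
#   (Get-AppLockerFileInformation -Path $FirefoxExe).Publisher
$Publisher = 'O=MOZILLA CORPORATION, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US'  # placeholder

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Deny rules win over allow rules. Version ranges are inclusive, and each
         part of a file version is a 16-bit value, so this covers every 1.x and
         2.x build and stops just short of 3.0.0.0. -->
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny Firefox older than 3.0"
        Description="Old unsupported version of Firefox; upgrade to the latest version."
        UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$Publisher" ProductName="FIREFOX" BinaryName="FIREFOX.EXE">
          <BinaryVersionRange LowSection="*" HighSection="2.65535.65535.65535" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- An enabled Exe collection blocks everything that no rule allows, so the
         deny rule must ship together with a default allow or every program on
         the PC stops launching. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow everything else"
        Description="Default allow" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-old-firefox.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: report the decision the policy would make for the given binary
# without enforcing anything. 'Denied' means the version range matched.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $FirefoxExe -User Everyone

# Apply to the local machine once the test shows the intended result
# (-Merge keeps any rules already in the local policy):
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Two differences from Application Metering are worth knowing before you rely on this. AppLocker shows its own generic "blocked by your system administrator" dialog rather than the custom denial message, so the "please upgrade" instruction has to reach users some other way. And a publisher rule only matches binaries whose signature it can verify; an unsigned or repackaged firefox.exe is not caught by it and would need a path or hash rule instead.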


I think we have a similar setup...
I was wondering if you have your users set up as local admins on their computers? We are trying to get away from that, but we are currently in that position. I like your thought process about old versions of software and having the user update it themselves. I don't have the application metering agent set up yet, but have started the rollout so I can start testing this. Thanks!
Admins
As a rule we do not have them as admins. But a lot of them are, for whatever reason, and so end up installing these rogue applications.