[Work in progress] Hide bundled applications
Some applications come bundled within other applications.
For example: 7-Zip that is found 4 times on my system:
- 3 times in the folder of the NVIDIA drivers and NVIDIA GeForce Experience
- 1 time in the folder of StarCitizen
These versions of 7-Zip are not listed in the list of installed applications in the Windows 10 Settings.
These versions are updated by the bundled product; the user must not update these instances manually.
The problem is that VulnDetect also offers download links for these installations.
That is true.
However, it is still the responsibility of the parent program to report this and fix it. You are likely to break many programs if you just replace the DLL.
We will keep an eye out for this and add detection for DLLs when we become aware of programs that bundle vulnerable versions and "provide" a vector to exploit it (very often Java and AIR vulnerabilities can't be exploited, because there is no feasible vector, the same is the case for many DLLs).
@Tom ok, but: if you have a vulnerability in the exe file, you also have it in the dll. And often applications bundle the dll and not the exe.
@Anselm Currently, we will limit it to the products that we already detect.
The detection of libraries / DLLs is not within our current scope. Though we may create a few exceptions, when there are major issues like with "unacev2.dll".
@Tom are you talking about exe or dll? I think you have a lot of programs bundled together e.g. with 7zip.dll or unrar.dll.
Cool, @Tom that VulnDetect now supports Bundled Apps.
The UI was updated two days ago to support bundled applications. This means that most bundled applications can be viewed in the UI.
Any feedback on bundling is welcome.
When you see detections of e.g. 7-Zip, curl, Java and so on, that are actually part of other programs, please post it, send it via email or in the chat and we will create both the parent product and create the bundling specification that relates the two pieces of software.
Finally, we are getting ready to launch this new feature. We have run the first tests in the test environment and are ready to update the backend either tomorrow or Monday.
The first iteration will hide (disregard) the bundled apps.
However, we expect to make an update for the UI very soon, that will allow you to view the hidden bundled applications.
Please do start to report bundled applications; in most cases, all we need is a copy of the path of e.g. Java, Flash, curl or whatever program that is part of another parent installation.
We will not hide them completely, but they will be reported more subtly and in a way where only experts would want to spend that extra click or two to get the details.
While this is work in progress, it is not something you should expect very soon.
I would like to know about those applications. Experts like me often update those packages as a workaround, if the "main" application does not do it (e.g. the main application is eol).
Yes, I perfectly agree. That is work in progress and once the tech has been implemented then we will start reviewing all the cases. I'll let you know, and then we need those reported as well.