Interesting Secunia Patch Maneuver
Posted by: Ed Tittel
On my home network, I use Secunia Personal Software Inspector (PSI) on all of my Windows machines to make sure they keep up with the latest and greatest updates to the OS, Microsoft Office, and other applications — especially those from Adobe (all kinds of tools and browser add-ins), Sun (Java), Firefox, and Google (Chrome), all of which have been subject to frequent and sometimes dramatic security updates of late. Lots of companies I know and work with use the business equivalent, Secunia Corporate Software Inspector (aka Secunia CSI) for the same purpose.
Last night, I got a notification to check on my PCs from Secunia, which sends out notification e-mails any time a registered machine’s known software components or OS require updates to maintain proper security. Because yesterday was Patch Tuesday for December, 2009, this came as no surprise at all. What did come as a surprise this morning, when I got around to checking, was that a handful of unexpected items popped up in the alert list. I’m pretty serious about fixing such things because ultimately, the goal is to maintain a solid set of green bars across the entire Secunia Historic Development chart, which looks like this:
As usual, I tackled the numerous items whose status changed from secure to insecure since my last regular weekly scan to bring my system back into full compliance. This morning, there were five such alerts: one for Adobe Air, two for Adobe Flash, one for Google Chrome, and one for the MS Office PowerPoint Viewer 2007. I was able to dispatch all of them pretty quickly by installing the upgrades or patches for which Secunia helpfully provides links in its item detail info, except for PowerPoint Viewer 2007. That link took me to Microsoft Update, which cheerfully informed me that no updates were needed. Hmmm…
I immediately jumped up onto the Secunia forums (staffed by a crack group of staffers and volunteers) and found a thread that prescribed the right approach to this apparent mystery:
- Visit the Microsoft Download Center and download the PowerPoint Viewer 2007 version.
- Install that version, then re-run Windows Update. Presto! Five new downloads appear: a PPT Viewer SP1 plus various miscellaneous updates (KB954038, KB951550, KB951955, and KB934395). I selected all of them for installation, but KB934395 came up as “unnecessary, not installed” in the aftermath.
- Re-run Windows Update again. This time, you’ll get PPT Viewer SP2, plus another set of patches (KB970059, KB969618, and KB972581).
Only then will Secunia give a clean bill of health to PPT Viewer. Of course, I’m grateful to get secure and stay that way, but I’m a little irked that my inclusion of MS Office Updates in my Windows Update configuration turned up nothing on its own beforehand. I’m also a little puzzled as to why downloading the PPT Viewer from Microsoft triggered additional Windows Update activity even though it purports to be the same version I already had installed on my Office-equipped machines.
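To confirm on each machine that both update passes described above actually landed, the following added example (not part of the original post or any Secunia or Microsoft tooling) looks up the KB numbers listed in the steps in the local Windows Update history. It assumes PowerShell 3.0 or later and that updates installed through Windows Update are recorded in the Windows Update Agent history with the KB number in their title.

```powershell
# Added example: check Windows Update history for the KB numbers named in the post.
# First pass (after installing the viewer) and second pass (after re-running Windows Update).
$expectedKbs = @('KB954038', 'KB951550', 'KB951955', 'KB934395',
                 'KB970059', 'KB969618', 'KB972581')

# ResultCode values of a Windows Update Agent history entry (OperationResultCode).
$resultNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                  3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

# Read the complete local update history through the Windows Update Agent COM API.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = if ($count -gt 0) { @($searcher.QueryHistory(0, $count)) } else { @() }

$report = foreach ($kb in $expectedKbs) {
    # Assumption: history titles carry the KB number, e.g. "... (KB954038)".
    $entries = @($history |
                 Where-Object { $_.Title -match "\b$kb\b" } |
                 Sort-Object Date -Descending)
    if ($entries.Count -eq 0) {
        [pscustomobject]@{ KB = $kb; Status = 'NoHistoryEntry'; Date = $null; Title = $null }
    }
    else {
        $latest = $entries[0]   # the most recent attempt decides the status
        [pscustomobject]@{
            KB     = $kb
            Status = $resultNames[[int]$latest.ResultCode]
            Date   = $latest.Date
            Title  = $latest.Title
        }
    }
}

$report | Format-Table -AutoSize

# Anything without a successful history entry needs a manual look.
# The post reports KB934395 as "unnecessary, not installed", so it may show up here.
$unconfirmed = @($report | Where-Object { $_.Status -notin 'Succeeded', 'SucceededWithErrors' })
if ($unconfirmed.Count -gt 0) {
    $names = ($unconfirmed | ForEach-Object { $_.KB }) -join ', '
    Write-Warning "Not confirmed as installed: $names"
}
```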
But because this situation took me by surprise, and so many enterprises run MS Office and probably also haven’t gone through this maneuver, I wanted to broadcast it to the largest possible audience. Consider this blog a notification that PowerPoint Viewer 2007 (included by default with most versions of MS Office 2007) needs a security update, and a description of what’s involved in addressing this not-completely-straightforward maneuver. Even Secunia didn’t do that directly, so I hope this qualifies as a “public service.” As a devoted Windows-head, I found it interesting and unusual enough to be worth figuring out and fixing in any case.





