Attackers increasingly target third-party applications (browsers, Java and other runtimes, PDF readers, productivity suites) because they are patched less consistently than the operating system: they sit outside the OS patch cycle and often outside its reporting. A 2022 Ponemon study found that 60% of breaches involved an unpatched vulnerability in a third-party application. This lesson covers the tools and strategies that bring third-party applications under the same automated patch governance as the OS.
Chocolatey is a package manager for Windows whose community repository automates installation and updating of thousands of popular applications. For the enterprise, Patch My PC integrates with Microsoft Intune or Configuration Manager and publishes third-party updates as native update objects, with approval workflows and reporting. Both keep browsers, runtimes and plugins current. With Chocolatey, one command upgrades every package it manages:

```powershell
choco upgrade all -y
```

Run it from your configuration management tool or as a daily scheduled task running as SYSTEM. The `-y` flag answers prompts so the run is unattended; pinned packages are skipped. Never add `--ignore-checksums` to an automated run: the checksum embedded in a package is what ties the installer the script downloads to the one the package author tested.
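The following added example (not code from the page or from the Chocolatey project) parses the machine-readable output of `choco outdated -r`, whose lines have the form `name|current|available|pinned`, and turns it into an ordered upgrade plan: pinned packages are skipped and reported, packages on an assumed security-critical list go first, and each command is restricted to an internal feed registered under the assumed name `internal`. The sample output is constructed, not captured from a real host.

```python
"""Turn `choco outdated -r` output into an ordered upgrade plan.

Added example, not code from the page or from Chocolatey. Assumes the
`-r` (limit-output) line format name|current|available|pinned and an
internal feed registered under the name "internal".
"""
from dataclasses import dataclass
from typing import List

# Assumed set of packages we treat as security-critical (upgrade first).
SECURITY_CRITICAL = {"googlechrome", "firefox", "adobereader", "openjdk", "7zip"}

# Constructed sample of `choco outdated -r` output (not captured from a real host).
# The last line stands in for a stray non-data line the parser must ignore.
SAMPLE_OUTDATED = """\
googlechrome|124.0.6367.60|124.0.6367.91|false
7zip|23.1.0|24.5.0|false
notepadplusplus|8.6.4|8.6.5|false
openjdk|17.0.10|17.0.11|true
Warning: some stray line
"""


@dataclass(frozen=True)
class Outdated:
    name: str
    current: str
    available: str
    pinned: bool


def parse_outdated(text: str) -> List[Outdated]:
    """Parse pipe-delimited rows; anything that is not a 4-field row is ignored."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4 or parts[3].lower() not in ("true", "false"):
            continue
        rows.append(Outdated(parts[0].lower(), parts[1], parts[2], parts[3].lower() == "true"))
    return rows


def plan_upgrades(rows: List[Outdated], source: str = "internal") -> List[str]:
    """Build one `choco upgrade` command per unpinned package, critical packages first.

    Pinned packages are left alone (choco upgrade all skips them too);
    --source restricts the run to the internal feed and -y makes it unattended.
    --ignore-checksums is deliberately absent.
    """
    todo = [r for r in rows if not r.pinned]
    todo.sort(key=lambda r: (r.name not in SECURITY_CRITICAL, r.name))
    return [f"choco upgrade {r.name} -y --no-progress --source {source}" for r in todo]


def skipped_pinned(rows: List[Outdated]) -> List[str]:
    """Outdated packages skipped because they are pinned; these need a human decision."""
    return sorted(r.name for r in rows if r.pinned)


if __name__ == "__main__":
    parsed = parse_outdated(SAMPLE_OUTDATED)
    for cmd in plan_upgrades(parsed):
        print(cmd)
    for name in skipped_pinned(parsed):
        print(f"# pinned, not upgraded: {name}")
```

Feed the real output in with `choco outdated -r | python plan.py` style piping in production; the point of the plan is that pinned-but-outdated packages surface in a report instead of silently staying old.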
Munki is the de facto software management tool for macOS. It installs and updates applications from a local repository according to per-client manifests. Combined with AutoPkg, you can automatically download the latest vendor releases, import them into Munki, and test them in a pilot catalog before promoting them to production. This gives a true CI/CD pipeline for third-party app updates on macOS, keeping apps such as Zoom, Chrome and VLC current.
```bash
# AutoPkg recipe run: download the latest Firefox and import it into Munki
autopkg run Firefox.munki
# Downloads, packages and imports; after makecatalogs rebuilds the catalogs
# (for example by adding MakeCatalogs.munki to the run), Munki clients see the update
```

💡 Munki manifests separate `managed_installs` (enforced on every run) from `optional_installs` (offered in Managed Software Center for users to choose). Put security-critical apps such as browsers in `managed_installs` so the update is forced.
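As an added example (not Munki's own code), the script below builds a client manifest with Python's plistlib and lints an existing one for security-critical apps that are only offered as optional. It relies on the documented manifest keys `catalogs`, `managed_installs` and `optional_installs`; the set of apps it treats as security-critical and the item names are assumptions.

```python
"""Build and lint a Munki client manifest.

Added example, not Munki's own code. A manifest is a plist; items under
managed_installs are enforced on every run, items under optional_installs
are offered in Managed Software Center. The SECURITY_CRITICAL set and the
item names used below are this example's assumptions.
"""
import plistlib
from typing import Dict, List

# Assumed: apps that must always be managed installs, never merely optional.
SECURITY_CRITICAL = {"Firefox", "GoogleChrome", "Zoom"}


def build_manifest(catalogs: List[str], managed: List[str], optional: List[str],
                   promote_critical: bool = True) -> bytes:
    """Return manifest plist bytes; by default critical apps listed as optional are promoted.

    Catalog order matters: Munki searches catalogs in the order listed, so a
    pilot group gets ["testing", "production"] and everyone else ["production"].
    """
    managed_set = set(managed)
    optional_set = set(optional) - managed_set
    promoted = (optional_set & SECURITY_CRITICAL) if promote_critical else set()
    manifest: Dict[str, object] = {
        "catalogs": list(catalogs),
        "managed_installs": sorted(managed_set | promoted),
        "optional_installs": sorted(optional_set - promoted),
        "managed_updates": [],
        "managed_uninstalls": [],
    }
    return plistlib.dumps(manifest)


def read_manifest(data: bytes) -> Dict[str, object]:
    """Parse manifest plist bytes (XML or binary) into a dict."""
    return plistlib.loads(data)


def lint_manifest(data: bytes) -> List[str]:
    """Return security-critical apps that this manifest only offers as optional."""
    m = read_manifest(data)
    managed = set(m.get("managed_installs", []))
    optional = set(m.get("optional_installs", []))
    return sorted((optional & SECURITY_CRITICAL) - managed)


if __name__ == "__main__":
    pilot = build_manifest(["testing", "production"], ["Firefox"], ["VLC", "GoogleChrome"])
    print(pilot.decode())
    print("critical apps left optional:", lint_manifest(pilot))
```

Running `lint_manifest` over every manifest in the repo before `makecatalogs` is a cheap gate that catches a browser demoted to self-service by a well-meaning edit.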
| Platform | Tool | Strengths |
|---|---|---|
| Windows | Chocolatey | CLI package manager, community packages, simple automation |
| Windows | Patch My PC | Native integration with ConfigMgr/Intune, approval workflows, reporting |
| macOS | Munki + AutoPkg | Flexible manifest-based deployment, CI/CD for app updates |
| Linux | Flatpak / snap | Sandboxed app bundles with their own update channel; can be driven from the system update run (AppImage has no central update mechanism) |
Using a community repository such as the Chocolatey community feed introduces supply-chain risk: the packages are community-maintained and the install scripts they run fetch vendor binaries at install time. Always validate checksums and use an internal package repository in high-security environments. For Chocolatey, register a private feed of approved packages with `choco source add` and disable the community feed on clients with `choco source disable -n=chocolatey`. For Munki, scan imported packages with antivirus and verify code signatures (AutoPkg download recipes do this with the CodeSignatureVerifier processor, and recipe trust info should be checked with `autopkg verify-trust-info` before a run). Never blindly trust public package sources for production.
⚠️ A compromised package in a public repository can infect your entire fleet in a single upgrade run. Put a private, curated repository in front of your clients and make security scanning and checksum verification the gate for promoting packages into it.
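An added example of such a promotion gate (not code from the page, from Chocolatey or from Patch My PC): before a `.nupkg` is copied into the private feed, the script below reads the package id and version from the `.nuspec` inside the archive (a `.nupkg` is a zip with the nuspec at its root), looks the pair up in an approved list of SHA-256 digests, and accepts only an exact match. The approved-list format, the feed directory and the sample package it builds are assumptions; a real pipeline would record the digest of each package when it passes testing.

```python
"""Promote a .nupkg into a private feed only after checksum verification.

Added example, not code from the page or from Chocolatey. Assumptions:
the approved list is {"<id>": {"<version>": "<sha256 hex>"}}, recorded when a
package passed testing; a .nupkg is a zip archive with <id>.nuspec at its
root; the sample package built below is constructed, not a real package.
"""
import hashlib
import io
import shutil
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path
from typing import Dict, Tuple

Approved = Dict[str, Dict[str, str]]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def nupkg_identity(data: bytes) -> Tuple[str, str]:
    """Read (id, version) from the single root-level .nuspec in the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if n.endswith(".nuspec") and "/" not in n]
        if len(names) != 1:
            raise ValueError("package must contain exactly one root .nuspec")
        root = ET.fromstring(zf.read(names[0]))
    fields: Dict[str, str] = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the nuspec XML namespace
        if tag in ("id", "version") and tag not in fields:
            fields[tag] = (el.text or "").strip()
    if "id" not in fields or "version" not in fields:
        raise ValueError("nuspec lacks <id> or <version>")
    return fields["id"].lower(), fields["version"]


def gate(data: bytes, approved: Approved) -> Tuple[bool, str]:
    """Return (accepted, reason). Only an approved id/version whose SHA-256 matches passes."""
    try:
        pkg_id, version = nupkg_identity(data)
    except (zipfile.BadZipFile, ValueError, ET.ParseError) as exc:
        return False, f"rejected: unreadable package ({exc})"
    expected = approved.get(pkg_id, {}).get(version)
    if expected is None:
        return False, f"rejected: {pkg_id} {version} is not on the approved list"
    if sha256_hex(data) != expected.lower():
        return False, f"rejected: {pkg_id} {version} SHA-256 mismatch"
    return True, f"accepted: {pkg_id} {version}"


def promote(nupkg: Path, feed_dir: Path, approved: Approved) -> Tuple[bool, str]:
    """Copy the package into the feed directory only if the gate accepts it."""
    accepted, reason = gate(nupkg.read_bytes(), approved)
    if accepted:
        feed_dir.mkdir(parents=True, exist_ok=True)
        shutil.copy2(nupkg, feed_dir / nupkg.name)
    return accepted, reason


def build_sample_nupkg(pkg_id: str, version: str, script: str = "Write-Host 'ok'\n") -> bytes:
    """Constructed stand-in for a vendor .nupkg: minimal nuspec plus an install script."""
    nuspec = (
        '<?xml version="1.0"?>\n'
        '<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">\n'
        f"  <metadata><id>{pkg_id}</id><version>{version}</version>"
        "<description>sample</description></metadata>\n</package>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{pkg_id}.nuspec", nuspec)
        zf.writestr("tools/chocolateyInstall.ps1", script)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample_nupkg("sampleapp", "1.2.3")
    approved: Approved = {"sampleapp": {"1.2.3": sha256_hex(good)}}  # recorded after testing
    print(gate(good, approved))
    print(gate(build_sample_nupkg("sampleapp", "1.2.3", "Start-Process evil.exe\n"), approved))
    print(gate(build_sample_nupkg("sampleapp", "9.9.9"), approved))
    print(gate(b"not a zip", approved))
```

The gate keys on id and version read from inside the archive rather than on the file name, so a package renamed to look like an approved one still fails; the same-version-different-content case is exactly the one a repository compromise produces, and it is caught by the digest, not by the metadata.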