Customers lose when vendors refuse to patch

Qualcomm will not close exploit hole, so Eudora WorldMail users are on their own

I can’t believe my eyes. Eudora WorldMail Mail Management Server has an open exploit hole and Qualcomm says they have no plans to patch.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

Tipping Point and the Zero Point Initiative reported last week that Eudora WorldMail 3.1.x Mail Management Server has a remote exploit accessible over TCP port 106. As the report states, “This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Eudora WorldMail. Authentication is not required to exploit this vulnerability. The specific flaw exists during the parsing of successive delimiters within the Mail Management Server, MAILMA.EXE.”

According the report, Qualcomm has no plans to patch this hole. Instead, the vendor apparently encourages end users to use alternate defense-in-depth techniques and block TCP port 106 access from unauthorized computers to affected servers at the network layer.

I had a “You’ve got to be kidding me!” moment when I read this. The company’s response to the exploit hole is unfortunate for Qualcomm’s past, existing, and future customers.

Essentially, Qualcomm is saying that it is leaving its customers open to malicious exploitation on purpose, hoping that additional layers of defense-in-depth security will protect them instead.

This is pre-Blaster thinking. In August 2003, when the MS-Blaster worm was first detected, most corporate defenders initially relaxed because the port affected (RPC TCP port 135) was not typically reachable over the Internet because of blocking network perimeter firewalls. Microsoft had a month-old patch out that closed the vulnerability, but hardly anybody was rushing install it. "The firewall will protect us," we all thought.

Then the center of the network became exposed. VPN users from home got infected and spread the worm through remote connections that bypassed normal firewall rules. Unprotected laptops got infected on the road and came home to roost when plugged back into the corporate LAN. Extranet business partner networks got infected; CEOs got infected picking up non-corporate HTML e-mail; and vulnerable consultant computers plugged into the network.

The number of MS-Blaster infections on Days 1 and 2 wasn’t bad, but by Day 3, every unpatched corporate computer was infected and rebooting over and over again. Computing literally came to a standstill that week for many enterprises; it was impossible to install a new Windows PC and patch it before it was exploited. It took some companies months to fully eradicate MS-Blaster.

This single malicious event led to the default enabling of Windows Firewall in the XP Pro Service Pack 2 upgrade and the strengthening of many core Windows services. Today, when you install Windows Server 2003 and Windows Vista, Microsoft disables all non-essential networking services until after all patches have been downloaded and applied.

MS-Blaster proved that network firewalls have never been enough to prevent malicious attacks and never will be. The “soft, chewy,” hypothetical network center that Bill Cheswick warned us about in 1990 became a practical reality overnight. That’s why Qualcomm’s decision not to fix the WorldMail vulnerability is unsettling.

There must be a valid reason why Qualcomm is not planning to fix a WorldMail exploit, right? Of course there is: Qualcomm no longer sells or supports WorldMail. WorldMail was just rebranded as Rockcliffe MailSite SE. And Rockcliffe doesn’t support WorldMail. Rockcliffe wants WorldMail users to upgrade to new versions of its MailSite SE product.

Qualcomm first started selling WorldMail 3.x in May 2005, as evidenced by its original press release. The WorldMail bug was reported to Qualcomm in September 15, 2006. So, 16 months later, existing WorldMail 3.x customers are stuck with an exploitable product. It makes you wonder how long WorldMail 3.x was supported before falling off the table. A year, maybe?

If Qualcomm (or Rockcliffe) wants to make this right, one of them needs to stop pointing fingers, take ownership of the problem, and assign a programming team to fix the bug to protect customers. Or I’m hoping that maybe the vulnerability report is incorrect and one of the two vendors is planning a fix — although I couldn’t find any information on either Web site, so I doubt there’s a fix in progress.

I’m a firm believer in free markets and voting with consumer dollars. The next time Qualcomm pitches your company a software product, don’t expect them to support it for even two years.