Customers lose when vendors refuse to patch

I can’t believe my eyes. Eudora WorldMail Mail Management Server has an open exploit hole and Qualcomm says they have no plans to patch.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

Tipping Point and the Zero Point Initiative reported last week that Eudora WorldMail 3.1.x Mail Management Server has a remote exploit accessible over TCP port 106. As the report states, “This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Eudora WorldMail. Authentication is not required to exploit this vulnerability. The specific flaw exists during the parsing of successive delimiters within the Mail Management Server, MAILMA.EXE.”

According the report, Qualcomm has no plans to patch this hole. Instead, the vendor apparently encourages end users to use alternate defense-in-depth techniques and block TCP port 106 access from unauthorized computers to affected servers at the network layer.

I had a “You’ve got to be kidding me!” moment when I read this. The company’s response to the exploit hole is unfortunate for Qualcomm’s past, existing, and future customers.

Essentially, Qualcomm is saying that it is leaving its customers open to malicious exploitation on purpose, hoping that additional layers of defense-in-depth security will protect them instead.

This is pre-Blaster thinking. In August 2003, when the MS-Blaster worm was first detected, most corporate defenders initially relaxed because the port affected (RPC TCP port 135) was not typically reachable over the Internet because of blocking network perimeter firewalls. Microsoft had a month-old patch out that closed the vulnerability, but hardly anybody was rushing install it. "The firewall will protect us," we all thought.

Then the center of the network became exposed. VPN users from home got infected and spread the worm through remote connections that bypassed normal firewall rules. Unprotected laptops got infected on the road and came home to roost when plugged back into the corporate LAN. Extranet business partner networks got infected; CEOs got infected picking up non-corporate HTML e-mail; and vulnerable consultant computers plugged into the network.

The number of MS-Blaster infections on Days 1 and 2 wasn’t bad, but by Day 3, every unpatched corporate computer was infected and rebooting over and over again. Computing literally came to a standstill that week for many enterprises; it was impossible to install a new Windows PC and patch it before it was exploited. It took some companies months to fully eradicate MS-Blaster.

This single malicious event led to the default enabling of Windows Firewall in the XP Pro Service Pack 2 upgrade and the strengthening of many core Windows services. Today, when you install Windows Server 2003 and Windows Vista, Microsoft disables all non-essential networking services until after all patches have been downloaded and applied.