MS-Blaster proved that network firewalls have never been enough to prevent malicious attacks and never will be. The “soft, chewy,” hypothetical network center that Bill Cheswick warned us about in 1990 became a practical reality overnight. That’s why Qualcomm’s decision not to fix the WorldMail vulnerability is unsettling.
There must be a valid reason why Qualcomm is not planning to fix a WorldMail exploit, right? Of course there is: Qualcomm no longer sells or supports WorldMail. WorldMail was just rebranded as Rockcliffe MailSite SE. And Rockcliffe doesn’t support WorldMail. Rockcliffe wants WorldMail users to upgrade to new versions of its MailSite SE product.
Qualcomm first started selling WorldMail 3.x in May 2005, as evidenced by its original press release. The WorldMail bug was reported to Qualcomm in September 15, 2006. So, 16 months later, existing WorldMail 3.x customers are stuck with an exploitable product. It makes you wonder how long WorldMail 3.x was supported before falling off the table. A year, maybe?
If Qualcomm (or Rockcliffe) wants to make this right, one of them needs to stop pointing fingers, take ownership of the problem, and assign a programming team to fix the bug to protect customers. Or I’m hoping that maybe the vulnerability report is incorrect and one of the two vendors is planning a fix — although I couldn’t find any information on either Web site, so I doubt there’s a fix in progress.
I’m a firm believer in free markets and voting with consumer dollars. The next time Qualcomm pitches your company a software product, don’t expect them to support it for even two years.