Errata: ISS Ships Vulnerable Products, Uses as Pitch for More Products

http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13

ISS RealSecure 7.0 and ISS Internet Scanner are both vulnerable to the W32.SQLExp.Worm alias W32/SQLSlammer vulnerability/worm. Chris Rouland of ISS acknowledged that ISS products contain the vulnerable SQL code, but explained that ISS vulnerability checkers would have flagged it as an issue that needed to be patched, so customers should have known to fix it themselves.

"Sure, our event collector uses SQL server and our Workgroup Manager uses MSDE," Rouland said. "We don't patch those, but our vulnerability assessment software would have flagged those and we certainly would hope that folks would have done that."

So we have software vendors who tell their customers to patch yet don't do it themselves (Microsoft). Now we have security product vendors (ISS) who don't let their customers know about vulnerabilities that they delivered to them in one product (RealSecure), yet use the vulnerabilities in other vendors products to sell their own additional product (Internet Scanner). Worse than this underhand sales tactic, ISS lied to their customers about being vulnerable at one point.

January 31, 2003

Dear Valued Customers,

Internet Security Systems is re-emphasizing the importance of patching vulnerable SQL and MSDE servers to prevent SQL Slammer Worm infection.

As ISS first highlighted in our SQL Slammer X-Force Security Alert, and in subsequent communications, it is very important to patch all of your SQL and MSDE servers vulnerable to this attack. Microsoft SQL Server customers should refer to the following address for more information and to download the applicable patches: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

Please remember that while your ISS security applications are not vulnerable to this attack, the servers they operate on may be vulnerable. As part of your patching effort related to the SQL Slammer worm, remember to include critical servers or local MSDE databases running ISS security applications.

ISS Customers can use Internet Scanner to identify vulnerable hosts and patch them accordingly. For more information regarding how ISS solutions can help protect you against SQL Slammer worm propagation, please refer to the following:

[snip...]

If you need additional assistance remediating this vulnerability, please contact ISS Professional Security Services at: consulting@iss.net

Thank you and best regards,

Sally Foster
Vice President, Customer Support and Client Services
Internet Security Systems

This customer mail specifically states "Please remember that while your ISS security applications are not vulnerable to this attack, the servers they operate on may be vulnerable." ISS applications install MDSE as one of the components, which renders the system vulnerable. On the same ISS X-Force Advisory in fact, it specifically says:

Recommendations:

ISS X-Force recommends that system administrators immediately take steps to protect their networks. To remove the infection, apply the necessary patches listed below and restart the server. This action will remove the worm from memory.
RealSecure Network Sensor XPU 20.4 and XPU 5.3 (available 9/17/02) or greater.
SQL_SSRP_StackBo - (http://www.iss.net/security_center/static/10031.php)

Internet Scanner XPU 6.15 (available 7/25/02).
MssqlMs02039Patch - (http://www.iss.net/security_center/static/9666.php)
MssqlMs02038Patch - (http://www.iss.net/security_center/static/9667.php)

Internet Scanner XPU 6.25 (available 1/28/02).
MssqlResolutionServiceBo - (http://www.iss.net/security_center/static/9661.php)

Systems Scanner Service Release 3.10 (available 12/19/02).
MS02-039
MS02-038

This contradicts their statement of ISS security applications not being vulnerable.