ISS slammed for 'selling' security patches

ISS's security products were last week attacked by the Witty worm but the company is refusing to provide patches to customers who do not have a valid maintenance contract

Security vendor ISS has been slammed for only providing security patches to customers who have purchased a maintenance agreement from the company. Last week, this left about 12,000 computers vulnerable to the Witty worm, which has proved one of the most destructive worms to be released for a number of years.

The Witty worm started to spread less than two days after a flaw in Internet Security Systems (ISS) RealSecure and BlackIce products was disclosed. The worm is unusual in that it is one of the first worms in recent years to have a physically destructive payload -- it was designed to regularly write small amounts of data to random places on an infected machine's hard drive, which causes loss of data and eventually crashes the computer.

Johan Beckers, director of technology solutions at ISS EMEA, told ZDNet UK that all of ISS's "legal" customers could have updated their systems to avoid Witty but he admitted that the 12,000 systems affected by Witty were most likely to be companies that had let their maintenance agreements expire: "All our products had an update available to prevent the attack from happening -- this was available to all customers that had paid their maintenance and were legal customers. If you don't pay maintenance, you are not allowed to use the products any more," he said.

ZDNet UK suggested to Beckers that this could be interpreted as irresponsible behaviour because the company's customers that had let their contracts expire were originally sold flawed products. At this point, he said that the company would investigate the matter further and clarify the situation. At the time of writing, ISS had not provided a subsequent response.

Unsurprisingly, ISS customers and security experts have criticised the company for not providing protection against known vulnerabilities to all customers, regardless of their maintenance contracts.

On the NTBugtraq mailing list, Marcio Vieira from Southeast Missouri State University said he was denied a patch for BlackIce because he hadn't purchased a service plan this year: "They don't even have 'patches', only full product upgrades. If a customer doesn't want the extra bells and whistles, and extra bugs, that come with the new version, then the only solution is to find another product -- I hope most ISS customers eventually will," he said.

Richard Starnes, vice president of ISSA UK, which is a non-profit organisation of security professionals, told ZDNet UK that this is the first time that he has heard of a company trying to sell security patches: "Until now, I had not heard of a single software vendor doing this. The practice is a third rail for software vendors," he said, meaning that it could prove a fatal move.

Starnes acknowledged that software produced by humans is unlikely to ever be 100 percent bulletproof, making patches inevitable, but he said he would like to see developers taking more responsibility for their code, especially if it is flawed.

ISS could be pressured into agreeing to patch all users' systems because the Witty worm's source code has already been published on the Internet, which makes many people believe the worm was created by someone with a "grudge" against the company.

John Cheney, chief executive of email security firm BlackSpider Technologies, said that although viruses and worms are destructive, most users expect them to steal a computer's resources rather than attempt to destroy the infected machine's hard drive: "Viruses have come full circle. They have historically been destructive -- MyDoom launched a DDoS attack against SCO and Sobig distributed spam -- but this seems like it was written by someone with a grudge against ISS or BlackIce," he said.

Mikko Hyppönen, director of antivirus research at F-Secure, said he has examined the source code of the Witty worm and unlike the Bagle, MyDoom and NetSky worms, Witty does not have any secret messages to prove that it was written by someone with a grudge. But he said that that doesn't mean the opposite is true: "We don't know what the author's agenda is. There was nothing indicating a grudge in text within the virus -- it could be just a lunatic that is attacking any exploit he can find," he said.

The Witty worm's source code appeared on a controversial French Web site on Sunday. The same site -- ZDNet UK has been asked not to disclose its name and URL -- was criticised in February for publishing source code that could be used to launch a DDoS attack on unpatched Microsoft Windows systems. This week, the site also published exploits for flaws in some Cisco products.

Blackspider's Cheney said the practice of publishing of attack code is common and could force companies into changing their security policies: "This trend can only continue. The fact that only two days were required between the publication of an exploit and the generation of a worm using it, should cause vendors to revisit their procedures and IT administrators to review the protection they require from their network security providers," he said.

Although it is standard practice to only providing updates to customers with a maintenance contract, firewall vendors Cisco and Check Point both said they would issue free updates for "specific issues" and in "unusual circumstances".

A Cisco spokesperson said: "As a special customer service, and to improve the overall security of the Internet, Cisco may offer from time to time, to customers, software updates free of charge to address security problems."

Niall Moynihan, Check Point's northern European technical director, said: "In some unusual instances, the product's organisation may decide to issue a patch that is available for all customers regardless of whether they have software subscription or not. But, for the most part, a customer needs to have valid software subscription in order to keep their software fresh and current."