Tipping Point and the Zero Point Initiative that Eudora WorldMail 3.1.x Mail Management Server has a remote exploit accessible over TCP port 106. As the report states, "This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Eudora WorldMail. Authentication is not required to exploit this vulnerability. The specific flaw exists during the parsing of successive delimiters within the Mail Management Server, MAILMA.EXE."

According the report, Qualcomm has no plans to patch this hole. Instead, the vendor apparently encourages end users to use alternate defense-in-depth techniques and block TCP port 106 access from unauthorized computers to affected servers at the network layer.

I had a "You've got to be kidding me!" moment when I read this. The company's response to the exploit hole is unfortunate for Qualcomm's past, existing, and future customers.

Essentially, Qualcomm is saying that it is leaving its customers open to malicious exploitation on purpose, hoping that additional layers of defense-in-depth security will protect them instead.

This is pre-Blaster thinking. In August 2003, when the MS-Blaster worm was , most corporate defenders initially relaxed because the port affected (RPC TCP port 135) was not typically reachable over the Internet because of blocking network perimeter firewalls. Microsoft had a month-old patch out that closed the vulnerability, but hardly anybody was rushing install it. "The firewall will protect us," we all thought.