The #1 source of frustration and anger with ExchangeDefender is directly related to the way it handles executable content – with a shotgun. Through the years, we’ve seen executable email content damage so many computers and networks that we outright ban that content at the gate: nothing executable comes in or goes out. We go a few steps further too – you can’t zip it, you can’t rename it, you can’t rename it and zip it. We evaluate the file not just for the filename pattern but for the filetype MIME match as well. Then we check if it has multiple extensions trying to hide the .exe at the end. Then we check the length of the filename, then… Well, let’s just say we’re thorough.
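A sketch of how checks like these can be layered, as an added example that is not ExchangeDefender's code: the extension list, the size and depth limits and the function names are all assumptions made for illustration.

```python
import io
import zipfile

# Assumed policy values for illustration; the post does not list the real ones.
BLOCKED_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "msi"}
MAX_NAME_LEN, MAX_MEMBER, MAX_DEPTH = 128, 1 << 20, 2
EXEC_MAGIC = (b"MZ", b"\x7fELF")  # PE/DOS and ELF file headers

def check_attachment(filename, data, depth=0):
    """Return the reasons to block a file; an empty list means it passes."""
    reasons = []
    parts = filename.strip().lower().split(".")
    if len(filename) > MAX_NAME_LEN:
        reasons.append("filename too long")
    if len(parts) > 1 and parts[-1] in BLOCKED_EXT:
        reasons.append("blocked extension")
    if len(parts) > 2 and any(p in BLOCKED_EXT for p in parts[1:]):
        reasons.append("multiple extensions")  # invoice.pdf.exe, update.exe.txt
    # Type check on the bytes themselves, so renaming the file does not help.
    if data.startswith(EXEC_MAGIC):
        reasons.append("executable content")
    if data.startswith(b"PK\x03\x04"):
        reasons.extend(check_zip(data, depth))
    return reasons

def check_zip(data, depth):
    """Run the same checks on every zip member; fail closed if unreadable."""
    if depth >= MAX_DEPTH:
        return ["archive nested too deep"]
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # encrypted: cannot be validated
                    reasons.append(f"{info.filename}: encrypted member")
                    continue
                with zf.open(info) as fh:
                    body = fh.read(MAX_MEMBER)  # bounded read per member
                found = check_attachment(info.filename, body, depth + 1)
                reasons.extend(f"{info.filename}: {r}" for r in found)
    except zipfile.BadZipFile:
        reasons.append("unreadable archive")
    return reasons

def make_zip(name, body):  # builds a constructed one-member sample zip
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, body)
    return buf.getvalue()
```

Calling `check_attachment("update.zip", make_zip("notes.txt", b"MZ..."))` reports the renamed executable inside the archive, which is the "rename it and zip it" case.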
Yet every Monday morning there are the unfortunate few customers that will have an urgent, critical business need to receive an executable file. The reason? You’ve guessed it:
My vendor distributes the software updates through email.
While ordinary ExchangeDefender users have a right and even an excuse to be ignorant of this, software vendors do not. Let me explain the ginormity (new word of the day) of this stupidity in somewhat plainer terms. Your software vendor is trying to behave like 98.3% of all worms and viruses out there. And after years and years of “Here is your Microsoft update, attached.” exploits there are still people under the rock about this. Here is how we like to translate your business need to patch applications that only receive updates through email:
My pharmaceutical distributor only sells this drug in a dark alley between 2 and 6 am.
My butcher will only sell that piece of meat after hours, and always locks the door after I come in.
My electronics dealer has the cheapest and newest stuff around, but only seems to have one piece of each model. He also only takes cash payments and asks me if I’ve seen any cops around on my way in.
Please, end this stupidity. There is no circumstance, whatsoever, under which we will ever allow executable content that we cannot validate through our network. Even if you’ve spent the last 260 years in network security, have written books on it, have a pending Nobel prize in the World Peace category for helping save starving African villages through your ability to keep orphanages running with software that only distributes patches via executable email attachments… even then we will block your ability to receive it; we refuse to hand you a loaded gun to play Russian roulette with.
In closing, if this software vendor absolutely cannot deliver their software through anything but email… go get a Gmail, Yahoo, Hotmail, etc. account and have your patches sent there. Then download those directly onto the box running the said software, but ask yourself this:
If this software vendor has put so little thought into the distribution of their patch management and cannot even figure out how to put up an authenticated web page for their file distribution, which is a job of a jr. system administrator… what other holes have they left in their application if they can’t grasp these simple concepts?
The preceding Monday morning rant is brought to you courtesy of Own Web Now Corp support.
Copyright © 2005-2010 Vlad Media, Inc. All Rights Reserved.
Content is provided AS-IS without warranty of any kind.