How not to send a security alert

Today at around 5:30 pm, I received an email from one of our software vendors (I won’t mention their name so that their other customers can apply the software patch) notifying us of a critical security vulnerability. The message looked very official from their support department. It was quite detailed about how to patch it and described the different versions that are still being used. As I’m a bit paranoid about security, I checked the email headers and then became quite concerned about the message.

The vendor made the following mistakes in sending out this vulnerability notice:

  • The message was sent from a third-party mailing list provider, so the return address couldn’t be verified.
  • There was a direct download link in the email message; since the message was sent through the third-party provider, the link actually pointed back to the mailing list provider so that it could be tracked. I did click the link and downloaded the file, but didn’t run it. It did come from the vendor.
  • There was no link to a support site to directly download the patch.
  • There was no mention of the vulnerability on the web or in their support forums.
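The header and link checks described in the list above can be scripted so they run on every vendor "security alert" before anyone clicks. The following is an added example, not code from the original post or from the vendor: it parses a message, compares the From and Return-Path domains against the vendor's own domain, and lists every link in the body whose host is not under that domain. The sample message, the domain `vendor.example` and the tracking host `listprovider.example` are constructed placeholders.

```python
"""Sanity-check a vendor security alert before trusting it.

Added example (not from the original post). Flags the two problems the post
describes: a return address that does not belong to the vendor, and download
links that point at a third-party (tracking) host instead of the vendor's site.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample message: the vendor domain and the mailing list provider
# are placeholders, not real organisations.
SAMPLE_EML = """\
Return-Path: <bounce-123@mail.listprovider.example>
From: Vendor Support <support@vendor.example>
Reply-To: support@vendor.example
To: admin@customer.example
Subject: Critical security patch for Product 4.x
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A critical vulnerability affects versions 4.0 through 4.3.</p>
<p>Download the patch: <a href="http://click.listprovider.example/t/abc123">patch-4.3.1.zip</a></p>
<p>Support: <a href="https://support.vendor.example/">support portal</a></p>
</body></html>
"""


def _domain(addr):
    """Return the lower-cased domain of an address like 'Name <user@host>'; '' if none."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def _in_domain(host, vendor_domain):
    """True if host is vendor_domain itself or a subdomain of it."""
    host = (host or "").lower()
    return host == vendor_domain or host.endswith("." + vendor_domain)


def check_alert(raw_eml, vendor_domain):
    """Return a dict of findings for a vendor security alert.

    Keys: 'from_domain', 'return_path_domain', 'sender_mismatch' (True when
    either address is outside the vendor's domain), 'links' (list of
    (href, host, trusted) tuples) and 'untrusted_links' (hrefs whose host is
    not under the vendor's domain, e.g. a mailing list provider's tracker).
    """
    msg = message_from_string(raw_eml, policy=policy.default)
    from_domain = _domain(str(msg.get("From", "")))
    return_path_domain = _domain(str(msg.get("Return-Path", "")))
    sender_mismatch = not (_in_domain(from_domain, vendor_domain)
                           and _in_domain(return_path_domain, vendor_domain))

    # Prefer the HTML part, since that is where tracked links live.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    links = []
    for href in re.findall(r'href="([^"]+)"', text):
        host = urlparse(href).hostname or ""
        links.append((href, host, _in_domain(host, vendor_domain)))

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "sender_mismatch": sender_mismatch,
        "links": links,
        "untrusted_links": [href for href, _, ok in links if not ok],
    }


if __name__ == "__main__":
    report = check_alert(SAMPLE_EML, "vendor.example")
    print("From domain:       ", report["from_domain"])
    print("Return-Path domain:", report["return_path_domain"])
    print("Sender mismatch:   ", report["sender_mismatch"])
    for href in report["untrusted_links"]:
        print("Untrusted link:    ", href)
```

On the sample message the script reports a mismatch (the bounce address is on the list provider, not the vendor) and flags the download link as untrusted while accepting the support-portal link. A From header in the vendor's domain proves nothing on its own, since it is trivially forged; the next step for a real message is to read the Authentication-Results header for the SPF/DKIM/DMARC outcome, and to fetch the patch from the vendor's own support site rather than through a tracked redirect.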

After a frantic message to their support folks, I was advised that it was legitimate and was able to verify that the message came from the vendor. In addition, I was told I could download the patch from the support site (I had never logged into the site before). At the same time that I sent a message to their support, I posted a message on their forums asking about this and before they deleted my message, I received a response with the same concern.

I chatted with the person who sold us the software (a reseller for the vendor) and he indicated that I should apply the patch ASAP, which I did. He agreed that this could have been handled better.

I hope that in the future this vendor learns a lesson about how to notify its customers. I’m probably one of a handful of people who didn’t just click the link and apply the patch; I guess it’s part of my job to be paranoid about security.

All I can say is wow!
