Qualys™ First to Deliver Immediate Solution to Detect and Provide Remedies Against Latest Cluster of Severe Microsoft IIS Vulnerabilities

Offers Free Network Scan to All Microsoft IIS Users

Redwood City, CA — April 16, 2002 — Qualys™, Inc., the leader in the emerging category of Managed Vulnerability Assessment, today announced it is offering a free network scan to companies concerned about the Microsoft IIS vulnerability warning recently issued by CERT® in its Advisory CA-2002-09. CERT identified a cluster of IIS vulnerabilities, some of which may allow an intruder to execute arbitrary code on vulnerable systems, and strongly encourages all sites running IIS to take appropriate action as soon as practical. The free QualysGuard™ scan empowers companies to detect and eliminate this cluster of threats. It can be accessed at https://www.qualys.com/iis.

CERT notified the information technology industry about 10 new vulnerabilities affecting Microsoft Internet Information Server (IIS) versions 4.0, 5.0 and 5.1 in its most recent advisory, http://www.cert.org/advisories/CA-2002-09.html. This latest cluster of severe IIS exposures includes denial of service vulnerabilities, cross-site scripting vulnerabilities, and buffer overflow vulnerabilities. Attackers may exploit these vulnerabilities to crash a target system, execute arbitrary commands, or gain complete control of an IIS server. Microsoft [NASDAQ: MSFT] has released a cumulative security patch at http://www.microsoft.com/technet/security/bulletin/MS02-018.asp to address these issues.

“These exploitable IIS vulnerabilities have the potential to breed new worms, similar to what we have seen in CodeRed and NIMDA,” said Gerhard Eschelbeck, Vice President of Engineering at Qualys. “It is critical for everyone on the Internet to take immediate action by identifying and fixing their vulnerable systems.

“Qualys’ dedicated security research team constantly monitors various sources of vulnerability intelligence,” Eschelbeck continued. “Our proven process, including rigorous testing, benchmarking, and verification of remedies, consistently produces new vulnerability tests for highly reliable, accurate audits. Within 24 hours following CERT’s April 11th alert, we had developed and tested these 10 new vulnerability signatures. Then we automatically pushed these updates out to our global scanners, transparently and with no impact on the systems they assess, so that our subscribers’ reports are constantly up-to-date.”

Because QualysGuard is a globally distributed Web service available 24x7, Qualys customers are instantly and automatically alerted to new vulnerabilities without having to download any software or updates. IT managers avoid the time- and cost-intensive burden of vulnerability detection; instead, they can focus on fixing security issues and improving network reliability.

“Qualys has been immensely cost-effective in identifying security holes for us,” said Kevin Ertell, Director of Internet Technologies and Systems Administration at Tower Records. “We run scheduled scans as well as on-demand scans whenever new device settings are introduced. Our security team reviews Qualys’ assessment reports to address vulnerabilities as quickly as possible, prioritizing fixes according to the level of severity defined by the service. QualysGuard has helped us drastically reduce network vulnerabilities.”

Designed to work on any size network and delivered over the Internet, QualysGuard uses advanced vulnerability detection techniques to assess a network’s security exposures and suggest remedies before intruders can take advantage of them. Via a simple Web-based interface, users can pre-schedule a QualysGuard audit or initiate an on-demand audit whenever they choose. Upon completion of the security audit, network administrators receive a near-instantaneous report detailing vulnerabilities identified, severity level of each, and potential consequences, with suggested remedies to fix each vulnerability. Qualys’ KnowledgeBase (the most comprehensive, constantly updated database) contains more than 1500 vulnerability signatures covering over 300 applications on more than 20 different platforms.

All Microsoft IIS users can take advantage of the free QualysGuard scan, with a seven-day trial, to check their systems and take action for the newly identified vulnerabilities as well as for any other existing vulnerabilities. The free scan is available at https://www.qualys.com/iis.

About Qualys

With more than 2,000 subscribers ranging from small businesses to multinational corporations, Qualys has become the leader in on demand vulnerability management and policy compliance. The company allows security managers to strengthen the security of their networks effectively, conduct automated security audits and ensure compliance with internal policies and external regulations. Qualys’ on demand technology offers customers significant economic advantages, requiring no capital outlay or infrastructure to deploy and manage. Its distributed scanning capabilities and unprecedented scalability make it ideal for large, distributed organisations. Hundreds of large companies have deployed Qualys on a global scale, including AXA, DuPont, Hershey Foods, ICI Ltd, Novartis, Sodexho, Standard Chartered Bank and many others. Qualys is headquartered in Redwood City, California, with European offices in France, Germany and the U.K., and Asian representatives in Japan, Singapore, Australia, Korea and the Republic of China. For more information, please visit www.qualys.com.

Qualys, the Qualys logo and QualysGuard are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.

Media Contact:
Tami Casey