Qualys Launches Service To Detect And Remedy Microsoft Internet Explorer Vulnerabilities That Leave Computers Open To Hacker Attacks

Free Web Service Allows Corporate Users and Consumers to Secure Web Browsers

Redwood City, CA — May 6, 2002 — Qualys™, Inc., the leader in the emerging category of Managed Vulnerability Assessment, today announced the availability of a free browser vulnerability service, available at http://browsercheck.qualys.com. Run interactively and in real time, this Web service allows Microsoft Internet Explorer users to immediately identify their browser vulnerabilities and patch them with validated fixes. This service provides system administrators with a tool to educate users and make them aware of security holes embedded within their browsers before intruders can exploit them. Harnessing technology from the company’s QualysGuard™ Managed Vulnerability Platform, the browser checkup impersonates a hacker to perform a series of tests against Microsoft’s Internet Explorer to detect vulnerabilities and reveal information that could potentially be exposed to attackers.

Internet Explorer’s security vulnerabilities have been widely exposed in the media, and Microsoft has provided security bulletins and downloadable patches. But many Internet Explorer users may not be aware of the risks to which their browsers expose them every time they conduct routine activities, such as browsing the Internet or shopping online, and system administrators are challenged with keeping the corporate user up-to-date with the latest browser technology that addresses serious security flaws.

“Most Internet users do not realize the number of security risks they face every day from basic Web browsing, and browser vulnerabilities are just the tip of the iceberg,” said Allan Carey, Senior Research Analyst for Information Security Services at IDC. “Qualys has leveraged the capabilities of its Managed Vulnerability Assessment Platform beyond the corporate environment to educate all users about the potential risks associated with their browsers and the remedies needed to fix them.”

The installed base of Internet Explorer, more than 400 million users worldwide, can run any or all of the checks offered by Qualys to determine if they are vulnerable to browser weaknesses such as:

  • Cookie Disclosure: Cookies act to identify users returning to a certain site. Attackers can gain access to these cookies, stored within the browser, and then take advantage of the information to pose as the user to obtain personal information through the site.

  • Clipboard Reading: Some Web browsers allow Web applications access to data copied to a computer’s clipboard. Attackers can take advantage of this vulnerability to steal the contents of the clipboard, which may contain sensitive information, such as passwords or confidential documents.

  • Program Execution: Through the use of maliciously crafted programs, attackers can launch

  • File Execution: Remote attackers can execute random files on a computer by tricking a browser into thinking the file is safe to open. If the browser opens the file without a prompt, an executable file that may contain a virus could be downloaded.

  • Security Zone Spoofing: Microsoft’s Internet Explorer has four “security zones.” The My Computer and Trusted Sites security zones typically have the highest privileges. If attackers gain these privileges, they can perform other attacks on a computer, such as installing malicious programs without user knowledge.

  • Web Page Spoofing: Attackers can create Web pages that impersonate well-known Web sites. If the browser is vulnerable to this attack, users could potentially enter confidential information on it, such as a password or credit card number, allowing the attacker to steal that information.

  • Hard Drive Access: Through the browser, attackers can access a computer’s hard drive, enabling them to read, write or modify data saved on that computer.

All of these Qualys browser checks can be run simply with a click of the mouse. While the tests illustrate how a hacker can download malicious applications, nothing will be downloaded onto users’ computers, making the tests completely safe to run. If vulnerabilities are found, Qualys offers suggestions on how to remedy the problems with validated patches from Microsoft when available.

“Opening your browser to the Internet is like opening the door to your home for anyone to enter. Every time users connect, they place their computers, their personal information, and even their corporate networks at risk,” said Philippe Courtot, Chairman and CEO of Qualys. “The number of vulnerabilities that can be found through this simple check is astonishing, and today’s firewalls and security products are not sufficient any more. By providing the free browser check, we hope to educate the public on the prevalence of vulnerabilities found in their browsers and provide a friendly tool to remedy them before any damage occurs.”

Designed to work affordably on any size network, and delivered over the Internet, QualysGuard uses advanced vulnerability detection techniques to assess a network’s security exposures and suggest remedies before intruders can take advantage of them. Via a simple Web-based interface, users can pre-schedule a QualysGuard audit or initiate an on-demand audit whenever they choose. Upon completion of the security audit, network administrators receive a near-instantaneous report detailing vulnerabilities identified, severity level of each, potential consequences, and suggested remedies to fix each vulnerability. Qualys’ KnowledgeBase, the most comprehensive, constantly updated database, contains more than 1500 vulnerability signatures covering over 300 applications on more than 20 different platforms.

About Qualys

With more than 2,000 subscribers ranging from small businesses to multinational corporations, Qualys has become the leader in on demand vulnerability management and policy compliance. The company allows security managers to strengthen the security of their networks effectively, conduct automated security audits and ensure compliance with internal policies and external regulations. Qualys’ on demand technology offers customers significant economic advantages, requiring no capital outlay or infrastructure to deploy and manage. Its distributed scanning capabilities and unprecedented scalability make it ideal for large, distributed organisations. Hundreds of large companies have deployed Qualys on a global scale, including AXA, DuPont, Hershey Foods, ICI Ltd, Novartis, Sodexho, Standard Chartered Bank and many others. Qualys is headquartered in Redwood City, California, with European offices in France, Germany and the U.K., and Asian representatives in Japan, Singapore, Australia, Korea and the Republic of China. For more information, please visit www.qualys.com.


Qualys, the Qualys logo and QualysGuard are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.

Media Contact:
Tami Casey
Qualys
media@qualys.com