Cupertino, Calif.-based antivirus giant Symantec Corp. has patched an authentication bypass vulnerability in Veritas NetBackup PureDisk, a backup system for remote offices. In an advisory sent to customers of its DeepSight Threat Management Service, Symantec said attackers could exploit the flaw to bypass the management interface authentication and gain elevated privileges to the affected server.
Attackers could exploit the flaw to gain administrative access to the vulnerable application. "This may allow an attacker to gain administrative privileges on the underlying operating system," Symantec said.
The vendor said the specific problem is that the application fails to properly enforce authentication requirements. However, an attacker must have valid network authentication credentials in order to exploit the flaw.
The security hole affects version 6.0 for all platforms. Danish vulnerability clearinghouse Secunia has rated the flaw "moderately critical," while the French Security Incident Response Team (FrSIRT) has rated it "high risk."
This is Symantec's second fix in as many weeks for products it acquired when it purchased storage vendor Veritas Software Corp. in late 2004. Last week, the company addressed security holes in its Backup Exec for Netware Servers.
Two MySQL database flaws are fixed
Researchers have found and fixed two security holes in MySQL, a free SQL database that's available for multiple platforms. Attackers could exploit the flaws to get extra user privileges and bypass security restrictions.
The first problem is that someone who has access to a database but isn't granted the privileges to create new databases can bypass this restriction using the "create database" function. "An attacker can use the name of the database that they have access to but modify it slightly such as using a capital letter in the name to create a new database," Symantec said in a DeepSight Threat Management Service advisory. "This bypasses the restriction that prevents the user from creating new databases."
The second problem is that the application incorrectly calculates arguments to the SUID routines in the context of the routines' definer instead of the caller. "A user with privileges to call SUID routines may be able to execute certain commands and code with the privileges of the definer, which can lead to privilege escalation," Symantec said.
The flaws affect MySQL versions 5.0.24 and earlier, have been fixed in the CVS repository and will also be fixed in the upcoming 5.0.25 version.
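As an added example that is not part of the original article or of MySQL's own documentation, the following SQL shows how an administrator could audit a MySQL 5.0-era server for the two conditions the advisory describes: databases whose names differ only in case (the symptom of the first flaw) and stored routines declared with `SQL SECURITY DEFINER`, which run with the definer's privileges rather than the caller's (the mechanism behind the second flaw). The final statement shows the least-privilege alternative, `SQL SECURITY INVOKER`. The schema `app`, the table `app.orders`, the procedure `lookup_order` and the account `'reporting'@'localhost'` are hypothetical names chosen for the example.

```sql
-- Added example (not from the article). Assumes a MySQL 5.0-era server;
-- the "app" schema, "orders" table, "lookup_order" routine and the
-- 'reporting'@'localhost' account are hypothetical.

-- 1. Detect databases whose names differ only in case. On a case-sensitive
--    filesystem these are distinct databases, which is what the first flaw
--    let an under-privileged user create.
SELECT LOWER(SCHEMA_NAME)        AS base_name,
       GROUP_CONCAT(SCHEMA_NAME) AS variants
FROM   information_schema.SCHEMATA
GROUP  BY LOWER(SCHEMA_NAME)
HAVING COUNT(*) > 1;

-- 2. Inventory stored routines that execute with their definer's rights
--    instead of the caller's.
SELECT r.ROUTINE_SCHEMA,
       r.ROUTINE_NAME,
       r.ROUTINE_TYPE,
       r.DEFINER,
       r.SECURITY_TYPE
FROM   information_schema.ROUTINES AS r
WHERE  r.SECURITY_TYPE = 'DEFINER';

-- 3. Of those, flag routines whose definer holds global privileges that a
--    caller would effectively borrow for the duration of the call.
--    mysql.user holds one row per user@host; DEFINER is stored as user@host.
SELECT r.ROUTINE_SCHEMA,
       r.ROUTINE_NAME,
       r.DEFINER,
       u.Super_priv,
       u.File_priv,
       u.Grant_priv
FROM   information_schema.ROUTINES AS r
JOIN   mysql.user AS u
  ON   r.DEFINER = CONCAT(u.User, '@', u.Host)
WHERE  r.SECURITY_TYPE = 'DEFINER'
  AND  (u.Super_priv = 'Y' OR u.File_priv = 'Y' OR u.Grant_priv = 'Y');

-- 4. Least-privilege alternative: declare the routine SQL SECURITY INVOKER so
--    it runs with the caller's own rights, then grant EXECUTE narrowly.
DELIMITER //
CREATE PROCEDURE app.lookup_order(IN p_order_id INT)
    SQL SECURITY INVOKER
BEGIN
    SELECT id, status FROM app.orders WHERE id = p_order_id;
END //
DELIMITER ;

GRANT EXECUTE ON PROCEDURE app.lookup_order TO 'reporting'@'localhost';
```

Queries 1 through 3 are read-only and can be run from the `mysql` client by an account with access to `information_schema` and `mysql.user`; the `DELIMITER` lines in step 4 are client commands, not server SQL. Routines that legitimately need definer rights should keep them, but each one that query 3 returns is a place where a caller's input reaches code running with elevated privileges and deserves review, which is exactly the boundary the 5.0.25 fix corrects.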
Study finds many companies have lost laptops
A recent study conducted by Elk Rapids, Mich.-based Ponemon Institute LLC and San Francisco-based security firm Vontu Inc. found that missing laptops with sensitive data are a far more common problem in corporate America than some might have expected.
Eighty-one percent of respondents admitted losing one or more laptops housing sensitive data in the past year. Nearly 500 IT security professionals participated in the survey.
Many companies are vulnerable to data breaches because they often don't know where their sensitive or confidential data resides within the network or enterprise systems, Ponemon Institute Chairman Larry Ponemon said in a statement.
The study also found that portable devices and laptops ranked highest among storage devices that posed the greatest risk for sensitive data, followed by Universal Serial Bus (USB) keys, desktop systems and shared file servers. Meanwhile, 64% of respondents admitted they've never conducted an inventory of sensitive data.
VA upgrades computer encryption
Following recent data breaches involving the U.S. Department of Veterans Affairs (VA), the organization has announced it will upgrade all the agency's computers with a new encryption technology.
The VA plans to have its laptop computers using encryption technology within four weeks, followed by encryption of data on desktop computers, VA Secretary Jim Nicholson told The Associated Press. "A system-wide encryption program will be a tremendous step forward in improving the safety and security of sensitive veteran information," he said.
The encryption follows the award of a $3.7 million contract to Syracuse, N.Y.-based SMS, the AP noted. The VA will also use GuardianEdge Technologies Inc.'s and Trust Digital LLC's products. Final testing of the software is underway, and actual encryption should begin by Aug. 18.