
Security Bytes: Symantec patches Veritas NetBackup PureDisk flaw

By SearchSecurity.com Staff
17 Aug 2006 | SearchSecurity.com


Symantec patches NetBackup flaw
Cupertino, Calif.-based antivirus giant Symantec Corp. has patched an authentication bypass vulnerability in Veritas NetBackup PureDisk, a backup system for remote offices. In an advisory sent to customers of its DeepSight Threat Management Service, Symantec said attackers could exploit the flaw to bypass the management interface authentication and gain elevated privileges to the affected server.

Attackers could exploit the flaw to gain administrative access to the vulnerable application. "This may allow an attacker to gain administrative privileges on the underlying operating system," Symantec said.

The vendor said the specific problem is that the application fails to properly enforce authentication requirements. However, an attacker must have valid network authentication credentials in order to exploit the flaw.

The security hole affects version 6.0 for all platforms. Danish vulnerability clearinghouse Secunia has rated the flaw "moderately critical," while the French Security Incident Response Team (FrSIRT) has rated it "high risk."

This is Symantec's second fix in as many weeks for products it acquired when it purchased storage vendor Veritas Software Corp. in late 2004. Last week, the company addressed security holes in its Backup Exec for NetWare Servers.

Two MySQL database flaws are fixed
Researchers have found and fixed two security holes in MySQL, a free SQL database that's available for multiple platforms. Attackers could exploit the flaws to get extra user privileges and bypass security restrictions.

The first problem is that someone who has access to a database but isn't granted the privileges to create new databases can bypass this restriction using the "create database" function. "An attacker can use the name of the database that they have access to but modify it slightly such as using a capital letter in the name to create a new database," Symantec said in a DeepSight Threat Management Service advisory. "This bypasses the restriction that prevents the user from creating new databases."

The second problem is that the application evaluates the arguments of SUID routines in the security context of the routine's definer instead of the caller. "A user with privileges to call SUID routines may be able to execute certain commands and code with the privileges of the definer, which can lead to privilege escalation," Symantec said.

The flaws affect MySQL versions 5.0.24 and earlier, have been fixed in the CVS repository and will also be fixed in the upcoming 5.0.25 version.
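Both MySQL issues above leave traces an administrator can audit for: a database whose name differs from another only by letter case (the condition the first flaw creates), and stored routines that run with a privileged definer's rights (the SUID routines the second flaw concerns). The following script is an added example, not code from the article, Symantec or the MySQL project. It assumes you have already pulled rows from `information_schema.SCHEMATA` and `information_schema.ROUTINES` with the queries shown in the comments; the rows embedded here are constructed sample data, and the set of "privileged" account names is an assumption you would adjust to your own server.

```python
"""Audit helpers for the two MySQL privilege issues described in the article.

Added example; not part of the original article or of MySQL itself.
Input rows are constructed to mirror what these queries return:

    SELECT SCHEMA_NAME FROM information_schema.SCHEMATA;
    SELECT ROUTINE_SCHEMA, ROUTINE_NAME, SECURITY_TYPE, DEFINER
      FROM information_schema.ROUTINES;
"""
from collections import defaultdict


def case_colliding_schemas(schema_names):
    """Return groups of database names that differ only by letter case.

    On the affected versions a user with privileges on `app_db` could
    create `App_DB`, so finding such a pair on a server is a reason to
    check who created the second database and when.
    """
    groups = defaultdict(list)
    for name in schema_names:
        groups[name.lower()].append(name)
    # Keep only the lower-cased keys that map to more than one real name.
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


def risky_definer_routines(routines, privileged_definers):
    """Flag routines declared SQL SECURITY DEFINER by a privileged account.

    `routines` is a list of dicts with the ROUTINES columns named above.
    A routine that runs with a high-privilege definer's rights is the
    kind of SUID routine the second flaw concerns; where the caller's own
    privileges suffice, redefining it with SQL SECURITY INVOKER removes
    the escalation path regardless of server version.
    """
    flagged = []
    for row in routines:
        if row["SECURITY_TYPE"] != "DEFINER":
            continue
        # DEFINER is stored as 'user@host'; compare on the user part only.
        definer_user = row["DEFINER"].split("@", 1)[0]
        if definer_user in privileged_definers:
            flagged.append(f'{row["ROUTINE_SCHEMA"]}.{row["ROUTINE_NAME"]}')
    return sorted(flagged)


# Constructed sample rows (not taken from any real server).
SAMPLE_SCHEMAS = ["information_schema", "mysql", "app_db", "App_DB", "reports"]
SAMPLE_ROUTINES = [
    {"ROUTINE_SCHEMA": "app_db", "ROUTINE_NAME": "purge_old_orders",
     "SECURITY_TYPE": "DEFINER", "DEFINER": "root@localhost"},
    {"ROUTINE_SCHEMA": "app_db", "ROUTINE_NAME": "count_orders",
     "SECURITY_TYPE": "INVOKER", "DEFINER": "root@localhost"},
    {"ROUTINE_SCHEMA": "reports", "ROUTINE_NAME": "weekly_totals",
     "SECURITY_TYPE": "DEFINER", "DEFINER": "report_user@%"},
]
# Assumed set of accounts whose rights should not leak through a routine.
PRIVILEGED_ACCOUNTS = {"root"}


if __name__ == "__main__":
    for key, names in case_colliding_schemas(SAMPLE_SCHEMAS).items():
        print(f"case-colliding databases for '{key}': {names}")
    for routine in risky_definer_routines(SAMPLE_ROUTINES, PRIVILEGED_ACCOUNTS):
        print(f"SQL SECURITY DEFINER routine owned by privileged account: {routine}")
```

Run against the sample rows, the first check reports the `app_db` / `App_DB` pair and the second reports only `app_db.purge_old_orders`, since `count_orders` runs as the invoker and `weekly_totals` is defined by an unprivileged account. The lower-casing in `case_colliding_schemas` is deliberately the simplest possible comparison; it answers "could these two names be confused by a case-insensitive privilege check?" rather than reproducing MySQL's own name handling.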

Study finds many companies have lost laptops
A recent study conducted by Elk Rapids, Mich.-based Ponemon Institute LLC and San Francisco-based security firm Vontu Inc. found that missing laptops with sensitive data are a far more common problem in corporate America than some might have expected.

Eighty-one percent of respondents admitted losing one or more laptops housing sensitive data in the past year. Nearly 500 IT security professionals participated in the survey.

Many companies are vulnerable to data breaches because they often don't know where their sensitive or confidential data resides within the network or enterprise systems, Ponemon Institute Chairman Larry Ponemon said in a statement.

The study also found that portable devices and laptops ranked highest among storage devices that posed the greatest risk for sensitive data, followed by Universal Serial Bus (USB) keys, desktop systems and shared file servers. Meanwhile, 64% of respondents admitted they've never conducted an inventory of sensitive data.

VA upgrades computer encryption
Following recent data breaches involving the U.S. Department of Veterans Affairs (VA), the organization has announced it will upgrade all the agency's computers with a new encryption technology.

The VA plans to have its laptop computers using encryption technology within four weeks, followed by encryption of data on desktop computers, VA Secretary Jim Nicholson told The Associated Press. "A system-wide encryption program will be a tremendous step forward in improving the safety and security of sensitive veteran information," he said.

The encryption follows the award of a $3.7 million contract to Syracuse, N.Y.-based SMS, the AP noted. The VA will also use GuardianEdge Technologies Inc.'s and Trust Digital LLC's products. Final testing of the software is underway, and actual encryption should begin by Aug. 18.

