CA backup bug exploitable on Vista

By Michael S. Mimoso, Editor, Information Security magazine
06 Feb 2007 | Information Security magazine


SAN FRANCISCO -- Core Security Technologies Inc. announced today that it has found a working exploit for a previously patched vulnerability in CA's BrightStor ARCserve Backup for Microsoft's Windows Vista operating system.

The announcement, made today at RSA Conference 2007, came immediately following the opening keynote by Microsoft Chairman Bill Gates.

Core Security director of product management Max Caceres told Information Security this is the first exploit for a third-party app running on Vista.

On Jan. 11, CA Inc. reported multiple buffer overflow vulnerabilities in versions 9.01 through 11.5 of its backup software. A patch was immediately available for the flaw, which could enable an attacker to remotely compromise and control a Vista server hosting the CA software.

CA said in a release that it has not specified that its customers use those versions with Vista. The vendor also said that its first general release of BrightStor ARCserve Backup for Vista (r11.5 SP3), due in a few weeks, will include a patch for the vulnerability.

The discovery seems to suggest that third parties -- in a rush to market software compatible with Vista -- may not be taking advantage of some of the new operating system's security features. Microsoft has said Vista is its most secure OS to date, and features like Address Space Layout Randomization (ASLR) are meant to harden Vista against malware attacks.

"Vendors have to add this code to their applications," Caceres said. "When Microsoft has a new OS, ISVs want to say their software runs on the new OS. The standard thing is to port the application to do that, and in subsequent releases, catch up to take advantage of the new features."

Additional coding can be substantial for an ISV, Caceres said.

"One of the key features that Vista provides is backwards compatibility; you'll have apps that just happen to work on Vista, which means the transition will be easier for customers who want to install it. But it's important for those customers not to get a false sense of security, believing they've installed Vista and all of the security features have been applied to third-party applications."

Enterprises should press third-party vendors on exactly what they mean when they say their products run on Vista.

"This highlights the need to continually test the security of a network," Caceres said. "Just because there's a better version of the OS doesn't mean all of the apps have taken advantage of the new security features."
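The opt-in Caceres describes is visible in the binary itself: Vista randomises the load address only of images whose PE optional header carries the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag (set by the /DYNAMICBASE linker option), and the NX_COMPAT flag is the equivalent opt-in for DEP. The following script is an added example, not code from the article, Core Security or CA; it parses that header field directly so an enterprise can check what a vendor's "runs on Vista" actually means for its installed binaries. The sample headers it builds for offline testing are constructed, not taken from any real product.

```python
"""Check whether a Windows PE binary opts in to Vista's ASLR and DEP.

Only the standard PE/COFF header layout is used, so no third-party library
is required. Usage: python check_pe_mitigations.py <file.exe> [more files]
"""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in (/NXCOMPAT)
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_pe_mitigations(data: bytes) -> dict:
    """Return which Vista-era mitigations a PE image has opted in to.

    Raises ValueError if the bytes are not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")

    # COFF file header is the 20 bytes after the signature;
    # SizeOfOptionalHeader is at offset 16 within it.
    coff = e_lfanew + 4
    (size_of_optional_header,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    if size_of_optional_header < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")

    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)

    # DllCharacteristics sits at offset 70 of the optional header in both
    # PE32 and PE32+: the 8-byte ImageBase of PE32+ takes the place of
    # PE32's BaseOfData + 4-byte ImageBase, so later fields line up.
    (dll_characteristics,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "aslr": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_sample_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (headers only, not a loadable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 if pe32plus else 96  # optional header without data directories
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


def report(path: str) -> str:
    """One-line summary for a file on disk."""
    with open(path, "rb") as f:
        info = parse_pe_mitigations(f.read())
    return "%s: %s ASLR=%s DEP=%s" % (path, info["format"], info["aslr"], info["dep"])


if __name__ == "__main__":
    for path in sys.argv[1:]:
        try:
            print(report(path))
        except (OSError, ValueError) as exc:
            print("%s: %s" % (path, exc))
```

Run it over the executables and DLLs a vendor installs; any image reporting ASLR=False is one that "just happens to work on Vista" in the sense Caceres describes, with its load address as predictable as it was on earlier Windows releases.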
