CA backup bug exploitable on Vista

By Michael S. Mimoso, Editor, Information Security magazine
06 Feb 2007 | Information Security magazine

Security Wire Daily News

SAN FRANCISCO -- Core Security Technologies Inc. announced today that it has developed a working exploit, on Microsoft's Windows Vista operating system, for a previously patched vulnerability in CA's BrightStor ARCserve Backup.

The announcement, made today at RSA Conference 2007, came immediately following the opening keynote by Microsoft Chairman Bill Gates.

Core Security director of product management Max Caceres told Information Security that this is the first exploit for a third-party application running on Vista.

On Jan. 11, CA Inc. reported multiple buffer overflow vulnerabilities in versions 9.01 through 11.5 of its backup software. A patch was immediately available for the flaws, which could enable an attacker to remotely compromise and take control of a Vista server hosting the CA software.

CA said in a release that it has not specified those versions for customer use with Vista. The vendor also said that its first general release of BrightStor ARCserve Backup for Vista (r11.5 SP3), due in a few weeks, will include a patch for the vulnerability.

The discovery suggests that third parties -- in a rush to market software compatible with Vista -- may not be taking advantage of some of the new operating system's security features. Microsoft has said Vista is its most secure OS to date, and features like Address Space Layout Randomization (ASLR) are meant to harden Vista against malware attacks. Those features are not applied automatically: an application only benefits from ASLR if its vendor builds it to opt in.

"Vendors have to add this code to their applications," Caceres said. "When Microsoft has a new OS, ISVs want to say their software runs on the new OS. The standard thing is to port the application to do that, and in subsequent releases, catch up to take advantage of the new features."

Additional coding can be substantial for an ISV, Caceres said.

"One of the key features that Vista provides is backwards compatibility; you'll have apps that just happen to work on Vista, which means the transition will be easier for customers who want to install it. But it's important for those customers not to get a false sense of security, believing they've installed Vista and all of the security features have been applied to third-party applications."

Enterprises should press third-party vendors and understand exactly what they mean when they say their products run on Vista.
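One concrete way for an enterprise to check what "runs on Vista" means for a given binary is to read the flags the vendor's linker wrote into its PE header: on Vista, an image is only randomized by ASLR if it carries the DYNAMIC_BASE flag (set by the /DYNAMICBASE linker option), and the loader can only move it if its base relocations were not stripped. The script below is an added example for this article, not code from Core Security, CA or Microsoft; it parses the PE headers with the standard library only and reports whether an image opts in to ASLR and DEP. The `build_test_headers` helper constructs a minimal, non-loadable header blob so the check can be exercised offline; in practice you would point `scan_file` at the vendor's installed executables and DLLs.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts in to ASLR (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts in to DEP/NX (/NXCOMPAT)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF flag: base relocations removed

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigation_report(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers in `data` and report which
    Vista-era mitigations the image opts in to. Raises ValueError on input
    that is not a PE image or is truncated before the fields we need."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Bounds-check every offset taken from the file before dereferencing it.
    if e_lfanew + 4 + 20 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _timestamp, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or opt + opt_size > len(data):
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # The flag alone is not enough: an image with no relocations cannot be moved,
        # so ASLR is only effective when the flag is set and relocations are present.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def scan_file(path: str) -> dict:
    """Read an executable or DLL from disk and report on it."""
    with open(path, "rb") as fh:
        return pe_mitigation_report(fh.read())


def build_test_headers(dll_chars: int, coff_chars: int = 0, magic: int = PE32_MAGIC) -> bytes:
    """Construct a minimal, non-loadable PE header blob (constructed sample data
    for offline testing, not a real program image)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, coff_chars)
    opt = bytearray(96)                            # truncated optional header; enough for our fields
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "ported, no mitigations": build_test_headers(0),
        "ASLR + DEP opted in": build_test_headers(
            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "flag set but relocs stripped": build_test_headers(
            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, coff_chars=IMAGE_FILE_RELOCS_STRIPPED),
    }
    for name, blob in samples.items():
        print(f"{name}: {pe_mitigation_report(blob)}")
```

The third constructed sample is the case a naive check misses: the vendor passed /DYNAMICBASE, but the binary was also built with relocations stripped, so the Vista loader has no choice but to map it at its preferred base and the randomization never happens. Run `scan_file` over a vendor's install directory and anything reporting `aslr_effective: False` is a question to put to that vendor.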

"This highlights the need to continually test the security of a network," Caceres said. "Just because there's a better version of the OS doesn't mean all of the apps have taken advantage of the new security features."
