Core Security Technologies has announced today that it has found a
working exploit for a previously patched vulnerability in CA's
BrightStor ARCserve Backup for Microsoft's Windows Vista operating
system.
The announcement, made today at RSA Conference 2007, came
immediately following the opening keynote by Microsoft Chairman
Bill Gates.
Core Security director of product management Max Caceres told
Information Security this is the first exploit for a
third-party app running on Vista.
CA Inc. reported Jan. 11 multiple buffer overflow
vulnerabilities in versions 9.01 through 11.5 of its backup
software. A patch was immediately available for the
flaw, which could enable an attacker to remotely compromise and
control a Vista server hosting the CA software.
CA said in a release that it has not specified those versions
for use with Vista. The vendor also said that
its first general release of BrightStor ARCserve Backup for Vista
(r11.5 SP3), due in a few weeks, will include a patch for the
vulnerability.
The discovery seems to suggest that third parties -- in a rush
to market software compatible with Vista -- may not be taking
advantage of some of the new operating system's security features.
Microsoft has said Vista is its most secure OS to date, and
features like Address Space Layout Randomization (ASLR) are meant
to harden Vista from malware attacks.
"Vendors have to add this code to their applications," Caceres
said. "When Microsoft has a new OS, ISVs want to say their software
runs on the new OS. The standard thing is to port the application
to do that, and in subsequent releases, catch up to take advantage
of the new features."
Additional coding can be substantial for an ISV, Caceres
said.
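The ASLR opt-in Caceres describes is recorded in the executable itself: the DYNAMIC_BASE bit (0x0040) of the PE optional header's DllCharacteristics field. The following added example, which is not from the article or from either vendor, reads that bit so an enterprise can check for itself whether a binary that "runs on Vista" actually asks for randomization; the stub header it builds for testing is constructed here and is not a real image.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: the linker (/DYNAMICBASE) sets this bit
# to tell the Vista loader the image may be relocated to a random base (ASLR).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040

# DllCharacteristics sits at the same offset in PE32 and PE32+ optional headers.
DLLCHARACTERISTICS_OFFSET = 0x46


def pe_opts_into_aslr(data: bytes) -> bool:
    """Return True if the PE image's DllCharacteristics has DYNAMIC_BASE set."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of NT headers
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                               # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)
    return bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def build_stub_pe(dll_characteristics: int) -> bytes:
    """Constructed, minimal PE32 header (not loadable) with the given DllCharacteristics."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # NT headers follow the DOS header
    # COFF header: i386, one section, 0xE0-byte optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_aslr.py <file.exe or .dll> ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            status = "opts in" if pe_opts_into_aslr(fh.read()) else "does NOT opt in"
        print("%s: %s to ASLR" % (path, status))
```

A binary that ships without the bit still loads and runs on Vista, which is exactly the "false sense of security" the article warns about.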
"One of the key features that Vista provides is backwards
compatibility; you'll have apps that just happen to work on Vista,
which means the transition will be easier for customers who want to
install it. But it's important for those customers not to get a
false sense of security, believing they've installed Vista and all
of the security features have been applied to third-party
applications."
Enterprises should press third-party vendors to explain
exactly what they mean when they say their products run on
Vista.
"This highlights the need to continually test the security of a
network," Caceres said. "Just because there's a better version of
the OS doesn't mean all of the apps have taken advantage of the new
security features."