CA backup bug exploitable on Vista
In what appears to be the first exploit for a third-party app running on Vista, a previously patched buffer overflow vulnerability in CA BrightStor ARCserve Backup has been exploited. One security firm says ISVs aren't taking advantage of Vista's new security features.
The announcement, made today at RSA Conference 2007, came immediately following the opening keynote by Microsoft Chairman Bill Gates.
 |
||||
|
|
|||
|
||||
CA Inc. reported Jan. 11 multiple buffer overflow vulnerabilities in versions 9.01 through 11.5 of its backup software. A patch was immediately available for the flaw, which could enable an attacker to remotely compromise and control a Vista server hosting the CA software.
CA said in a release that it has not specified that its customers use those versions with Vista. The vendor also said that its first general release of BrightStor ARCserve Backup for Vista (r11.5 SP3), due in a few weeks, will include a patch for the vulnerability.
The discovery seems to suggest that third parties -- in a rush to market software compatible with Vista -- may not be taking advantage of some of the new operating system's security features. Microsoft has said Vista is its most secure OS to date, and features like Address Space Layout Randomization (ASLR) are meant to harden Vista from malware attacks.
"Vendors have to add this code to their applications," Caceres said. "When Microsoft has a new OS, ISVs want to say their software runs on the new OS. The standard thing is to port the application to do that, and in subsequent releases, catch up to take advantage of the new features."
Additional coding can be substantial for an ISV, Caceres said.
"One of the key features that Vista provides is backwards compatibility; you'll have apps that just happen to work on Vista, which means the transition will be easier for customers who want to install it. But it's important for those customers not to get a false sense of security, believing they've installed Vista and all of the security features have been applied to third-party applications."
Enterprises should press third-party vendors and understand exactly what they mean when they say their products run on Vista.
"This highlights the need to continually test the security of a network," Caceres said. "Just because there's a better version of the OS doesn't mean all of the apps have taken advantage of the new security features."
