
    Testers Shine Light on CA-Vista Vulnerability

    Written by

    Matt Hines
    Published February 6, 2007

      SAN FRANCISCO—Vulnerability researchers at penetration testing software maker Core Security claim that a well-known vulnerability in CA's BrightStor backup software can be exploited when the program is running on Microsoft Windows Vista, essentially defeating the purpose of the operating system's much-publicized security features.

      Officials with Core, which is based in Boston, announced the flaw here at the ongoing RSA Conference just as Microsoft Chairman Bill Gates delivered his keynote address. The issue illustrates the fact that unless third-party application vendors go to great lengths to integrate their products with Vista's security features, the technologies cannot take advantage of the operating system's malware-defense tools, Core officials said.

      Core contends that a previously disclosed vulnerability in CA's BrightStor ARCserve Backup software, dubbed CVE-2007-0169, can be exploited to compromise systems running the new Vista operating system.

      By exploiting the buffer overflow vulnerability in versions 9.01 through 11.5 of the CA software, along with its Enterprise Backup 10.5 and CA Server/Business Protection Suite r2 products, attackers could remotely execute arbitrary code on computers and potentially gain access to other systems, the automated penetration testing company said.


      To craft an attack that takes advantage of the flaw, hackers need only slightly manipulate exploits designed to attack the same problem on systems running Microsoft's earlier Windows XP and 2000 operating systems, Core maintains.

      CA already has a security patch available that will allow users of the software to block the loophole.

      One of the most significant benefits being touted by Microsoft in Vista is the product's many security features, which claim stronger protection of the software's kernel, on-board malware-fighting tools and the program's User Account Control system—meant to keep viruses from escalating privileges on infected machines to prevent them from proliferating themselves onto other devices.

      However, unless application vendors such as CA go to great lengths to integrate with those features, the tools can easily be defeated, as in the case of the BrightStor exploit, said Max Caceres, director of product management at Core. Part of the problem is that building products that can tap into the Vista security protections is not an easy task, according to the vulnerability expert.

      “Application vendors need to be diligent about making sure that their products take advantage of Vista's security features—they don't integrate with them by default—and as long as developers do not make the necessary adjustments, their products will remain vulnerable to the same issue we saw in Windows XP,” Caceres said. “The exploit we found demonstrates that even if companies are running Vista, they can easily be exposed to third-party flaws.”

      The CA vulnerability specifically circumvents Vista's ASLR (Address Space Layout Randomization) technology, which is meant to prevent buffer overflow exploits, a common mode of malware attack. The technique is also widely used by developers to secure open-source software programs.

      Most independent software vendors are porting their products to run on Vista but would need to completely rewrite sections of the programs to take advantage of the feature, Core maintains.
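
On Vista, ASLR is applied only to images whose PE header carries the dynamic-base opt-in bit, so an unchanged XP-era binary loads without randomization. The following is an added example, not code from the article, Core or CA, that audits that bit; the helper names and the minimal headers it builds are constructed for illustration.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: set at link time when the vendor
# opts the image in to ASLR; absent on binaries built with XP-era settings.
DYNAMIC_BASE = 0x0040

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, validating headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)    # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt_off = pe_off + 4 + 20                            # signature + COFF header
    if len(image) < opt_off + 72:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ layouts.
    return struct.unpack_from("<H", image, opt_off + 70)[0]

def aslr_opted_in(image: bytes) -> bool:
    return bool(dll_characteristics(image) & DYNAMIC_BASE)

def build_sample(flags: int, magic: int = 0x10B) -> bytes:
    """Constructed minimal header set (not a loadable binary) for the demo."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def audit(images: dict) -> list:
    """Return the names of PE images that would load without ASLR."""
    missing = []
    for name, data in sorted(images.items()):
        try:
            if not aslr_opted_in(data):
                missing.append(name)
        except ValueError:
            continue                                     # not a PE file: skip
    return missing

if __name__ == "__main__":
    fleet = {"legacy_agent.exe": build_sample(0x0000),   # constructed names
             "rebuilt_agent.exe": build_sample(DYNAMIC_BASE),
             "readme.txt": b"plain text"}
    print("no ASLR opt-in:", audit(fleet))
```

To run the same check over real binaries, read the first few kilobytes of each file and pass the bytes to `aslr_opted_in`.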


      CA representatives challenged Core's report, calling the information “misleading” and pointing out that the company has specifically instructed customers not to run the products in question on Vista systems.

      “CA goes to great lengths to certify and test its products in a variety of real-world configurations,” company officials said in a statement. “Core made reference to a so-called security vulnerability that could occur if IT organizations use certain versions of a CA product—but this is precisely why CA has not specified that its customers use those software versions with Vista.”

      CA said that its first general release of BrightStor ARCserve Backup for Microsoft Vista (ARCserve Backup r11.5 SP3) will arrive in several weeks, and that it will include a patch for the vulnerability mentioned in Core's report.

      Ben Fathi, corporate vice president of development of Microsoft's Windows Core Operating System Division, said that Core is attempting to make a mountain out of a molehill with its report and defended the argument that making the ASLR feature a default setting for every application integrating with Vista would break some older third-party products—which would not benefit their users.

      “This is an old version of a third-party product that is being updated from what we're told. I don't see the big deal,” Fathi said. “And I don't see why this company is forwarding the idea that it's hard to integrate with Vista security. That's certainly not what we're hearing from our partners.”

      Editor's Note: This story was updated to include comments from Microsoft's Ben Fathi.
