eCoustics.com - Everything Hi-Fi Online
Secunia: CA backup product 'inherently insecure'

In its annual report on security flaws, vulnerability-testing company Secunia strongly criticizes CA's ARCserve Backup product, as well as Symantec Mail Security.
By Tom Espiner
Special to CNET News.com
Published: January 16, 2008, 10:19 AM PST

Some CA products containing antivirus components have "inherent code problems," according to vulnerability-testing company Secunia, which published its annual report on security vulnerabilities on Monday.

One CA product particularly criticized by Secunia was ARCserve Backup, which the security company said was poorly coded.

"ARCserve is inherently insecure," Thomas Kristensen, Secunia's chief technology officer, told CNET News.com sister site ZDNet UK on Tuesday. "It's poor code, with a poor design. An internal code review should have revealed problems in the code that needed to be fixed before the product was launched."

In a statement sent to ZDNet UK, CA said that it was improving its quality-assurance procedures.

"CA takes software security very seriously," said the statement. "CA works continuously to prevent and proactively identify and address vulnerabilities. We have rigorous quality-control measures in place for our software, and we continue to improve those measures."

ARCserve Backup, a CA data-protection product with built-in antivirus and encryption functionality, had multiple vulnerabilities reported in June 2007, said Secunia. These included flaws that could have led to stack-based buffer overflows, enabling attackers to compromise systems, according to a Secunia advisory.

Those errors were reported to CA, which pushed out a patch that fixed some of the code problems, said Secunia.

However, when Secunia researchers analyzed the patched product, they discovered that approximately 60 reported vulnerabilities were still present, according to the Secunia 2007 Report (PDF).

Secunia said its analysis showed that these vulnerabilities stemmed partly from the nature of the product code itself, and that they remained after the patch.

"Unless an overhaul of the code is undertaken, then the product remains susceptible to similar types of vulnerabilities," stated the report.

Kristensen said it was "surprising" to see 60 vulnerabilities in one product alone, but that it was more surprising that a patched product contained some of the same vulnerabilities, especially as it was patched by a security vendor.

"It's bizarre to see a patched product with vulnerabilities coming from a security vendor," said Kristensen. "It's not very smart to have vulnerabilities in a backup solution, as it's deployed on every workstation on a system, making the system more vulnerable."

CA declined to comment on how effective its ARCserve patch had been.

Security vendor Symantec was also criticized in the Secunia report, for its use of the third-party Autonomy KeyView software development kit in Symantec Mail Security. According to a Secunia advisory, Autonomy KeyView, which is used in Symantec Mail Security as a Lotus 1-2-3 file viewer, can be exploited to cause buffer overflows when a specially crafted file is checked. Labeled "highly critical" by Secunia, the flaw could allow remote execution of arbitrary code.

Although the issue was reported on December 12, the vulnerability remains unpatched, according to Secunia. Kristensen said that the problem faced by Symantec was that it was reliant on a third party to provide a patch.

"Vendors buy software from third parties to add functionality. The problem with KeyView is it is third-party software (that) Symantec can't control--they rely on someone else to get the update," said Kristensen.

Kristensen added that there doesn't seem to be a well-established communication channel among Symantec, Autonomy, and IBM, which is also affected.

"Ideally IBM, Symantec, and Autonomy would push out patches on the same day," said Kristensen.

Symantec said that its product-security team "has identified an issue with a third-party component that is included in some versions of Symantec Mail Security." The company added that it is working on a solution.

"Because we take the security of our products very seriously, we published detailed mitigation instructions to protect customers immediately and have subsequently issued product updates (for some of the vendors affected) as well," said Wayne Periman, director of development for Symantec Security Response.

Tom Espiner of ZDNet UK reported from London.

© 2008 CNET Networks, Inc., a CBS Company. All rights reserved.