Wednesday, March 19, 2008 8:15 AM cmosby

Reported Zero-Day in CA Software - McAfee Avert Labs Blog

 


Tuesday March 18, 2008 at 3:18 pm CST
Posted by Karthik Raman


Here’s a quick post about a claimed zero-day vulnerability in CA BrightStor ARCserve Backup, software that provides backup functionality for Windows systems. Proof-of-concept exploit code for this vulnerability is public.

A specially crafted Web page could trigger a stack overflow in the AddColumn() method of the ListCtrl ActiveX control. For an attack to occur, a user would have to be tricked into visiting a malicious Web site. The exploit writer states that he has successfully run his attack code against CA BrightStor ARCserve Backup r11.5, with Internet Explorer 6 running on Microsoft Windows XP SP2 (the Polish edition).

McAfee Avert Labs is analyzing the flaw. As an aside, our research database reveals that the last known vulnerability in CA BrightStor ARCserve Backup was disclosed on November 26, 2007: CVE-2007-5328. CA worked with the discloser to release a patch for the vulnerability on the same day.

 

Source: Computer Security Research - McAfee Avert Labs Blog
