News

Vista Vulnerable Through Third-Party Programs

• By Stephen Swoyer
• 02/07/2007

Microsoft Corp.'s Vista operating system might well be Redmond's most secure client operating environment to date, but that doesn't -- and couldn't -- mean Vista is completely unassailable.

Security researchers have already identified a potential Speech Recognition exploit in Vista, for example, and this week another new vulnerability came to the fore -- in this case, one which targets third-party software running on Vista. While the new exploit doesn't actually stem from a flaw in Vista itself, it does illustrate that Vista, even with next-gen features such as its User Access Control (UAC) technology, is nonetheless pregnable.

Security specialist Core Security Technologies, a developer of security testing and assessment software, claims that an attacker can successfully take control over a Vista machine by exploiting any of several buffer overflow vulnerabilities in the BrightStor ARCserve Backup product set from Computer Associates International Inc. (CA).

The vulnerabilities affect BrightStor ARCserve Backup versions 9.01 through 11.5, and Enterprise Backup 10.5, along with CA Server/Business Protection Suite r2, Core Security says. An attacker who successfully exploits these vulnerabilities on any Windows system, including Vista, can execute arbitrary code possibly gain access to network systems, too.

Core Security, for its part, says this proves that Vista -- for all its out-of-the-box impregnability -- is only as secure as the weakest link in its application chain.

There are a few mitigating factors, of course. First off, BrightStor ARCserve Backup 11.5 SP3 (the latest version) doesn't natively support Vista; CA has promised to deliver a Vista update (consisting of a client agent and an open file backup agent) by the end of Q1 of this year. BrightStor ARCserve Backup for Windows XP, on the other hand, can apparently be installed on Vista, at least according to CA's Vista product readiness plan (PDF here), which doesn't list any conflicts.

Core Security researchers concede that their test exploit does involve pre-Vista versions of CA's ARCserve software, but argue that such a scenario could very easily take place in the enterprise wild.

"These were pre-Vista versions of the software that run on Vista. You need admin rights to install the software and it runs as SYSTEM," confirms Max Caceres, Core Security's director of product management. "While it is reasonable to assume that 'Vista-ready' versions of third-party applications will take advantage of its new security features, in reality this does not just happen magically. The ISV needs to take specific steps to make this possible. End-users don't necessarily know such a problem might exist."

The point, says Russ Cooper, director of publishing with security specialist CyberTrust and a Windows bug-tracking veteran, is that pre-Vista software can't take advantage of security niceties such as UAC or Vista's Mandatory Integrity Confirmation (MIC) routines.

"Vista is built so that services that need to have elevated privileges don't run constantly with those elevated privileges," he commented. "If it was written properly for Vista -- as opposed to a [case where a] researcher, for example, upgrades Windows XP to Vista and then says 'Look, the [ARCserve] software still runs!' -- it shouldn't pose a significant problem."

In the Vista model, Cooper said, ARCserve would run under MIC, instead of in the local security context. This would mitigate potential damage if an attacker did succeed in exploiting the ARCserve vulnerabilities, he said. "If CA had done a Vista version, and they were still running it under local control, as opposed to MIC, then they would not have written a very good Vista version," he concludes.

There are a couple of other mitigating factors, too. Firstly, these are known vulnerabilities, and CA has already patched them. Secondly, and more to the point, some of the selfsame vulnerabilities were first identified last November, by researchers with IBM Corp.'s ISS X-Force and 3Com Corp.'s TippingForce teams. At the time, both vendors updated their firewall products to block potential exploits; even on firewalls that haven't been specifically updated, it's likely that restrictive policies could deflect potential attacks, too. Nevertheless, BrightStor ARCserve Backup users are urged to obtain and apply the relevant patches, if they haven't done so already.