Want CNET to notify you of price drops and the latest stories?

Secunia: CA backup product 'inherently insecure'

In annual report on security flaws, vulnerability-testing company strongly criticizes CA's ARCserve Backup product, as well as Symantec Mail Security.

3 min read
Some CA products containing antivirus components have "inherent code problems," according to vulnerability-testing company Secunia, which published its annual report on security vulnerabilities on Monday.

One CA product particularly criticized by Secunia was ARCserve Backup, which the security company said was poorly coded.

"ARCserve is inherently insecure," Thomas Kristensen, Secunia's chief technology officer, told CNET News.com sister site ZDNet UK on Tuesday. "It's poor code, with a poor design. An internal code review should have revealed problems in the code that needed to be fixed before the product was launched."

In a statement sent to ZDNet UK, CA said that it was improving its quality-assurance procedures.

"CA takes software security very seriously," said the statement. "CA works continuously to prevent and proactively identify and address vulnerabilities. We have rigorous quality-control measures in place for our software, and we continue to improve those measures."

ARCserve Backup, a CA data-protection product with built-in antivirus and encryption functionality, had multiple vulnerabilities reported in June 2007, said Secunia. These included flaws that could have led to stack-based buffer overflows, enabling attackers to compromise systems, according to a Secunia advisory.

Those errors were reported to CA, which pushed out a patch that fixed some of the code problems, said Secunia.

However, when Secunia researchers analyzed the patched product, they discovered that approximately 60 reported vulnerabilities were still present, according to the Secunia 2007 Report (PDF).

Secunia claimed its analysis revealed these vulnerabilities were partly due to the nature of the product code itself, and that vulnerabilities remain.

"Unless an overhaul of the code is undertaken, then the product remains susceptible to similar types of vulnerabilities," stated the report.

Kristensen said it was "surprising" to see 60 vulnerabilities in one product alone, but that it was more surprising that a patched product contained some of the same vulnerabilities, especially as it was patched by a security vendor.

"It's bizarre to see a patched product with vulnerabilities coming from a security vendor," said Kristensen. "It's not very smart to have vulnerabilities in a backup solution, as it's deployed on every workstation on a system, making the system more vulnerable."

CA declined to comment on how effective its ARCserve patch had been.

Security vendor Symantec was also criticized in the Secunia report, for its use of the third-party Autonomy KeyView software development kit in Symantec Mail Security. According to a Secunia advisory, Autonomy KeyView, which is used in Symantec Mail Security as a Lotus 1-2-3 file viewer, can be exploited to cause buffer overflows when a specially crafted file is checked. Labeled "highly critical" by Secunia, the flaw could allow remote execution of arbitrary code.

Although the issue was reported on December 12, the vulnerability remains unpatched, according to Secunia. Kristensen said that the problem faced by Symantec was that it was reliant on a third party to provide a patch.

"Vendors buy software from third parties to add functionality. The problem with KeyView is it is third-party software (that) Symantec can't control--they rely on someone else to get the update," said Kristensen.

Kristensen added that there doesn't seem to be a well-established communication channel among Symantec, Autonomy, and IBM, which is also affected.

"Ideally IBM, Symantec, and Autonomy would push out patches on the same day," said Kristensen.

Symantec said that its product-security team "has identified an issue with a third-party component that is included in some versions of Symantec Mail Security." The company added that it is working on a solution.

"Because we take the security of our products very seriously, we published detailed mitigation instructions to protect customers immediately and have subsequently issued product updates (for some of the vendors affected) as well," said Wayne Periman, director of development for Symantec Security Response.

Tom Espiner of ZDNet UK reported from London.