Core Security Technologies Demonstrates Exploitability of Third-Party Software Running on Vista

Business Wire, Feb 6, 2007

Penetration Testing Software Leader Releases First-Known Working Exploit for Applications Running on Vista; Unveils Support for Testing Systems Running Vista

BOSTON -- Core Security Technologies, provider of CORE IMPACT, the first-to-market penetration testing product for assessing specific information security risks, today announced that it has discovered a vulnerability that could affect companies running Microsoft's new Vista operating system. Engineers from Core Security discovered that, by exploiting a previously known vulnerability in CA's BrightStor ARCserve Backup, a third-party application that runs on Vista, an attacker could remotely compromise and take over a target machine. This demonstrates that companies running Microsoft's new Vista operating system could remain exposed to code execution attacks through vulnerable third-party applications. In addition, Core Security announced the availability of support for testing the Vista operating system, continuing its efforts to offer the broadest range of attack vectors and platforms.

"Microsoft has made great strides by creating a more secure version of Windows with Vista, but our continuing work with CORE IMPACT demonstrates that the new operating system is only as secure as the third-party applications that run on it. As they say, 'a chain always breaks at the weakest link,' and unfortunately a new operating system is no exception to this rule," said Ivan Arce, CTO at Core Security Technologies. "To enable customers to take full advantage of Vista's new security mechanisms, independent software vendors must be diligent in updating their products. Security-conscious users and organizations evaluating the adoption of the new operating system should make sure that Vista's new security features are properly configured and used by the third-party applications."

Vulnerability Specifics:

Core Security's engineers uncovered that a previously disclosed vulnerability in CA's BrightStor ARCserve Backup software (CVE-2007-0169) can be exploited to compromise systems running the new Vista operating system. Exploiting this buffer overflow vulnerability in CA's BrightStor ARCserve Backup versions 9.01 through 11.5, Enterprise Backup 10.5 and CA Server/Business Protection Suite r2 would allow an attacker to remotely execute arbitrary code on target machines and potentially gain access to other critical systems in an organization.

To address this vulnerability, users of these products should immediately apply the appropriate patches provided by CA, which are available at: http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp

"Core Security is dedicated to providing the most relevant tools and technologies available to enable its customers to efficiently identify real security threats," said Paul Paget, CEO of Core Security Technologies. "As companies upgrade to Vista, CORE IMPACT will continue to offer them leading-edge capabilities for assessing the security of their IT systems."

The enhancements to CORE IMPACT that support Vista, as well as the updated exploit, are immediately available at no charge to all customers with a current subscription to the product. As additional exploits for testing target systems running Vista become available, CORE IMPACT users will receive them as part of their regular updates to the product.

About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the first automated penetration testing product for assessing specific information security threats to an organization. Penetration testing evaluates overall network security and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing, software security auditing and related training. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

COPYRIGHT 2007 Business Wire
COPYRIGHT 2008 Gale, Cengage Learning
Content provided in partnership with Thompson Gale