In-Depth

A Vista Divided Against Itself

Windows Vista might be Microsoft's most secure client operating environment to date, but that doesn''t mean it's completely unassailable.

• By Stephen Swoyer
• 02/01/2007

Microsoft's Windows Vista operating system might be Redmond's most secure client operating environment to date, but that doesn't—and couldn't—mean Vista is completely unassailable.

Security researchers have already identified a potential Speech Recognition exploit in Vista, for example, and another new vulnerability has recently come to the forefront—in this case, one that targets third-party software running on Vista. While the new exploit doesn't actually stem from a flaw in Vista itself, it does illustrate that Vista, even with next-generation features such as its User Access Control (UAC) technology, is nonetheless pregnable.

Security specialist Core Security Technologies, a developer of security testing and assessment software, claimed that an attacker can successfully take control over a Vista machine by exploiting any of several buffer overflow vulnerabilities in the BrightStor ARCserve Backup product set from Computer Associates International Inc. (CA).

The vulnerabilities affect BrightStor ARCserve Backup versions 9.01 through 11.5, and Enterprise Backup 10.5, along with CA Server/Business Protection Suite r2, Core Security said. An attacker who successfully exploits these vulnerabilities on any Windows system, including Vista, can execute arbitrary code and possibly gain access to network systems.

Core Security, for its part, said this proves that Vista—for all its out-of-the-box impregnability—is only as secure as the weakest link in its application chain.

There are a few mitigating factors, of course. First BrightStor ARCserve Backup 11.5 SP3 (the latest version) doesn't natively support Vista; CA has promised to deliver a Vista update (consisting of a client agent and an open file backup agent) by the end of Q1 of this year. BrightStor ARCserve Backup for Windows XP, on the other hand, can apparently be installed on Vista, at least according to CA's Vista product readiness plan, which doesn't list any conflicts (see Resources).

Core Security researchers concede that their test exploit does involve pre-Vista versions of CA's ARCserve software, but argue that such a scenario could very easily take place in the enterprise wild.

"These were pre-Vista versions of the software that run on Vista. You need admin rights to install the software and it runs as SYSTEM," confirmed Max Caceres, Core Security's director of product management. "While it is reasonable to assume that 'Vista-ready' versions of third-party applications will take advantage of its new security features, in reality this does not just happen magically. The ISV needs to take specific steps to make this possible. End-users don't necessarily know such a problem might exist."

The point, said Russ Cooper—director of publishing with security specialist CyberTrust and a Windows bug-tracking veteran—is that pre-Vista software can't take advantage of security niceties such as UAC or Vista's Mandatory Integrity Confirmation (MIC) routines. "Vista is built so that services that need to have elevated privileges don't run constantly with those elevated privileges," he remarked. "If it was written properly for Vista—as opposed to a [case where a] researcher, for example, upgrades Windows XP to Vista and then says 'Look, the [ARCserve] software still runs!'—it shouldn't pose a significant problem."

In the Vista model, Cooper said, ARCserve would run under MIC, instead of in the local security context. This would mitigate potential damage if an attacker did succeed in exploiting the ARCserve vulnerabilities, he said. "If CA had done a Vista version, and they were still running it under local control, as opposed to MIC, then they would not have written a very good Vista version," he concluded.

There are a couple of other mitigating factors, too. First these are known vulnerabilities. CA has already patched them. Second, and more to the point, some of the selfsame vulnerabilities were first identified last November, by researchers with IBM Corp.'s ISS X-Force and 3Com Corp.'s TippingForce teams. At the time, both vendors updated their firewall products to block potential exploits. Even on firewalls that haven't been specifically updated, it's likely that restrictive policies could also deflect potential attacks. Nevertheless, BrightStor ARCserve Backup users are urged to obtain and apply the relevant patches, if they haven't done so already.