Symantec flaw found by TippingPoint bounty hunters

A security flaw in Veritas's NetBackup application has been found and patched through an initiative run by TippingPoint that pays security researchers who find and report bugs.

TippingPoint, a subsidiary of 3Com, announced the first fruits of its Zero Day Initiative (ZDI) on Thursday. Through ZDI, TippingPoint rewards security researchers who inform 3Com of vulnerabilities and do not publicly disclose them before the vendor has issued a patch.

3Com reported the potential threat to Veritas parent company Symantec on 12 September. Symantec went public with the flaw and issued a patch a month later, on 12 October.

But according to TippingPoint, 3Com customers using its intrusion prevention systems were issued protection against the Symantec vulnerability almost immediately, and -- unlike other Symantec customers -- have been protected against the flaw for the past month.

TippingPoint says it was was tipped off about the vulnerability by an independent researcher. It affects NetBackup 4.5, 5.0, 5.1 and 6.0, running on all platforms and all versions.

An attacker could potentially remotely exploit a format string overflow vulnerability in the Java authentication service, bpjava-msvc, running on NetBackup servers and clients. The attacker could then execute arbitrary code.

"The problem with this vulnerability is it's not only running on all the desktops, but, even worse, if a malicious hacker gets into the backup server, they have access to all your backup information," said Johannes Ullrich, chief research officer for the SANS Institute.

Under ZDI, 3Com will reward security researchers who inform them about "zero day vulnerabilities". These are vulnerabilities "that are unknown and for which there is no patch," 3Com said.

CNET News.com's Dawn Kawamoto contributed to this report.