A security flaw in Veritas's NetBackup application has been found and patched through an initiative run by TippingPoint that pays security researchers who find and report bugs.
TippingPoint, a subsidiary of 3Com, announced the first fruits of its Zero Day Initiative (ZDI) on Thursday. Through ZDI, TippingPoint rewards security researchers who inform 3Com of vulnerabilities and do not publicly disclose them before the vendor has issued a patch.
3Com reported the potential threat to Veritas parent company Symantec on 12 September. Symantec went public with the flaw and issued a patch a month later, on 12 October.
According to TippingPoint, 3Com customers using its intrusion prevention systems were issued protection against the Symantec vulnerability almost immediately, and -- unlike other Symantec customers -- have been protected against the flaw for the past
TippingPoint says it was tipped off about the vulnerability by an independent researcher. It affects NetBackup 4.5, 5.0, 5.1 and 6.0, running on all platforms and all versions.
An attacker could potentially remotely exploit a format string overflow vulnerability in the Java authentication service, bpjava-msvc, running on NetBackup servers and clients. The attacker could then execute arbitrary code.
"The problem with this vulnerability is it's not only running on all the desktops, but, even worse, if a malicious hacker gets into the backup server, they have access to all your backup information," said Johannes Ullrich, chief research officer for the SANS Institute.
Under ZDI, 3Com will reward security researchers who inform them about "zero day vulnerabilities". These are vulnerabilities "that are unknown and for which there is no patch," 3Com said.
CNET News.com's Dawn Kawamoto contributed to this report.