In association with heise online

29 February 2008, 10:38

Symantec closes holes in Backup Exec for Windows Server

Symantec has released a hotfix to resolve several vulnerabilities in its Backup Exec for Windows Server. According to the advisory, a scheduler or calendar included in the installation incorporates an ActiveX control (pvcalendar.ocx). This control is vulnerable to buffer overflows that can be exploited to inject and execute arbitrary code. The control also contains an unsafe method which allows files to be overwritten or created anywhere on the system.

For a successful attack, a victim has to use Internet Explorer to visit a specially crafted web page. Since the vulnerable systems are servers, Symantec classifies the risk of exploitation as low – assuming that administrators don't normally use servers to browse the web.

The affected versions are:

  • Symantec Backup Exec for Windows Server 11d build 11.0.6235
  • Symantec Backup Exec for Windows Server 11d build 11.0.7170
  • Symantec Backup Exec for Windows Server 12.0 build 12.0.1364
