In-Depth

In Brief

Data Storage Security a Concern; Symantec’s 64-Bit Antivirus; Multiple Mozilla, Netscape Vulnerabilities

• By Mathew Schwartz
• 05/04/2005

Data Storage Security a Concern

When it comes to managing storage environments, IT managers’ two biggest challenges are data protection and security.

So says a poll conducted in the first quarter of 2005 by the Computing Technology Industry Association (CompTIA), a trade association. It surveyed over 660 of its members about storage and security.

Respondents detailed various challenges and fears beyond protecting and securing data. For example, 17 percent of respondents say stored-data management and administration is their biggest challenge; one in 10 say they most need faster access to their data; and eight percent say improved data accessibility is their chief concern. For six percent of respondents, regulations are the primary worry.

When it comes to storing data, John Venator, president and CEO of CompTIA, says respondents’ “emphasis on security is not surprising,” especially in light of recent high-profile cases of corporations losing—or attackers stealing—sensitive information related to consumers. Furthermore “the security landscape is made even more complicated by the massive amount of data that needs to be stored, the increasing scale and complexity of storage systems, and the requirements for record retention to comply with government regulations.”

To cope, he says, “it is absolutely essential for every organization to have in place a well-designed, well-managed, and well-secured IT infrastructure.” He advises all organizations to maintain security policies for authenticating access to stored data. Beyond that, to better secure stored data, he recommends spending the time and money to categorize confidential information as such, and then automatically restrict access to it.

Symantec Releases 64-Bit Antivirus

Symantec Corp. says a new version of its Symantec AntiVirus Corporate Edition 10.0 will run on the just-released versions of Windows XP Professional x64 and Windows Server 2003 x64.

According to Symantec, “both Windows XP Professional and Windows Server 2003 x64 Editions allow customers to easily run both 32-bit and 64-bit applications and make the gradual shift to 64-bit computing at their own pace while preserving current investments in 32-bit applications. When running memory-intensive applications, customers can also expect substantial performance improvements compared to 32-bit product versions.”

Corporate edition customers with a current maintenance contract will get a free upgrade.

Multiple HP-UX Mozilla Vulnerabilities

Vulnerability-information provider Secunia reports multiple “highly critical” vulnerabilities in Mozilla for HP-UX, the only browser HP now supports for that operating system. HP-UX versions B.11.00, B.11.11, B.11.22, and B.11.23 are affected.

The Mozilla flaws “can be exploited by malicious people to cause a denial of service, gain knowledge of potentially sensitive information, bypass certain security restrictions, and compromise a user's system,” says Secunia.

HP advises users to upgrade to Mozilla 1.7.3.02 (or later) to protect against exploitation of the vulnerability.

Another new vulnerability also affects HP-UX, though this one is only rated “moderately critical” by Secunia. Successful exploitation of it could cause a denial of service. HP-UX versions B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23 are vulnerable provided they’re running TCP/IP (IPv4).

“The vulnerability is caused due to an unspecified error in the PMTU [Path Maximum Transmission Unit] discovery processing when receiving a specially crafted packet on any open connection,” says Secunia. “Successful exploitation causes a denial of service and requires a reboot of the system to regain functionality.”

As a workaround, HP recommends setting the "ip_pmtu_strategy" parameter to 0 or 3.

Highly Critical Netscape Vulnerability

A “highly critical” vulnerability in Netscape versions 6.x and 7.x could be exploited to compromise a user’s system, warns Secunia.

The vulnerability relates to how Netscape processes GIF images. A successful attack could use a buffer overflow to execute arbitrary code on a user’s system.

Dubbed the “Netscape GIF Image Netscape Extension 2 Buffer Overflow,” the vulnerability is similar to a previously reported Mozilla vulnerability—which also affected Firefox versions prior to 1.0.2—in which a specially crafted image is used to launch an attack.

For Netscape, “the vulnerability has been confirmed in version 7.2 and has also been reported in version 6.2.3,” says Secunia, though other versions may also be affected. It recommends switching to another product.

Related Articles:

Database Security Requires a Multi-Pronged Approach
http://www.esj.com/Security/article.aspx?EditorialsID=1347

From One Security Nightmare to Another
http://www.esj.com/Security/article.aspx?EditorialsID=1339