Code to drill CA holes found on Web?

A security group has discovered exploit code that could enable attackers to take advantage of flaws in Computer Associates International's licensing software.

eEye Digital Security said Thursday that exploit code for the buffer overflow vulnerabilities has been published on the Web by the Hat-Squad Security Group, a band of computer security enthusiasts.

eEye executives marveled at the speed with which the malicious code appeared, given that the CA problem was first reported last week.

"This is another example of how the window of opportunity for remediating unpatched machines continues to shrink, often to a few hours or less," Firas Raouf, chief operating officer of eEye, said in a statement.

eEye, which was one of two security companies credited with unearthing the CA flaws, said the malicious code provides a usable point of entry for a worm or virus designed to take advantage the software glitch.

The security software maker also reported that the program could threaten anyone who has recently evaluated CA's business applications, as the vulnerabilities in the software maker's License Manager tool could remain live on systems, even after the product had been manually removed.

That factor makes fixing the flaw more of a challenge for network administrators, according to eEye's Raouf.

"The CA flaws are particularly tricky, as even those that diligently removed any CA products they may have evaluated are still at risk," he said.

CA has posted security patch updates that it said eliminates the vulnerability. Company representatives said the software maker worked with eEye and iDefense, the other discoverer of the glitch, to verify the patches, available at CA's Web site.

"CA has taken immediate action in response to the vulnerabilities discovered in a licensing component of certain CA software products, including the development and distribution of the necessary code patches," Bob Gordon, a company spokesman, said in a statement Thursday.

Gordon said that CA also continues to work closely with its customers in addressing the vulnerabilities.

If exploited, the flaws could enable malicious third parties to run code on a compromised machine. eEye is offering a free tool that scans for vulnerabilities, and it promises to test systems to see if they are open to such attacks.

News of the flaws comes as CA attempts to expand its presence in the security market. Over the last year, it has been building out its own antivirus and anti-spyware tools, and most recently announced plans to add identity and access management applications to its existing eTrust security product line.