A stack of vulnerabilities has surfaced in Windows versions of CA's BrightStor ArcServe backup software. The holes are rated 'moderately critical' by Secunia, and CA has now released patches for them.

Although CA does have its own security team, all these flaws were discovered by researchers at other security groups, including ISS X-Force, which is now part of IBM, 3Com's TippingPoint, iDefense and others.

Some of the vulnerabilities were first reported as long ago as last November, when ISS X-Force and TippingPoint updated their firewalls to block them.

A CA spokeswoman was unable to say why it took the company so long to issue a public advisory that might have enabled other users to apply firewall rules to protect themselves in the interim, while patches were being developed. She added, "In this specific case we have not been made aware of any customers who have been affected by this vulnerability."

However, other researchers have seen at least one proof-of-concept exploit, according to ISS senior technical specialist James Rendell.

"These vulnerabilities are extremely serious - we rate them a 10," he said. "They are remotely exploitable, they give you administrator access and you don't need to authenticate - those are the three most deadly traits of any vulnerability."

ISS said the vulnerabilities it found involved using specially-crafted RPC requests to cause a stack-based overflow in Windows versions of the widely-used backup program. It added that ArcServe users need to apply the CA patches, even if any attack should in theory be stopped by their firewall.

Applications such as backup software have been under increasing scrutiny from security researchers in the last couple of years, as would-be hackers turn from traditional targets such as operating systems and user-facing applications to look for new avenues of attack.