echo: nthelp
to: Geo
from: Ellen K
date: 2005-08-03 22:54:42
subject: ARCserve

Another good reason for using the SQL Server built-in backup functionality
rather than a third-party tool.

> From: "Geo" 
> CA BrightStor ARCserve Backup Agent for MS SQL Server Buffer Overflow
> iDEFENSE Security Advisory 08.02.05
> www.idefense.com/application/poi/display?id=287&type=vulnerabilities
> August 2, 2005
> I. BACKGROUND
> BrightStor ARCserve Backup for Windows delivers backup and restore
> protection for all Windows server systems as well as Windows, Linux,
> Mac OS X and UNIX client environments.
> http://www3.ca.com/Solutions/ProductFamily.asp?ID=115
> II. DESCRIPTION
> Remote exploitation of a buffer overflow in the Backup Agent for
> Microsoft SQL Server within Computer Associates' BrightStor ARCserve
> Backup Agent for SQL allows an attacker to execute arbitrary code with
> SYSTEM privileges.
> BrightStor ARCserve Backup Agent for Microsoft SQL Server is a component
> of the BrightStor ARCserve Backup system for handling backups of
> Microsoft SQL server data. When a string with a length over 3168 bytes
> is sent to the listening port, 6070 by default, a stack-based buffer
> overflow occurs.
> III. ANALYSIS
> Successful exploitation allows remote attackers to execute arbitrary
> code with SYSTEM level privileges. This allows for complete system
> compromise including the installation or removal of software and access
> to any file on the system.
> IV. DETECTION
> iDEFENSE has confirmed the existence of this vulnerability in Computer
> Associates BrightStor ARCserve Backup Agent for Microsoft SQL Server
> version 11.0. It is suspected that all versions are vulnerable.
> V. WORKAROUND
> Restrict remote access at the network boundary, unless remote parties
> require service. Access to the affected host should be filtered at the
> network boundary if global accessibility is not required. Restricting
> access to only trusted hosts and networks may reduce the likelihood of
> exploitation.
> VI. VENDOR RESPONSE
> A vendor advisory for this vulnerability can be found at:
> http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239
> VII. CVE INFORMATION
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CAN-2005-1272 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
> VIII. DISCLOSURE TIMELINE
> 04/25/2005  Initial vendor notification
> 04/25/2005  Initial vendor response
> 08/02/2005  Coordinated public disclosure
> IX. CREDIT
> The discoverer of this vulnerability wishes to remain anonymous.
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
> Free tools, research and upcoming events
> http://labs.idefense.com
> X. LEGAL NOTICES
> Copyright (c) 2005 iDEFENSE, Inc.
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDEFENSE. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically, please
> email customerservice{at}idefense.com for permission.
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
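
Added example, not part of the original message or the iDEFENSE advisory: a triage pass over flow records for the agent's default port 6070, flagging sources outside a trusted range (the advisory's workaround) and requests longer than the 3168-byte length it cites. The trusted subnet, the record layout (source IP, destination port, length of the client's first request) and the sample records are assumptions constructed for illustration.

```python
import ipaddress

AGENT_PORT = 6070     # default listening port named in the advisory
OVERFLOW_LEN = 3168   # the advisory: strings longer than this overflow the buffer

# Assumption: only the backup server's subnet needs to reach the agent.
TRUSTED_NETS = [ipaddress.ip_network("10.20.30.0/28")]

# Constructed sample records: (source IP, destination port, first request length).
SAMPLE_FLOWS = [
    ("10.20.30.5", 6070, 412),    # trusted host, ordinary request
    ("10.20.30.5", 6070, 4096),   # trusted host, oversized request
    ("192.0.2.77", 6070, 120),    # outside the trusted range
    ("192.0.2.77", 6070, 3500),   # outside the range and oversized
    ("192.0.2.77", 1433, 9000),   # different service, out of scope here
    ("10.20.30.9", 6070, 3168),   # exactly at the limit, not over it
]

def is_trusted(src):
    """True if src falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)

def review_flow(src, dport, request_len):
    """Return the findings for one record; an empty list means nothing to report."""
    if dport != AGENT_PORT:
        return []
    findings = []
    if not is_trusted(src):
        findings.append("untrusted-source")    # boundary filtering is missing
    if request_len > OVERFLOW_LEN:
        findings.append("oversized-request")   # a lead for triage, not proof
    return findings

def review_flows(flows):
    """Return (source, length, findings) for every record with a finding."""
    report = []
    for src, dport, request_len in flows:
        findings = review_flow(src, dport, request_len)
        if findings:
            report.append((src, request_len, findings))
    return report

if __name__ == "__main__":
    for src, request_len, findings in review_flows(SAMPLE_FLOWS):
        print(f"{src:15} {request_len:6} bytes  {', '.join(findings)}")
```

Any "untrusted-source" hit means the boundary filtering described in the workaround is not in place for that host.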
