Veritas may have been taken over by security giant Symantec, but end users have been left wanting better notification in the wake of a critical vulnerability in its backup software.
The University of NSW Educational Development and Technology Centre's IT and research manager Patrick Stoddart was dismayed at receiving a marketing newsletter but not a security alert.
"I received an e-mail from Veritas dated August 12. It was just general news [with] the principal point about the Symantec-Veritas merger and there was no specific security alert," Stoddart told Computerworld. "We heard about it from internal IT security lists. Other IT support officers at UNSW posted information and resolution steps."
The centre is running Veritas' Backup Exec 9.0 on Windows 2000 with a number of remote agents which were vulnerable to the flaw.
"We just didn't get it [an alert] and we have maintenance agreements. It's just not good enough and I don't know if it is to do with the Symantec merger," Stoddart said, adding that the licence agreement had not changed.
"Does Veritas have a subscription list and, if so, is it actively pushed like the Microsoft ones are?" he said. "Veritas has me on a list so I got the marketing guff but not the security advisories. I've received nothing since."
Stoddart's team took action by downloading and applying the patch last week (Monday), but he said he could have taken action over the weekend "like I do with Windows," if notified.
The centre has also been unhappy with Veritas issues in Exchange backups for "some time now."
"There is also a lack of information from Veritas about Mac OS X support," he said. "I'd be lying if I didn't say we were looking at alternatives to Veritas to address our specific issues."
Along with Backup Exec users, Symantec's NetBackup customers were also given no warning.
An IT security manager at a state government department who requested anonymity said he "got no warning at all."
"I don't know who holds the ball," he said, adding that the department has been using Veritas NetBackup for two years and buys it through Sun, its main systems vendor.
"Symantec should follow through with its customer base and advertise in IT journals," he said. "Some sort of push [like] a letter as e-mail tends to get discarded. For example, CA tends to send written confirmation of a vulnerability and if there is a new product release or upgrade."
The source said even if a vulnerability only affects an application on one platform it is good practice for the vendor to notify customers using it on all platforms.
"More information is better than no information," he said. "Veritas should pick up its act a bit. It's a bit ironic that Veritas is now owned by a security company."
The department has also had "some problems" with Veritas file systems.
A spokesperson for Symantec said the company provided, in less than 24 hours, hotfixes and technical support documentation for supported versions of Veritas Backup Exec for NetWare and Veritas NetBackup for NetWare Media Server Option that are subject to an authentication vulnerability made public on August 11.
"And in less than 48 hours of being notified, Symantec provided the hotfix for all supported versions of Veritas Backup Exec for Windows Server," the spokesperson said.
Symantec was invited to comment on the level of communication with its customers but did not respond before deadline.