This is slightly off topic, but I thought this info might be of some use to
the group.  Maybe someone can post it to the appropriate BackupExec forum.

Thanks,
Matt


-----Original Message-----
From: Marcus Beaman [mailto:marcus.beaman AT state.or DOT us] 
Sent: Tuesday, April 15, 2003 4:42 PM
To: bugtraq AT securityfocus DOT com
Subject: Veritas BackupExec 9.0 may ship with upatched MS SQL Desktop Engine


I don't know if this is worth posting, but I've not seen it run across
bugtraq yet, and we at the state found out the hard way:

-Marcus

<snip>
Veritas BackupExec 9.0 that recently shipped out on CD to registered owners
(like us)
is vulnerable to the SQL Slammer worm. 
http://seer.support.veritas.com/docs/254244.htm
For some reason, Veritas shipped the CDs with an old, unpatched version of
MS
SQL Desktop Engine that is vulnerable.  It took the worm less than two hours
to find the box I upgraded to BackupExec 9.0 on this morning and have it
spewing 20mb/sec onto the network (impressive for an old dual PPro 200).  
If you know of anyone else running BackupExec on their servers, you may want
to warn them before they try to upgrade to the new version.  BackupExec 8.x
is
apparently not vulnerable unless it's also running the Network Storage
Executive.
-Greg
</snip>