The researcher, identified only as "EMendoza," also published exploit code for the vulnerability, which could conceivably allow an attacker to remotely hijack and control systems running the affected CA products.
In a reply posted to the same mailing list, someone identified as Ken Williams, CA's director of vulnerability research, said the company is "currently investigating the issue."
On Friday, CA responded to a request for confirmation, saying that it "promptly responds to all vulnerability reports," but in the next breath said the likelihood of any customer suffering from this bug was "extremely slim."
"It exists on a very limited number of platforms, occurs only if patches have not been applied for two years, and only affects CA products that are intentionally modified to run in a very uncommon configuration," a spokesperson said in a statement e-mailed to TechWeb.
Until patches are available, CA said it was telling customers to make sure that the debugging option in the iGateway component was disabled. Because that mode is rarely enabled by users, "just about all users will have no action required to remain protected. Clients running in debug mode can remediate the issue by simply turning debug off," said the spokesperson in a follow-up message.
CA products have been hit by vulnerabilities before. In early March, a pair of security firms announced a bug in the licensing software bundled with virtually every Windows, Macintosh, Linux, and Unix title from CA. The flaw could allow attackers to trigger buffer overflows and, from there, run code of their choice on the affected machines. Computer Associates, however, released patches that same day.
In August, the Islandia, N.Y.-based software maker's BrightStor ARCserve Backup was plagued with a buffer overflow vulnerability that was quickly patched.