Symantec Tells Users to Disable pcAnywhere, Cites Threat from Anonymous
In the wake of a threat by Anonymous to expose Symantec source code, the company advises customers to stop using pcAnywhere -- but says its antivirus software products are not at risk.
Symantec is warning customers to disable or uninstall its pcAnywhere remote access software until the vendor can issue updates that resolve current known security vulnerabilities.
The warning comes three weeks after Symantec first acknowledged that a group of hackers had gained unauthorized access to the source code for some of its older products. Initial reports claimed that the hackers had stolen the source code from servers owned by the government of India and that the breach was limited in scope -- but as further details emerged, Symantec was forced to admit that the company's own servers had been hacked in 2006, and that the scope of the breach included source code for six-year-old versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (including Norton Utilities and Norton GoBack), and pcAnywhere.
The company's warning to pcAnywhere customers follows recent threats by hackers affiliated with the Anonymous hacktivist group to release the stolen source code from Symantec's Norton Utilities, Norton AntiVirus, and pcAnywhere products. The hackers stated that they timed their threat to coincide with the filing of a lawsuit against Symantec by a third party, accusing the company of using "scareware" tactics to market its Norton Utilities products to consumers.
"Symantec can confirm that a segment of its source code has been accessed," the company admitted in a statement on its Web site earlier this week. "Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. Since 2006, Symantec has instituted a number of policies and procedures to prevent a similar incident from occurring. Furthermore, there are no indications that customer information has been impacted or exposed at this time."
Symantec explained that because of the age of the stolen code, customers of up-to-date Symantec and Norton-branded antivirus and endpoint protection products have little to fear with regard to increased cyber attacks as a result of the source code disclosure. Symantec said the stolen Norton Antivirus Corporate Edition source code accounted for less than 5 percent of the code base for Symantec AntiVirus 10.2, which was released to the company's enterprise customers in 2006. Furthermore, the company stated that Symantec Endpoint Protection -- its current flagship enterprise security product, which was initially released in the fall of 2007 -- was based upon a separate code branch that it does not believe was exposed.
However, the company warned that customers of its pcAnywhere software do have cause for concern.
"With this incident, pcAnywhere customers have increased risk," Symantec said in a white paper. "Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks."
A man-in-the-middle attack is one in which the attacker inserts himself as a layer between two communicating devices. From that position, the attacker can intercept private communications such as log-in and authentication information. In the case of pcAnywhere, if the malicious user is able to intercept cryptographic key information, that information can be used to launch unauthorized remote control sessions.
Symantec said customers of pcAnywhere 12.0, 12.1, and 12.5 are all at increased risk -- as are customers with prior, unsupported versions of the software. pcAnywhere was also bundled in three Symantec products: Altiris Client Management Suite and Altiris IT Management Suite versions 7.0 or later, and Altiris Deployment Solution with Remote v7.1.
"The increased risk is isolated to the pcAnywhere components only," Symantec said. "There are no known impacts to the rest of the components in the Altiris products or the pcAnywhere Solution component that provides integration between pcAnywhere and the Symantec Management Console."
Symantec said pcAnywhere customers should disable the product until it releases a final set of software updates that resolve currently known vulnerability risks.
"For customers that require pcAnywhere for business critical purposes, it is recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released and follow the general security best practices discussed [in the white paper]."