Symantec has confirmed that pcAnywhere users are at "increased risk" because attackers have stolen source code to the remote control tool.
saga over Symantec's stolen code took another twist as the company acknowledged
that pcAnywhere customers are at risk for man-in-the-middle attacks and new
breach actually occurred on Symantec servers in 2006, and attackers stole
source code to several Norton security products and the pcAnywhere remote
access tool, Symantec confirmed last week. At the time, the company assured
customers that there was no risk to the products because the source code was so
old and the company had made security improvements over the past six years.
upon further investigation, it appears that pcAnywhere customers are at risk,
especially if they are not following "general security best
practices" to protect the endpoint, network and remote access, as well as
properly configuring the remote access tool, Christine Ewing, director of
product marketing in the endpoint management group, wrote on the
Endpoint Management Community
blog Jan. 24. Those customers are susceptible
to man-in-the-middle attacks, which can reveal authentication and session
of Symantec's pcAnywhere have increased risk as a result of this
incident," Ewing wrote.
encoding and encryption elements within pcAnywhere are vulnerable to being
intercepted in man-in-the-middle attacks, according to a
addressing the issues in the remote access tool released by
Symantec Jan. 25. If attacker manage to obtain the cryptographic key, they
would be able to launch unauthorized remote control sessions and access other
systems and sensitive data. If the key is using Active Directory credentials,
the attackers would be able to access other parts of the network.
company released a patch fixing three vulnerabilities in the latest version of
pcAnywhere, version 12.5, for Windows on Jan. 23. Symantec plans to release
additional patches during the week for older versions of pcAnywhere, including
versions 12.0 and 12.1. Symantec is also expected to patch more issues in
version 12.5. Symantec will keep updating the software until "a new
version of pcAnywhere that addresses all currently known vulnerabilities"
is released, Ewing said.
should disable pcAnywhere because malicious developers would be able to
identify vulnerabilities within the source code and launch new exploits,
Symantec said in the whitepaper. The remote access tool should be disabled
unless it is vitally needed for business use, and in those situations customers
should use the latest version of pcAnywhere with all the relevant patches and
"follow the general security best practices," Symantec said.
this time, Symantec recommends disabling the product until Symantec releases a
final set of software updates that resolve currently known vulnerability
risks," the company said.
pcAnywhere is available as a stand-alone product, bundled with other Symantec
products and also as part of Altiris-based packages, customers should check to
see if the tool is enabled. A remote access component called pcAnywhere Thin
Host is also bundled with several backup and security products from Symantec.
company again asserted that its antivirus and endpoint security products are
not at risk. "Our analysis shows that due to the age of the exposed source
Symantec antivirus or endpoint security customers, including those running
Norton products, should not be in any increased danger of cyber-attacks
resulting from this incident,"
Symantec said in a statement
theft was limited to the code for the 2006 versions of Norton Antivirus
Corporate Edition; Norton Internet Security; Norton SystemWorks, which includes
Norton Utilities and Norton GoBack; and pcAnywhere, Symantec said. The Norton
Antivirus Corporate Edition code "represents a small percentage" of
the code that appeared in the prerelease source for Symantec Antivirus 10.2,
which was discontinued in 2007. Symantec Endpoint Protection 11, which replaced
Symantec Antivirus Corporate Edition, was based on a separate code branch
"that we do not believe was exposed," Symantec said. Customers
running Symantec Endpoint Protection 11.x are at "no increased security
risk" due to the code theft.
should follow recommended best practices, such as making sure antivirus
definitions are up to date and running the latest version of the software. If
it makes sense for the organization, Symantec recommends upgrading to the
latest version of Symantec Endpoint Protection, which is SEP 12.1 RU1, but
there is no rush.
code that has been exposed is so old that current out-of-the-box security
settings will suffice against any possible threats that might materialize as a
result of this incident," Symantec said.