Symantec has confirmed that pcAnywhere users are at "increased risk" because attackers have stolen source code to the remote control tool.
The saga over Symantec's stolen code took another twist as the company acknowledged that pcAnywhere customers are at risk for man-in-the-middle attacks and new exploits.
The breach actually occurred on Symantec servers in 2006, and attackers stole source code to several Norton security products and the pcAnywhere remote access tool, Symantec confirmed last week. At the time, the company assured customers that there was no risk to the products because the source code was so old and the company had made security improvements over the past six years.
However, upon further investigation, it appears that pcAnywhere customers are at risk, especially if they are not following "general security best practices" to protect the endpoint, network and remote access, as well as properly configuring the remote access tool, Christine Ewing, director of product marketing in the endpoint management group, wrote on the Endpoint Management Community blog Jan. 24. Those customers are susceptible to man-in-the-middle attacks, which can reveal authentication and session information.
"Customers of Symantec's pcAnywhere have increased risk as a result of this incident," Ewing wrote.
The encoding and encryption elements within pcAnywhere are vulnerable to being intercepted in man-in-the-middle attacks, according to a whitepaper addressing the issues in the remote access tool released by Symantec Jan. 25. If attackers manage to obtain the cryptographic key, they would be able to launch unauthorized remote control sessions and access other systems and sensitive data. If the key is used with Active Directory credentials, the attackers would be able to access other parts of the network.
The company released a patch fixing three vulnerabilities in the latest version of pcAnywhere, version 12.5, for Windows on Jan. 23. Symantec plans to release additional patches during the week for older versions of pcAnywhere, including versions 12.0 and 12.1. Symantec is also expected to patch more issues in version 12.5. Symantec will keep updating the software until "a new version of pcAnywhere that addresses all currently known vulnerabilities" is released, Ewing said.
Customers should disable pcAnywhere because malicious developers would be able to identify vulnerabilities within the source code and launch new exploits, Symantec said in the whitepaper. The remote access tool should be disabled unless it is vitally needed for business use, and in those situations customers should use the latest version of pcAnywhere with all the relevant patches and "follow the general security best practices," Symantec said.
"At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks," the company said.
Since pcAnywhere is available as a stand-alone product, bundled with other Symantec products and also as part of Altiris-based packages, customers should check to see if the tool is enabled. A remote access component called pcAnywhere Thin Host is also bundled with several backup and security products from Symantec.
The company again asserted that its antivirus and endpoint security products are not at risk. "Our analysis shows that due to the age of the exposed source, Symantec antivirus or endpoint security customers, including those running Norton products, should not be in any increased danger of cyber-attacks resulting from this incident," Symantec said in a statement.
The theft was limited to the code for the 2006 versions of Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks, which includes Norton Utilities and Norton GoBack; and pcAnywhere, Symantec said. The Norton Antivirus Corporate Edition code "represents a small percentage" of the code that appeared in the prerelease source for Symantec Antivirus 10.2, which was discontinued in 2007. Symantec Endpoint Protection 11, which replaced Symantec Antivirus Corporate Edition, was based on a separate code branch "that we do not believe was exposed," Symantec said. Customers running Symantec Endpoint Protection 11.x are at "no increased security risk" due to the code theft.
Customers should follow recommended best practices, such as making sure antivirus definitions are up to date and running the latest version of the software. If it makes sense for the organization, Symantec recommends upgrading to the latest version of Symantec Endpoint Protection, which is SEP 12.1 RU1, but there is no rush.
"The code that has been exposed is so old that current out-of-the-box security settings will suffice against any possible threats that might materialize as a result of this incident," Symantec said.